Is the security of the HMAC based on SHA-1 affected by the collisions attacks on SHA-1?
Description. The remote SSH server is configured to enable SHA-1 HMAC algorithms. Although NIST has formally deprecated the use of SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC, because the security of HMAC does not rely on the underlying hash function being collision-resistant. (On OpenSSH the set of MACs a server offers is governed by the MACs directive in sshd_config, which is where such a finding is acted on if an organisation nonetheless wants SHA-1 MACs removed.)
Hash-based Message Authentication Code (HMAC) is a message authentication code that combines a secret cryptographic key with a hash function. In SSH the key is a shared secret derived from the key exchange, known only to that specific client and that specific server; the client uses it to tag each packet and the server uses it to verify the tag (and vice versa).
HMAC was proved in [4] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant, meaning collision-resistant when the hash is keyed through a secret initial value rather than the fixed public one. A later proof by Bellare (CRYPTO 2006) removed assumption (2) altogether, so HMAC's PRF security rests on the compression function being a PRF alone; neither result depends on the hash being collision-resistant in the ordinary, public-IV sense.
SHA-1 was first broken in 2005 by a theoretical collision attack due to Wang et al., which requires an expected 2^69 calls to SHA-1's compression function, out of practical reach at the time. In 2017 a practical collision attack on SHA-1 was published and the first known SHA-1 collision was provided.
The security implications of HMAC are described in detail in the security section of the RFC. In a nutshell, a very strong attack indeed is required before the security of the HMAC is threatened; the existing collision attacks on SHA-1 certainly don't constitute such. HMAC is specifically designed to make attacks difficult, and ordinary collision attacks won't generally suffice:
The security of the message authentication mechanism presented here depends on cryptographic properties of the hash function H: the resistance to collision finding (limited to the case where the initial value is secret and random, and where the output of the function is not explicitly available to the attacker), and the message authentication property of the compression function of H when applied to single blocks (in HMAC these blocks are partially unknown to an attacker as they contain the result of the inner H computation and, in particular, cannot be fully chosen by the attacker).
I recommend reading the whole section; it goes into more detail about exactly what attacks would suffice to break an HMAC, and just how much effort would be required.
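The following Python example is added here to make the quoted RFC 2104 security statement concrete; it is not code from the question, the answer or the RFC. It implements HMAC-SHA1 from scratch (key padding, ipad/opad, inner and outer hash), cross-checks it against the standard library and the RFC 2202 test vector, and then recomputes the inner hash as plain SHA-1 of the message started from the chaining value obtained by compressing K xor ipad. That chaining value is the secret, random "initial value" the RFC refers to: the inner SHA-1 runs under an IV the attacker does not know and whose output the attacker never sees. The minimal pure-Python SHA-1 (sha1_compress, sha1_from_state) and all inputs are written for this illustration.

```python
import hashlib
import hmac
import struct

# Public SHA-1 initial chaining value (the IV every collision attack targets).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
BLOCK = 64  # SHA-1 block size in bytes; also RFC 2104's B for SHA-1


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(state, block):
    """One SHA-1 compression step: absorb a single 64-byte block into the 5-word state."""
    assert len(block) == BLOCK
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_from_state(state, msg, already_absorbed=0):
    """Finish SHA-1 over `msg` starting from chaining value `state`.

    `already_absorbed` is the number of bytes that produced `state`; Merkle-Damgard
    padding encodes the total stream length, so it has to be accounted for."""
    total = already_absorbed + len(msg)
    padded = msg + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    for off in range(0, len(padded), BLOCK):
        state = sha1_compress(state, padded[off:off + BLOCK])
    return struct.pack(">5I", *state)


def _pad_key(key):
    """RFC 2104 key handling: hash keys longer than B, then zero-pad to B bytes."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    return key.ljust(BLOCK, b"\x00")


def inner_hash_direct(key, msg):
    """Inner HMAC hash as RFC 2104 writes it: H((K xor ipad) || msg)."""
    ipad_block = bytes(b ^ 0x36 for b in _pad_key(key))
    return hashlib.sha1(ipad_block + msg).digest()


def hmac_sha1(key, msg):
    """HMAC-SHA1 per RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    opad_block = bytes(b ^ 0x5C for b in _pad_key(key))
    return hashlib.sha1(opad_block + inner_hash_direct(key, msg)).digest()


def inner_hash_with_secret_iv(key, msg):
    """The same inner hash, computed as plain SHA-1 of `msg` under a *secret* IV.

    K xor ipad is exactly one block, so SHA-1((K xor ipad) || msg) equals SHA-1 of
    msg started from compress(IV, K xor ipad). That keyed chaining value is the
    secret, random "initial value" of RFC 2104 section 6: a collision pair built
    for the public IV does not transfer to it, and its output never leaves HMAC
    unhashed because the outer call wraps it under K xor opad."""
    ipad_block = bytes(b ^ 0x36 for b in _pad_key(key))
    secret_iv = sha1_compress(SHA1_IV, ipad_block)
    return sha1_from_state(secret_iv, msg, already_absorbed=BLOCK)


def reference_hmac_sha1(key, msg):
    """Standard-library HMAC-SHA1, used only to cross-check the hand-rolled version."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def verify(key, msg, tag):
    """Constant-time tag check; MACs must never be compared with ==."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"  # RFC 2202 HMAC-SHA1 test case 1
    tag = hmac_sha1(key, msg)
    print("HMAC-SHA1:", tag.hex())
    print("matches stdlib:", tag == reference_hmac_sha1(key, msg))
    print("inner hash via secret IV matches:",
          inner_hash_with_secret_iv(key, msg) == inner_hash_direct(key, msg))
    print("verify:", verify(key, msg, tag))
```

The point to take from inner_hash_with_secret_iv is structural: the attacker who wants an HMAC forgery via collisions needs colliding inputs for SHA-1 under a chaining value they cannot compute without K, and even a successful inner collision is only observable through the outer keyed hash. That is exactly why the published SHA-1 collisions, which are computed against the fixed public IV with the digest in full view, do not translate into an attack on HMAC-SHA1.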