This is a presentation. It focuses on the HMAC implementation of SHA-2 (512) hashing function. Talks about the weaknesses and the procedure to target the vulnerability. It is based on the research paper by Abdulhadi Shoufan on A Fault Attack on a Hardware-based Implementation of the Secure Hash Algorithm SHA-512.

1. Implementation Attacks
on
Hashing Functions
Presented By : Pragyanand Tiwari

2. Hash Function
Hash Function
(Mathematical
Transformation)
Input
(Message)
Output
(Digest, Tag,
Hash)
Deterministic
Function
Computationally
Efficient
Well Distributed
Output

3. Hash Function
A Few Hash Functions :
• MD5
• SHA- 1
• SHA - 2
• SHA - 3
• Skein
• Whirlpool

4. Hash Function
Applications
• Digital Signing
• Message Authentication
• Pseudo Random Number Generation
• Password Security
• Encryption

5. Hash Function
Desirable Properties
1. OW : One-Wayness
2. CR : Collison Resistance.
3. TCR : Targeted Collision Resistance.
4. PR : Pseudo-Randomness
5. NM : Non-Malleability

6. Implementation Attacks
Attacks on the Practical Realization of Cryptographic Algorithms and
Protocol.

7. Implementation Attacks on Hash Functions
Fault Attack
• Fault attacks work by injecting errors into the cryptosystem.
• Works in Three Phases.
• Phase 1 – Design of Fault Model.
• Phase 2 – Actual attack is performed by injecting error.
• Phase 3 – Faulty Result is Evaluated to extract the secret Key.

8. Implementation Attacks on Hash Functions
Testing Fault Attack on SHA-512 (SHA-2):
• The attack was carried out on HMAC implementation of SHA-2
(SHA-512), that has a key size of 1024 bits.
• Our fault model relies on an iterative flipping of two control bits at
specific time points.
• It reduces number of rounds and returns different intermediate values
as the final hash value.
• By analysing these faulty hash values, the first message can be
extracted entirely.

9. Implementation Attacks on Hash Functions
Testing Fault Attack on SHA-512 (SHA-2):
Hardware Implementation of SHA-2 contains at least two registers.
1. Hash Register : This register is initialized with the initial hash value
H(0) for each new message and updated after hashing each data
block. After hashing the last block, the HR contains the final hash
value.
2. Round Register(RR) : The register is initialized with the current hash
value H(i) for each data block and updated after each round.

10. Implementation Attacks on Hash Functions
• Testing Fault Attack on SHA-512 (SHA-2):The proposed fault
model relies on injecting two types of faults into the targeted
implementation.
• End-of-rounds error:
I. This error can be invoked by flipping the control bits which
enables writing the intermediate hash value into the hash register.
II. Must be performed in the correct clock cycle which demands
accurate knowledge of the time behaviour.

11. Implementation Attacks on Hash Functions
• Testing Fault Attack on SHA-512 (SHA-2):
• Last-Block Error:
1. It can be introduced in the system by flipping the other control bit
which is responsible for indicating the last bit.
2. It is done right after the first data block has been hashed.
3. It breaks the loop responsible for iterating the data blocks and
flipping the control bit, makes the intermediate value to be read out
as the final hash value.

12. Implementation Attacks on Hash Functions
• Testing Fault Attack on SHA-512 (SHA-2):
• Countermeasures:
There are two types of countermeasures for this Attack.
1. Preventive – Use of Asynchronous logic, clock randomization,
encryption of memory content.
2. Reactive – Blocking of output data in case of error detection.

13. Implementation Attacks on Hash Functions
• Testing Fault Attack on SHA-512 (SHA-2):
• Attack Evaluation:
1. Two variants of HMAC module were tested: with and without the
countermeasure.
2. Confirmed both, the criticality of attack and the effectiveness of the
Countermeasure.
3. By attacking the implementation the HMAC key was extracted in
mere 16 rounds, whereas each iteration provided a 64-bit segment
of the key.

14. Thank You!