Originally Posted by
laserlight
I presume they have such access to a copy of the binary, in which case the HMAC is still perfectly fine. If they have such access to the actual binary itself, it is game over since they can install code to intercept the password and/or plaintext archive.
Ahh, right you are! I really need to learn to communicate effectively; yes, it is a copy of the binary that, in this scenario, any attackers would have access to. I should have clarified that initially.
Originally Posted by
laserlight
Yes, but for encryption:
4. Calculate HMAC via H(MACk(X)).
I would modify that to:
4. Calculate HMAC via H(MACk(Xi)).
Then for decryption:
3. Calculate Dk(Xi) to acquire *potential* plaintext archive X.
4. Calculate HMAC via H(MACk(X)) from the *potential* plaintext archive X.
I would modify that correspondingly to:
3. Calculate HMAC via H(MACk(Xi)) from the *potential* encrypted archive Xi.
4. Calculate Dk(Xi) to acquire plaintext archive X.
Thank you very much! Yes, this way round makes much more sense; it did seem a bit redundant to decrypt the archive with a potential password, only to re-encrypt it again if the HMACs did not match.
So, considering potential attacks:
If someone inputs the wrong password, the HMAC generated would not be correct and the application would not decrypt the archive. If an attacker were to force decryption by manually feeding an incorrect password to the key-derivation function and forcing the module to call the decryption function, the key would not be correct and the resulting "decrypted" data would be incorrect. Am I correct?
If someone were to tamper with the archive, again, the HMAC generated prior to decryption would not match the HMAC stored at the beginning of the archive. Decryption would thus be impossible via the application itself and forcing decryption through binary modification would result in seemingly random data. Is this correct?
From the two scenarios outlined above, I realise that the actions of inputting an incorrect password and inputting either a correct or incorrect password to try to decrypt a tampered-with archive yield the same results (i.e. a non-valid HMAC). Is there any way to distinguish between an incorrect password being provided or the encrypted archive being tampered with?
Also, to derive the encryption key from the password, is it sufficient practise to iterate over the hash function a huge number of times or should a designated function, say PBKDF2 be used?
Another attack vector occurs to me: adversaries with massive computing power may find it easier to try to generate a valid HMAC from the encrypted archive itself via brute forcing of the key. Something like this:
Code:
1. HMACk0(Xi)
2. HMACk1(Xi)
3. HMACk2(Xi) ... etc etc
4. HMACk(n-1)(Xi)
5. HMACkn(Xi) <------------- Valid HMAC generated!
This attack would save having to attack the password itself and thus save repeatedly performing time consuming iterations of hash functions to derive a key for each password tested. I find myself wondering, how fast can HMACs be generated? I'm assuming the attack outlined above would still be less efficient than password brute-forcing or rainbow table attacks due to a huge keyspace? It just seems to me that any key-stretching used is pretty much rendered obsolete by this attack. (That is, unless HMACs computation is relatively time consuming?)
I apologise for so many questions and such long posts; I just want to learn how to do cryptography right, as all
Many thanks for all your help laser, I am learning a lot!
Abyssion