Question: Homework 4: Breaking SHA-1 (Breaking Insecure MACs)
18 Oct 2022,7:19 PM
Homework 4: Breaking SHA-1
Objectives: Understanding UF-CMA by attacking a real hash function and integrity scheme.
The goal of this assignment is to break the security of a deterministic hash-based MAC. Namely, let H be the hash function constructed from the compression hash function h via the Merkle-Damg˚ard transform as per Figure 1. Then, to tag a message M consisting of b-bit blocks under a b-bit key K we compute tag ← H(K ∥ M ).
We have provided you with several Python files that you will work with in this assignment. In particular, you will be demonstrating that the MAC described above is not UF-CMA secure by modifying student.py to create a forged message and a corresponding tag. Detailed explanations can be found in the Files section, below.
You will be submitting your deliverables via Gradescope.
You’ve been provided the following library:
- student.py contains your exploit code that will successfully create a forged mes- sage that passes the MAC without knowing the secret key.
This is the only file you will modify for submission.
- crypto.py contains a custom Sha1 implementation modeled after Python’s hashlib module, but is extended with extra parameters that may help with length ex- tension attacks. You will likely need to refer to the RFC to understand how to use them.
- oracle.py simulates a UF-CMA adversarial scenario by including the necessary oracles.
- grader.py runs your exploit and lets you know whether or not you’ve successfully forged a message.
- secret.txt is an auto-generated secret key used by the oracle when you run the tests. Note that the Gradescope autograder will obviously use different keys.
The docstrings in each file provide further details about these modules; read them!
You can install the latest version of Python 3 for your system from here; there are no extra dependencies to install. Older versions of Python 3 may work, but we cannot make guarantees. To run the local auto-grader, simply execute:
python grader.py [your GT username]
-
- Objective
You should make student.main() return a (message, tag) pair that:
- includes at least the original message and your GT username in the forged message,
- hasn’t been submitted to the oracle, and
- passes the MAC.
(where message is a sequence of bytes and tag is a hexadecimal string value)
There are two parts to this:
- You should be able to do this for a fixed key length of 64 bytes. (15 points)
- You should then extend your solution to work for a variable, arbitrary key length of up to 100 bytes. (5 points)
You will need to submit the following deliverables via Gradescope. There are dif- ferent assignments for each, so please be careful to submit to the right one!
-
- student.py (20 points): Complete main() to forge messages via a length exten- sion attack. Remember that the messages you forge should contain at least your GT username and the original message.
You must keep the existing structure: nothing should run if you execute python student.py on its own, the input parameters should stay the same, and the return value(s) should match the expected format and types.
Submit this to Homework 4 (Code) on Gradescope.
The autograder will run a suite of tests to determine your score, offering small suggestions for common mistakes if it encounters them or exception logs if your code doesn’t run.
-
- report.pdf (5 points): Briefly discuss the exploit details. You should touch on, at minimum: how reliable your attack is, its (rough) run-time complexity, the root causes of the vulnerability in the integrity scheme at a high level, and how it could be alleviated (be sure to explain why these fixes will remedy the problem.).
Expert answer
This question has not been answered yet! Ask one of our experts for help on this by placing your order.
