Lab 08 - MACs

The PowerPoint presentation for this lab can be found here.

In this lab we'll do some exercises with Message Authentication Codes.

Exercise 1 - Existential Unforgeability

In this exercise we will attack an insecure MAC algorithm by showing that an adversary can forge a (message, tag) pair without first querying a $\mathsf{Tag}$ oracle with the message.

Let $F$ be a $\mathsf{PRF}$. Show that the following MAC is insecure by constructing an efficient adversary with non-negligible advantage. The key is $k \in \{0, 1\}^n$, and for any message $m = m_1 \| m_2$ with $\left|m_1\right| = \left|m_2\right| = n$, the MAC is computed as:

$\mathsf{Tag}(k, m_1 \| m_2) = F_k(m_1) \| F_k(F_k(m_2)) $

You may try to use two queries to break the security of this MAC. But can you do it with a single query?

Exercise 2 - Birthday attack

In this exercise you will implement the Birthday attack on SHA-1 using OpenSSL. The goal is to obtain a collision in the first four bytes of the hash.

Your goal is to obtain a collision by finding two messages, $M_1$ and $M_2$, such that the first four bytes of $\mathsf{SHA1}(M_1)$ and $\mathsf{SHA1}(M_2)$ are equal.

The collision will be $32$ bits long, which means you will need $2^{16}$ random messages in your attack. Note that the attack is not guaranteed to succeed; on average, two iterations of the attack are required to find a collision.

In contrast to previous labs, this time we'll use C. You can implement the attack from scratch, or start from our archive here.

To compute a digest, you might find the code below useful:

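    /* Needs #include <openssl/sha.h>; buffer and length describe the message. */
    unsigned char md[SHA_DIGEST_LENGTH]; /* SHA_DIGEST_LENGTH is 20 */
    SHA_CTX context;
    SHA1_Init(&context);
    SHA1_Update(&context, buffer, length);
    SHA1_Final(md, &context); /* md must point to at least 20 bytes of valid memory */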

You can also check the SHA man page: https://www.openssl.org/docs/manmaster/man3/SHA1.html
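The search this exercise describes, as an added example that is not part of the lab archive: each iteration hashes $2^{16}$ constructed 8-byte messages, sorts the 32-bit prefixes and compares neighbours. So that it compiles without OpenSSL it carries its own single-block SHA-1 in place of the `SHA1_*` calls above (an assumption of this example), and `sha1_prefix32`, `hash_msg`, `birthday_round` and the message layout are hypothetical names and choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define Q (1u << 16) /* messages per iteration, as in the lab text */
/* First four bytes of SHA-1(msg) as one big-endian word; single block only (len <= 55). */
static uint32_t sha1_prefix32(const uint8_t *msg, size_t len) {
    uint8_t blk[64] = {0};
    uint32_t w[80], a = 0x67452301, b = 0xEFCDAB89, c = 0x98BADCFE,
             d = 0x10325476, e = 0xC3D2E1F0, f, k, t;
    memcpy(blk, msg, len); blk[len] = 0x80; /* message, then the padding marker */
    blk[62] = (uint8_t)(len >> 5); blk[63] = (uint8_t)(len << 3); /* length in bits */
    for (int i = 0; i < 80; i++) {
        if (i < 16) w[i] = (uint32_t)blk[4*i] << 24 | (uint32_t)blk[4*i+1] << 16
                         | (uint32_t)blk[4*i+2] << 8 | blk[4*i+3];
        else w[i] = ROL(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = ROL(a, 5) + f + e + k + w[i];
        e = d; d = c; c = ROL(b, 30); b = a; a = t;
    }
    return 0x67452301 + a; /* h0 after the block = digest bytes 0..3 */
}
static uint32_t hash_msg(uint32_t r, uint32_t i) { /* constructed message: the 8 bytes (r, i) */
    uint32_t m[2] = { r, i };
    return sha1_prefix32((const uint8_t *)m, sizeof m);
}
static int cmp_u64(const void *x, const void *y) {
    uint64_t p = *(const uint64_t *)x, q = *(const uint64_t *)y;
    return (p > q) - (p < q);
}
/* One iteration: hash Q messages, sort by prefix, compare neighbours; 1 on a collision. */
static int birthday_round(uint32_t r, uint32_t *i1, uint32_t *i2) {
    static uint64_t tab[Q]; /* prefix in the high word, message index in the low word */
    for (uint32_t i = 0; i < Q; i++) tab[i] = (uint64_t)hash_msg(r, i) << 32 | i;
    qsort(tab, Q, sizeof tab[0], cmp_u64);
    for (uint32_t i = 1; i < Q; i++)
        if ((tab[i] >> 32) == (tab[i-1] >> 32)) { *i1 = (uint32_t)tab[i-1]; *i2 = (uint32_t)tab[i]; return 1; }
    return 0;
}
int main(void) {
    uint32_t r = 0, i1, i2;
    while (!birthday_round(r, &i1, &i2)) r++; /* an iteration can fail: retry with new messages */
    printf("iteration %u: messages %u and %u share prefix %08x\n", r, i1, i2, hash_msg(r, i1));
    return 0;
}
```

Sorting the table makes each iteration cost $O(q \log q)$ comparisons instead of the $q^2/2$ needed to compare every pair directly.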

You may compile and install OpenSSL from sources.

Download the library from https://www.openssl.org/source/openssl-1.1.1d.tar.gz, and unpack it.

Open the unpacked folder in bash, and run the following commands:

    $ ./config --prefix=your_working_dir --openssldir=your_working_dir/openssl
    $ make
    $ make install_sw

To make the Makefile use the new paths, replace the variables at its top with the ones below:

    LDFLAGS=-Lyour_working_dir/lib -lcrypto
    CFLAGS=-Wall -g -Iyour_working_dir/include

ic/labs/08.1611565990.txt.gz · Last modified: 2021/01/25 11:13 by razvan.smadu
CC Attribution-Share Alike 3.0 Unported