The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
N/A
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
CVE: CVE-2001-1585
Missing challenge-response step allows authentication bypass using public key.
| Phase | Note |
|---|---|
| Implementation | Developers sometimes omit "expensive" (resource-intensive) steps in order to improve performance, especially in devices with limited memory or slower CPUs. This step may be taken under a mistaken impression that the step is unnecessary for the cryptographic algorithm. |
| Requirements | This issue may happen when the requirements for the cryptographic algorithm are not clearly stated. |
Intro: The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HAMC is a message authentication code (MAC) that uses both a hash and a secret crypto key. The HMAC engine in HACK@DAC SoC uses the SHA-256 module for the calculation of the HMAC for 512 bits messages.
Body: However, this HMAC engine cannot handle messages that are longer than 512 bits. Moreover, a complete HMAC will contain an iterate hash function that breaks up a message into blocks of a fixed size and iterates over them with a compression function (e.g., SHA-256). Therefore, the implementation of the HMAC in OpenPiton SoC is incomplete. Such HMAC engines will not be used in real-world applications as the messages will usually be longer than 512 bits. For instance, OpenTitan offers a comprehensive HMAC implementation that utilizes a FIFO for temporarily storing the truncated message, as detailed in [REF-1359].
logic [511:0] bigData; ... hmac hmac( .clk_i(clk_i), .rst_ni(rst_ni && ~rst_4), .init_i(startHash && ~startHash_r), .key_i(key), .ikey_hash_i(ikey_hash), .okey_hash_i(okey_hash), .key_hash_bypass_i(key_hash_bypass), .message_i(bigData), .hash_o(hash), .ready_o(ready), .hash_valid_o(hashValid)