Lecture 11: Hash functions and MACs Flashcards

Question 1

Q

What are MACs built from?

Answer

A

block ciphers

Question 2

Q

What type of MAC is widely used in TLS?

Question 3

Q

What mode is widely used in TLS?

Answer

A

Authentication encryption mode GCM

Question 4

Q

What are hash functions typical building blocks in cryptograph for?

Answer

A

MACs and digital signatures

Question 5

Q

What does MAC stand for?

Answer

A

Message authentication code

Question 6

Q

Define a hash function

Answer

A

A hash function H is a PUBLIC function s.t.:

1) H is simple and fast to compute
2) H takes as input a message of ARBITRARY length and outputs a message digest H(m) of FIXED length

Question 7

Q

What are the three security properties of hash functions?

Answer

A

1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)

Question 8

Q

Define collision resistant

Answer

A

It should be infeasible to find any 2 different values x1, x2 s.t. H(x1) = H(x2)

-> two different inputs will never give the same output
-> many possibilities reduced

Question 9

Q

Define second-preimage resistant. Why is it stronger than collision resistant property?

Answer

A

Given a value x1, it should be infeasible to find a different value x2 s.t. H(x1) = H(x2)

Stronger as put restriction on 1 input

Question 10

Q

Define preimage resistant (one-way)

Answer

A

Given a value y (output), it should be infeasible to find any input x such that H(x) = y

Question 11

Q

If an attacker can break second-preimage resistance, what else can they break? Why?

Answer

A

break collision resistance as second preimage resistance is stronger than collision resistant

Question 12

Q

Comment on the strength of collision resistant, second-preimage resistant and preimage-resistant (one-way).

Answer

A

From least strong to strongest:

1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)

Question 13

Q

Explain the birthday paradox

[need to review YouTube video]

Answer

A

Let a group of 23 randomly chosen people, the probability that at least 2 have the same birthday is over 0.5.

If choosing around √|S| from a set S, then probability of getting 2 values the same is around 0.5

(pigeonhole principle –> if n items are put into m containers, with n > m, then at least one container must contain more than one item)

Question 14

Q

In terms of the birthday paradox, how many trials are enough to find a collision with probability around 0.5 when a hash function with output size of k bits is used?

Answer

A

Let H be seen as a random function.

Then √(2^k) = 2^(k/2) trials are enough to find a collision with probability around 0.5

Question 15

Q

How many trials are considered infeasible today for a hash function with output size of k bits?

What is the size of the output that hash functions need to satisfy collision resistance?

Answer

A

output of at least 256 bit to

Question 16

Q

From block ciphers, how can arbitrary-sized data can be processed?

Answer

A

1) having a function processing fixed-sized data

2) using it repeatedly

Question 17

Q

What does an iterated hash function do?

Answer

A

splits the input blocks of fixed size and operates on each block sequentially using the same function with fixed-sized inputs.

Question 18

Q

I.t.o iterated hash functions, what does Merkle-Damgård do?

Answer

A

using a compression function h taking fixed-sized inputs and applied to multiple blocks of the message

compression as reduces output length w.r.t. input

Question 19

Q

Outline the compression function h and give the diagram

Answer

A

h takes 2 n-bit input strings x1 and x2 and produces an n-bit output string y

diagram: slide 10, set 11

Question 20

Q

What type of function is Merkle-Damgård?

Answer

A

an iterated hash fuction

Question 21

Q

Explain Merkle-Damgård construction and give the diagram

Answer

A

1) Break message m into n-bit blocks m1 || m2 || … ||ml
2) Add padding and an encoding of the length of m –> this process may or may not add one block (depends if needed)
3) Input each block into compression function h along with chained output –> use IV to get started

Diagram: slide 11, set 11

Question 22

Q

What security does using Merkle-Damgård construction provide?

Answer

A

if compression function h is collision-resistant then hash function H is collision-resistant

Question 23

Q

What are the security weaknesses of Merkle-Damgård construction?

Answer

A

1) length extension attacks: once there is one collision, easy to find more
2) second preimage attacks not as hard as they should be
3) collisions for multiple messages: found without much more difficulty than collisions for 2 messages

Question 24

Q

What are examples of where Merkle-Damgård construction is used?

Answer

A

MD5, SHA-1, SHA-2 family

Question 25

Q

When was the MDx family used and who proposed it?

Answer

A

Proposed by Ron Rivest and widely used in the 90s

Question 26

Q

What are the deployed family members in the MDx family?

Answer

A

MD2, MD4 and MD5

Question 27

Q

What is size of the output in the MDx family and comment on its security

Answer

A

128-bit output

too small bits to be secure, should be 256

Question 28

Q

Which family members in the MDx family are broken?

Answer

A

ALL –> real collisions have been found

Question 29

Q

What does SHA stand for?

Answer

A

Secure hash algorithm

Question 30

Q

What is SHA based on?

Answer

A

MDx family design but has a more complex design and larger output of 160 bits

Question 31

Q

Has SHA-0 been broken?

Question 32

Q

Has SHA-1 been broken?

Question 33

Q

Why was the SHA-2 family developed?

Answer

A

in response to (real and theoretical) attacks onMD5 and SHA-1

Question 34

Q

What standard is SHA-2 in?

Answer

A

FIPS PUB 180-4 (Aug. 2015).

Question 35

Q

What is the hash size, block size and security match for SHA-224? Comment on if it is okay to use today

Answer

A

Hash size: 224 bits
Block size: 512 bits
Security match: 2 key 3DES

Hash size is too small so DON’T use

Question 36

Q

What is the hash size, block size and security match for SHA-512/224? Comment on if it is okay to use today

Answer

A

Hash size: 224 bits
Block size: 1024 bits
Security match: 2 key 3DES

Hash size is too small so DON’T use

Question 37

Q

What is the hash size, block size and security match for SHA-256? Comment on if it is okay to use today

Answer

A

Hash size: 256 bits
Block size: 512 bits
Security match: AES-128

Okay to use

Question 38

Q

What is the hash size, block size and security match for SHA-512/256? Comment on if it is okay to use today

Answer

A

Hash size: 256 bits
Block size: 1024 bits
Security match: AES-128

Okay to use

Question 39

Q

What is the hash size, block size and security match for SHA-384? Comment on if it is okay to use today

Answer

A

Hash size: 384 bits
Block size: 1024 bits
Security match: AES-192

Okay to use

Question 40

Q

What is the hash size, block size and security match for SHA-512? Comment on if it is okay to use today

Answer

A

Hash size: 512 bits
Block size: 1024 bits
Security match: AES-256

Okay to use

Question 41

Q

Comment on the message length field in terms of the SHA-2 family

Answer

A

64 bits when block length is 512 bits

128 bits when block length is 1024 bits

Question 42

Q

Comment on the padding used in SHA-2 family

Answer

A

always at least one bit of padding

There is an exact number of complete blocks, so:

1) After the 1st bit “1”, enough bits “0” are added.
2) Length field is then added (encoded)

Adding the padding and length field sometimes add an extra block, and sometimes does not –> depends on original message length

Question 43

Q

How and why was SHA-3 created?

Answer

A

attacks on MDx and SHA families as all based on same design

NIST competition –> Kecak (SHA-3) chosen which does not use a compression function, instead SPONGE function

Question 44

Q

What standard is SHA-3 (Keccak) in?

Answer

A

FIPS PUB 202 (Aug. 2015)

Question 45

Q

Why is applying a hash function NOT encryption?

Answer

A

1) hash computation does NOT depend on key

2) not possible to go backwards to find input in general –> linked blocks so difficult to update too

Question 46

Q

What do hash functions help provide?

Answer

A

data authentication, but not providing it alone!

Authenticating the hash of a message to authenticate the message

Question 47

Q

How and where are users’ passwords stored?

Answer

A

on server using hash functions, store salted hashes of passwords

Question 48

Q

How are salted hashes of passwords created?

Answer

A

1) pick random salt
2) compute h = H(pw, salt)
3) store (salt, hash)

Question 49

Q

Is it easy to check entered password for a user? If so, how?

Answer

A

h = H(pw’, salt)?

Question 50

Q

Comment on the hardness of recovering password pw from hash h

Answer

A

Hard to recover, assuming that H is preimage resistant (at least)

Question 51

Q

What would an attack need to store in order to recover a user’s password?

Answer

A

a different dictionary for EACH salt

Question 52

Q

What can be used to slow down password guessing?

Answer

A

slower hash function

Question 53

Q

What is the purpose of MAC?

Answer

A

It is a cryptographic mechanism to ensure message integrity:

Question 54

Q

What are the inputs and outputs of MAC?

Answer

A

Inputs: message M of arbitrary length, secret key K

Output: (short) fixed-sized tag T=MAC(M,K)

Question 55

Q

Outline how Alice sends a tag T and Bob use this info

Answer

A

1) Alice, the sender, appends the tag T to the message M (in the clear).
2) Bob, the recipient, computes T’ = MAC(M’,K) with the received message M’, and checks whether T = T’

Question 56

Q

Define unforgeability i.t.o MAC’s properties

Answer

A

it is not feasible to produce a valid pair(M,T) s.t. T = MAC(M,K) without knowledge of K

Question 57

Q

Define unforgeability under chosen message attack: i.t.o MAC’s properties

Answer

A

The attacker has access to a forging oracle (can compute valid tag) s.t. on input any message M of the attacker’s choice, the oracle outputs the tag T = MAC(M,K)

The attacker should not be able to produce a valid forgery that was not asked to the oracle (has not seen message for tag)

Question 58

Q

What does HMAC stand for?

Answer

A

MAC from hash function

Question 59

Q

When was HMAC proposed and by who?

Answer

A

Proposed by Bellare, Canetti and Krawczyk in 1996

Question 60

Q

What is HMAC built from?

Answer

A

Built from ANY iterated hash function H

Question 61

Q

What examples of HMAC usage?

Answer

A

MD5, SHA-1, SHA-256, …

Question 62

Q

What standard is HMAC in?

Answer

A

FIPS PUB 198-1 (July 2008).

Question 63

Q

Where is HMAC applied in?

Answer

A

Used in many applications such as TLS and IPSec

Question 64

Q

What are the 5 components used in constructing a HMAC?

Answer

A

H: iterated cryptographic hash function

M: message to be authenticated

K: key padded with zeros to be of block size of H

opad: fixed string 0x5c5c5c…5c
ipad: fixed string 0x363636…36

Answer 62

A

concatenation of bit strings

Answer 63

A

HMAC(M,K) = H((K ⊕ opad) || H((K ⊕ ipad) || M))

Answer 64

A

If:

1) either H is collision resistant
2) or H is a pseudorandom function

Answer 65

A

length extension attacks, even if H is a Merkle-Damgård hash function

Answer 66

A

pseudorandom function for deriving keys in cryptographic protocols

Answer 67

A

1) Split K into 2 parts K1 and K2, encrypt with K1 (confidentiality) and use K2 with a MAC (authenticity/integrity)
2) Use the authentication encryption algorithm providing both confidentiality and authenticity/integrity

Answer 68

A

1) Encrypt and MAC
2) MAC then encrypt
3) Encrypt then MAC

Answer 69

A

encrypt M, apply MAC to M, and send the ciphertext C and the tag T

Answer 70

A

apply MAC to M, then encrypt M||T, and send the ciphertext C

Answer 71

A

encrypt M, apply MAC to the ciphertext C, and send C and the tag T

Answer 72

A

Encrypt and MAC

Answer 73

A

1) C = Enc(M,K1)
2) T = MAC(C, K2)
3) Send C||T

Answer 74

A

MAC-then-encrypt construction

Several security vulnerabilities.

Answer 75

A

Combined authentication encryption modes

–> supporting CCM and GCM modes of operation for block ciphers

–> allowing data to be only authenticated (not encrypted) with authenticated encryption wit associated data (AEAD)

Answer 76

A

authenticated encryption wit associated data

Answer 77

A

Galois counter mode

Answer 78

A

1) a counter is initialized using a randomly chosen nonce N

2) keystream generated by encrypting successive values of the counter

Answer 79

A

Ot = E(Tt, K) where Tt = N||t is the concatenation of N and block number t

–> encryption applied on counter (nonce N)

Answer 80

A

Slide 30 in set 11

Answer 81

A

Ct = Ot ⊕ Pt

Answer 82

A

Pt = Ot ⊕ Ct

Answer 83

A

NO

Formatting function for N, A, P requires knowledge of length of A and P

Answer 84

A

Needing to know the size of A and P for CCM

Answer 85

A

NIST SP-800 38D

Answer 86

A

AES with GCM is faster

Hardware support of AES and carry-less addition in modern Intel chips

Answer 87

A

Combining CTR mode on block cipher E (e.g. AES but could be something else) with special keyed hash function GHASH

GHASH uses multiplication in finite field GF(2^(128))

Answer 88

A

plaintext P, authenticated data A and nonce N

Answer 89

A

ciphertext C and tag T

Answer 90

A

64-bit values

–> u and v are minimum numbers of zeros required to expand A and C to complete blocks respectively

Answer 91

A

Length t of T is 128 bits and length of N is 96 bits

Answer 92

A

J0 = N || 0^(31) || 1

Answer 93

A

increments the 32 MSB (most sig bit) of input string by 1 modulo 2^32

Answer 94

A

ciphertext C
nonce N
tag T
authenticated data A

Answer 95

A

1) bob computes the tag T’ using the shared key K and received C, N, A

2) bob compares T’ with received T:
- -> If T’ ≠ T the output “invalid”
- -> if T’ = T then the plaintext P is computed by generating the same keystream from CTR mode as for encryption

XOR to get plaintext

Brainscape's Knowledge GenomeTM

Lecture 11: Hash functions and MACs Flashcards

Brainscape's Knowledge Genome^TM