Hash functions, MACs and authenticated encryption

Question 1

What are hash functions?

Answer 1

Cryptographic functions used as building block for authentication

A public function H, such that:
- Simple and fast to compute
- H takes a message m input of arbitrary length, and computes a fixed length hash output H(m)

Question 2

What are MACs?

Answer 2

symmetric key cryptographic mechanisms providing authentication and integrity services

Question 3

What does authenticated encryption combine?

Answer 3

Confidentiality and authentication

Question 4

Name 3 security properties of hash functions

Answer 4

Collision resistant
One-way (preimage resistant)
Second-preimage resistant

Question 5

What does it mean to be collision resistant?

Answer 5

It should be infeasible (impractical) to find 2 different messages x1 and x2, with H(x1)=H(x2)

Question 6

What does it mean to be preimage resistant (one-way)?

Answer 6

Given a value y, it should be infeasible to find any input x that gives H(x)=y

Question 7

What does it mean to be second-preimage resistant?

Answer 7

Given a value x1, it should be infeasible to find a different x2 such that H(X1)=H(X2)

Question 8

What can also be broken, if an attacker manages to break second-preimage resistance?

Answer 8

Collision resistance

Question 9

What is the birthday paradox?

Answer 9

If we choose sqrt(M) values from a set of size M, the probability of getting 2 equal values are around 0.5

If H has the output size of 2^k, then 2^(k/2) trials are enough to find a collision with the probability of 0.5

Question 10

Today, how many trials are considered infeasible, and because of this, how large should hash-outputs be to satisfy collision resistance?

Answer 10

2^128

This means that hash outputs should be 256 bits.

Question 11

What are iterated hash functions?

Answer 11

Split input into fixed sized blocks

Operates on each block sequentially using the same function with fixed size inputs (as done with block ciphers)

Question 12

What is the Merkle-Damgård construction?

Answer 12

Use a fixed-size compression function applied to multiple blocks of the message.

1. Breaks message m into n-bit blocks m1||m2||…||mn
2. Add padding and an encoding of the length of m. This may, or may not, add one block.
3. Input each block into the compression function h along with chained output; use IV to get started

h(IV, m1) = n1
h(n1, m2) = n2
…
Produces in the end H(m)

Question 13

How does a compression function h work?

Answer 13

Takes to input strings x1 and x2, and produces an n bit output string y

h(x1, x2) = n

Question 14

What is the security of Merkle-Damgård construction?

Answer 14

If compression-function h is collision-resistant, then hash-function H is collision resistant

Question 15

What are some weaknesses of Merkle-Damgård construction?

Answer 15

Length-extension attack: Once you have one collision, easy to find more

Sencond-preimage attacks are not as hard as they should be

Question 16

What are the members of the MDx family?

Answer 16

MD2, MD4, MD5

All 128-bit output

All broken

Question 17

What is SHA-0 and SHA-1

Answer 17

Secure Hash Algorithm

Both 160-bit output

Both are broke, have found collisions

Question 18

What is the SHA-2 family?

Answer 18

Developed in response to (real or theoretical) attacks on MD5 and SHA-1

Question 19

Describe the SHA-2 family

Answer 19

Block n: 512, 1024
Message length field: 64, 128

At least one bit of padding. After the first 1 in the padding, ‘0’ bits are added to achieve a exact number of blocks.

Question 20

What is SHA-3?

Answer 20

Use of sponge construction instead of Merkle-Damgård

Question 21

What are some properties that shows that hash is not encryption?

Answer 21

Hash computation aren’t dependent on a key

Not generally possible to go backwards to find the input

Question 22

How can hash functions help with providing data authentication?

Answer 22

Authenticate the hash of a message to authenticate the message

Building blocks for message authentication codes (HMAC)

Building blocks for signatures.

Question 23

How can the use of keys be combined with hash fnctions?

Answer 23

Can write hash functions that take a key s as an input:

H^s(x) = H(s, x)

It must be hard to find collision for a randomly generated key s

Key is NOT secret

Collision resistance must hold even if the adversary has the key

Question 24

How can hashes be used to store passwords?

Answer 24

Store salted hashes of passwords
- pick random salt
- compute h = H(pass, salt)
- store (salt, h)

Can check if password is valid by:
h == H(password_input, salt)

If H is preimage resistant, pass is hard to retreive from H(pass)

Question 25

Wat does secure communications mean?

Question 26

What is message integrity?

Question 27

What are MACs and what are they used for?

Answer 27

Message Authentication Code

Integrity and authentication

Question 28

Describe how MACs work

Answer 28

key K and message M, MAC algorithm outputs a fixed-length tag:

T = MAC(K, M)

Symmetric key algorithm, send and recv have K

Sender sends (M, K), M may- or may not be encrypted.

Receiver computes T’ = MAC(M’, K)

Then compares the tags T’ = T

Question 29

What is MAC unforgeability?

Answer 29

It is not feasible to producee a M and a T such that:

T = MAC(M, K) without knowing the K

Question 30

What is unforgeability under chosen message attack?

Answer 30

Attacker is given access to a forging oracle

Attacker can input M and the MAC tag is returned:

T = MAC(M, K)

The unforgeability property says that it is not feasible for the attacker to produce a (M, T) pair that was not already asked to the Oracle

Question 31

What is HMAC?

Answer 31

Built from iterated hash functions

Standardized, used in applications including TLS and IPsec

Question 32

How is HMAC calculated?

Answer 32

HMAC(M, K) = H ((K xor opad) || H((K xor ipad) || M))

M: Message
K: Key, padded with zeroes to be the block size of H
opad: fixed string (0x5c5c5c…5c)
ipad: fixed string (0x363636…36)
||: denotes concatination of bit strings

Question 33

When is HMAC unforgeable (secure)?

Answer 33

If H is collision resistant or H is a pseudorandom function

Question 34

Name one type of attack that HMAC is designed to resist

Answer 34

Length extension attacks, even when H is a Merkle-Damgård hash function

Question 35

What is a common usage of HMACs?

Answer 35

pseudorandom function for deriving keys in cryptographic protocols

Question 36

What is authenticated encryption?

Answer 36

Dedicated algorithms that provide both confidentiality, and authenticity and integrity

Question 37

For a shared key K between two parts, how can a message be sent with confidentiality, authentication and integrity?

Answer 37

Split key into 2, K1 and K2

Encrytp K1 (confidentiality)
Use K2 with a MAC (authenticity and integrity)

Question 38

How can encryption and message authentication be combined?

Answer 38

3 ways:

Encrypt and MAC
MAC then encrypt
Encrypt then MAC

Question 39

What is Encrypt and MAC?

Answer 39

encrypt M, apply MAC to M, send the two results

Question 40

What is MAC then encrypt?

Answer 40

Apply MAC to M to get tag,
Encrypt M||T
Send ciphertext

Question 41

What is encrypt then MAC?

Answer 41

Encrypt M to get ciphertext C
Then MAC C
Send 2 result

C = Enc(M, K1)
T = MAC(C, K2)
Send C||T

Question 42

What are some weaknesses with encrypt and MAC?

Answer 42

Does not achieve the most basic level of secrecy

Even strongly secure MAC does not guarantee secrecy

A MAC can leak information about m in the tag

Question 43

What are some weaknesses with MAC then Encrypt?

Answer 43

Padding the message with the tag can cause 2 decryption errors:
- Incorrect padding
- Tag may not verify

An attacker can be able to distinguish between these two errors, and exploit this information

Question 44

What is AEAD?

Answer 44

An AEAD algorithm is a symmetric key cryptosystem

Question 45

What are the inputs and outputs of an AEAD?

Answer 45

Input:
M: Message (AEAD provides configentiality and authentication for M)

A: Associated data (provides authentication)
K: Shared key

Output:
Can contain different elements, such as ciphertext and tag

Question 46

When using an AEAD algorithm, what is sent from the sender to the recipient?

Answer 46

O and A

Question 47

When a receiver receives an AEAD message, what do they then do?

Answer 47

Either accept M and A, or report failure

Question 48

What is Galois Counter Mode (GCM)

Answer 48

Block cipher mode providing AEAD

Combines CTR mode on a block cipher, with a keyed hash function GHASH

Question 49

How does the GCM algorithm work?

Answer 49

GHASH Uses multiplication in the field GF(2^128)

Input: P, A (authenticated data), N (nonce)

u and v: minimum number 0s to expand A and C to complete number of blocks

output: C, T (tag), len_A, len_C (64 bit values)

(Figure page 35, L7)

Question 50

What does Inc_32 do in GCM?

Answer 50

Increment the right-most 32-bit of the input string by 1 mod 2^32

Question 51

How does GHASH work in GCM?

Answer 51

output = GHASH(X1, …, Xm)

operation *: multiplication in finite field GF(2^128)

HK = E(0^128, K) is the hash subkey

Question 52

How is GCM decrypted?

Answer 52

Elements transmitted to receiver: C, N, T, A

Receiver compute tag T, with a shared key

Computed tag is checked with received tag

If tag is correct, plaintext can be recomputed by generating the same key stream, from CTR mode

Question 53

What is key derivation?

Answer 53

User remembers a password that will be used to derive a key for encryption

Question 54

What are dictionary attacks?

Answer 54

Attacker have access to a dictionary of passwords, sorted by approximate frequency of use.

Attacker iterates from most to least frequent passwords

Question 55

What are a problem with storing encrypted passwords?

Answer 55

Where to store the key safely. If database/storage is compromised, key can be found and passwords retreived

Question 56

What is the safest way to store passwords?

Answer 56

Hashes: h = H(password)

Easy to check if an entered password is the correct:
H(input) == H(password)

Hard to recover password from H(password), assuming H is preimage resistant

con: Attacker can store dictionary of pw and H(pw), and compare with stolen input_password

Question 57

How can salted hashes be used to store passwords?

Answer 57

Pick random salt,
Store H(password, salt) and salt

Question 58

What are some pros and cons of using salted hashes to store passwords?

Answer 58

Pro:
- Easy to validate entered password
- Hard to recover password from H
- attacker needs to store different dictionary for each salt

con:
- doesn’t slow down per-password attacks

Question 59

What is PBKDF2?

Answer 59

Password Based Key Derivation Function 2

Uses hash, MAC or cipher

Combines pass + salt

Uses multiple iterations to slow down attacks

Can output key of arbitrary length

Question 60

How is PBKDF2 constructed?

Answer 60

PBKDF2(P, pass, salt, c) = U1 xor U2 xor…xor Uc

U1 = F(pw, salt||1)
Uj = F(pw, U_j-1) for j >= 2

F: Pseudorandom function (e.g. HMAC with SHA256)