Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

COSC362 > Lecture 11: Hash functions and MACs > Flashcards

Lecture 11: Hash functions and MACs Flashcards

1
Q

What are MACs built from?

A

block ciphers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What type of MAC is widely used in TLS?

A

HMAC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What mode is widely used in TLS?

A

Authentication encryption mode GCM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are hash functions typical building blocks in cryptograph for?

A

MACs and digital signatures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What does MAC stand for?

A

Message authentication code

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Define a hash function

A

A hash function H is a PUBLIC function s.t.:

1) H is simple and fast to compute
2) H takes as input a message of ARBITRARY length and outputs a message digest H(m) of FIXED length

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the three security properties of hash functions?

A

1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Define collision resistant

A

It should be infeasible to find any 2 different values x1, x2 s.t. H(x1) = H(x2)

  • -> two different inputs will never give the same output
  • -> many possibilities reduced
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Define second-preimage resistant. Why is it stronger than collision resistant property?

A

Given a value x1, it should be infeasible to find a different value x2 s.t. H(x1) = H(x2)

Stronger as put restriction on 1 input

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Define preimage resistant (one-way)

A

Given a value y (output), it should be infeasible to find any input x such that H(x) = y

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

If an attacker can break second-preimage resistance, what else can they break? Why?

A

break collision resistance as second preimage resistance is stronger than collision resistant

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Comment on the strength of collision resistant, second-preimage resistant and preimage-resistant (one-way).

A

From least strong to strongest:

1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Explain the birthday paradox

[need to review YouTube video]

A

Let a group of 23 randomly chosen people, the probability that at least 2 have the same birthday is over 0.5.

If choosing around √|S| from a set S, then probability of getting 2 values the same is around 0.5

(pigeonhole principle –> if n items are put into m containers, with n > m, then at least one container must contain more than one item)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

In terms of the birthday paradox, how many trials are enough to find a collision with probability around 0.5 when a hash function with output size of k bits is used?

A

Let H be seen as a random function.

Then √(2^k) = 2^(k/2) trials are enough to find a collision with probability around 0.5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How many trials are considered infeasible today for a hash function with output size of k bits?

What is the size of the output that hash functions need to satisfy collision resistance?

A

output of at least 256 bit to

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

From block ciphers, how can arbitrary-sized data can be processed?

A

1) having a function processing fixed-sized data

2) using it repeatedly

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What does an iterated hash function do?

A

splits the input blocks of fixed size and operates on each block sequentially using the same function with fixed-sized inputs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

I.t.o iterated hash functions, what does Merkle-Damgård do?

A

using a compression function h taking fixed-sized inputs and applied to multiple blocks of the message

compression as reduces output length w.r.t. input

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Outline the compression function h and give the diagram

A

h takes 2 n-bit input strings x1 and x2 and produces an n-bit output string y

diagram: slide 10, set 11

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What type of function is Merkle-Damgård?

A

an iterated hash fuction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Explain Merkle-Damgård construction and give the diagram

A

1) Break message m into n-bit blocks m1 || m2 || … ||ml
2) Add padding and an encoding of the length of m –> this process may or may not add one block (depends if needed)
3) Input each block into compression function h along with chained output –> use IV to get started

Diagram: slide 11, set 11

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What security does using Merkle-Damgård construction provide?

A

if compression function h is collision-resistant then hash function H is collision-resistant

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are the security weaknesses of Merkle-Damgård construction?

A

1) length extension attacks: once there is one collision, easy to find more
2) second preimage attacks not as hard as they should be
3) collisions for multiple messages: found without much more difficulty than collisions for 2 messages

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are examples of where Merkle-Damgård construction is used?

A

MD5, SHA-1, SHA-2 family

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
When was the MDx family used and who proposed it?
Proposed by Ron Rivest and widely used in the 90s
26
What are the deployed family members in the MDx family?
MD2, MD4 and MD5
27
What is size of the output in the MDx family and comment on its security
128-bit output | too small bits to be secure, should be 256
28
Which family members in the MDx family are broken?
ALL --> real collisions have been found
29
What does SHA stand for?
Secure hash algorithm
30
What is SHA based on?
MDx family design but has a more complex design and larger output of 160 bits
31
Has SHA-0 been broken?
yes
32
Has SHA-1 been broken?
yes
33
Why was the SHA-2 family developed?
in response to (real and theoretical) attacks onMD5 and SHA-1
34
What standard is SHA-2 in?
FIPS PUB 180-4 (Aug. 2015).
35
What is the hash size, block size and security match for SHA-224? Comment on if it is okay to use today
Hash size: 224 bits Block size: 512 bits Security match: 2 key 3DES Hash size is too small so DON'T use
36
What is the hash size, block size and security match for SHA-512/224? Comment on if it is okay to use today
Hash size: 224 bits Block size: 1024 bits Security match: 2 key 3DES Hash size is too small so DON'T use
37
What is the hash size, block size and security match for SHA-256? Comment on if it is okay to use today
Hash size: 256 bits Block size: 512 bits Security match: AES-128 Okay to use
38
What is the hash size, block size and security match for SHA-512/256? Comment on if it is okay to use today
Hash size: 256 bits Block size: 1024 bits Security match: AES-128 Okay to use
39
What is the hash size, block size and security match for SHA-384? Comment on if it is okay to use today
Hash size: 384 bits Block size: 1024 bits Security match: AES-192 Okay to use
40
What is the hash size, block size and security match for SHA-512? Comment on if it is okay to use today
Hash size: 512 bits Block size: 1024 bits Security match: AES-256 Okay to use
41
Comment on the message length field in terms of the SHA-2 family
64 bits when block length is 512 bits 128 bits when block length is 1024 bits
42
Comment on the padding used in SHA-2 family
always at least one bit of padding There is an exact number of complete blocks, so: 1) After the 1st bit “1”, enough bits “0” are added. 2) Length field is then added (encoded) Adding the padding and length field sometimes add an extra block, and sometimes does not --> depends on original message length
43
How and why was SHA-3 created?
attacks on MDx and SHA families as all based on same design NIST competition --> Kecak (SHA-3) chosen which does not use a compression function, instead SPONGE function
44
What standard is SHA-3 (Keccak) in?
FIPS PUB 202 (Aug. 2015)
45
Why is applying a hash function NOT encryption?
1) hash computation does NOT depend on key | 2) not possible to go backwards to find input in general --> linked blocks so difficult to update too
46
What do hash functions help provide?
data authentication, but not providing it alone! Authenticating the hash of a message to authenticate the message
47
How and where are users' passwords stored?
on server using hash functions, store salted hashes of passwords
48
How are salted hashes of passwords created?
1) pick random salt 2) compute h = H(pw, salt) 3) store (salt, hash)
49
Is it easy to check entered password for a user? If so, how?
h = H(pw', salt)?
50
Comment on the hardness of recovering password pw from hash h
Hard to recover, assuming that H is preimage resistant (at least)
51
What would an attack need to store in order to recover a user's password?
a different dictionary for EACH salt
52
What can be used to slow down password guessing?
slower hash function
53
What is the purpose of MAC?
It is a cryptographic mechanism to ensure message integrity:
54
What are the inputs and outputs of MAC?
Inputs: message M of arbitrary length, secret key K Output: (short) fixed-sized tag T=MAC(M,K)
55
Outline how Alice sends a tag T and Bob use this info
1) Alice, the sender, appends the tag T to the message M (in the clear). 2) Bob, the recipient, computes T' = MAC(M',K) with the received message M', and checks whether T = T'
56
Define unforgeability i.t.o MAC's properties
it is not feasible to produce a valid pair(M,T) s.t. T = MAC(M,K) without knowledge of K
57
Define unforgeability under chosen message attack: i.t.o MAC's properties
The attacker has access to a forging oracle (can compute valid tag) s.t. on input any message M of the attacker’s choice, the oracle outputs the tag T = MAC(M,K) The attacker should not be able to produce a valid forgery that was not asked to the oracle (has not seen message for tag)
58
What does HMAC stand for?
MAC from hash function
59
When was HMAC proposed and by who?
Proposed by Bellare, Canetti and Krawczyk in 1996
60
What is HMAC built from?
Built from ANY iterated hash function H
61
What examples of HMAC usage?
MD5, SHA-1, SHA-256, ...
62
What standard is HMAC in?
FIPS PUB 198-1 (July 2008).
63
Where is HMAC applied in?
Used in many applications such as TLS and IPSec
64
What are the 5 components used in constructing a HMAC?
H: iterated cryptographic hash function M: message to be authenticated K: key padded with zeros to be of block size of H opad: fixed string 0x5c5c5c...5c ipad: fixed string 0x363636...36
65
What does || mean?
concatenation of bit strings
66
Give the formula for computing HMAC(M,K)
HMAC(M,K) = H((K ⊕ opad) || H((K ⊕ ipad) || M))
67
How many times is the hash function applied in the formula for HMAC(M,K)?
twice
68
When is HMAC secure?
If: 1) either H is collision resistant 2) or H is a pseudorandom function
69
What type of attacks is HMAC design to resist?
length extension attacks, even if H is a Merkle-Damgård hash function
70
What is HMAC often used as?
pseudorandom function for deriving keys in cryptographic protocols
71
Let Alice and Bob share a key K. Alice wants to send to Bob a message M with confidentiality and authenticity/integrity. What are the options to do so?
1) Split K into 2 parts K1 and K2, encrypt with K1 (confidentiality) and use K2 with a MAC (authenticity/integrity) 2) Use the authentication encryption algorithm providing both confidentiality and authenticity/integrity
72
What are three options for combining encryption and MAC?
1) Encrypt and MAC 2) MAC then encrypt 3) Encrypt then MAC
73
What is the encrypt-and-MAC option?
encrypt M, apply MAC to M, and send the ciphertext C and the tag T
74
What is the MAC-then-encrypt option?
apply MAC to M, then encrypt M||T, and send the ciphertext C
75
What is the encrypt-then-MAC option?
encrypt M, apply MAC to the ciphertext C, and send C and the tag T
76
Which option out of the following is the safest and most secure approach? 1) Encrypt and MAC 2) MAC then encrypt 3) Encrypt then MAC
Encrypt and MAC
77
Give the steps in the encrypt and MAC option for combining encryption and MAC
1) C = Enc(M,K1) 2) T = MAC(C, K2) 3) Send C||T
78
What option for combining encryption and MAC is used in older versions of TLS SSL 3, TLS 1.0 and 1.1)? What does this mean?
MAC-then-encrypt construction Several security vulnerabilities.
79
What authenticatoin methods are used in TLS 1.2 and 1.3?
Combined authentication encryption modes --> supporting CCM and GCM modes of operation for block ciphers --> allowing data to be only authenticated (not encrypted) with authenticated encryption wit associated data (AEAD)
80
What does AEAD stand for?
authenticated encryption wit associated data
81
What does GCM stand for?
Galois counter mode
82
Explain what is meant by CTR being a synchronous stream cipher
1) a counter is initialized using a randomly chosen nonce N | 2) keystream generated by encrypting successive values of the counter
83
How is the keystream generated in CTR?
Ot = E(Tt, K) where Tt = N||t is the concatenation of N and block number t --> encryption applied on counter (nonce N)
84
Give the diagram for CTR mode for block ciphers
Slide 30 in set 11
85
What is the encryption formula to produce Ct?
Ct = Ot ⊕ Pt
86
What is the decryption formula to produce Pt?
Pt = Ot ⊕ Ct
87
Is CCM suitable for processing streaming data? Why?
NO Formatting function for N, A, P requires knowledge of length of A and P
88
What limitation of CCM does GCM overcome?
Needing to know the size of A and P for CCM
89
What standard is GCM in?
NIST SP-800 38D
90
Which is faster? AES with GCM or AES with HMAC Why?
AES with GCM is faster Hardware support of AES and carry-less addition in modern Intel chips
91
What is the algorithm for GCM?
Combining CTR mode on block cipher E (e.g. AES but could be something else) with special keyed hash function GHASH GHASH uses multiplication in finite field GF(2^(128))
92
What are the inputs for GCM's algorithm?
plaintext P, authenticated data A and nonce N
93
What are the outputs of GCM's algorithm?
ciphertext C and tag T
94
What are the lengths lenA of A and lenC of C i.t.o GCM's algorithm?
64-bit values --> u and v are minimum numbers of zeros required to expand A and C to complete blocks respectively
95
What are the length t of T and length of N i.t.o GCM's algorithm?
Length t of T is 128 bits and length of N is 96 bits
96
What is the initial block i.t.o GCM's algorithm?
J0 = N || 0^(31) || 1
97
What does the function inc32 do i.t.o GCM's algorithm?
increments the 32 MSB (most sig bit) of input string by 1 modulo 2^32
98
Explain the diagram for the GCM algorithm on slide 33 in set 11
TODO
99
Explain the diagram for the GCM algorithm on slide 34 in set 11
TODO
100
I.t.o decryption in GCM, what are the elements transmitted by Bob, the recipient?
ciphertext C nonce N tag T authenticated data A
101
Explain the decryption process in GCM
1) bob computes the tag T' using the shared key K and received C, N, A 2) bob compares T' with received T: - -> If T' ≠ T the output "invalid" - -> if T' = T then the plaintext P is computed by generating the same keystream from CTR mode as for encryption XOR to get plaintext

COSC362 (21 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions