Hash functions, MACs and authenticated encryption Flashcards
What are hash functions?
Cryptographic functions used as building block for authentication
A public function H, such that:
- Simple and fast to compute
- H takes a message m input of arbitrary length, and computes a fixed length hash output H(m)
What are MACs?
symmetric key cryptographic mechanisms providing authentication and integrity services
What does authenticated encryption combine?
Confidentiality and authentication
Name 3 security properties of hash functions
Collision resistant
One-way (preimage resistant)
Second-preimage resistant
What does it mean to be collision resistant?
It should be infeasible (impractical) to find 2 different messages x1 and x2, with H(x1)=H(x2)
What does it mean to be preimage resistant (one-way)?
Given a value y, it should be infeasible to find any input x that gives H(x)=y
What does it mean to be second-preimage resistant?
Given a value x1, it should be infeasible to find a different x2 such that H(X1)=H(X2)
What can also be broken, if an attacker manages to break second-preimage resistance?
Collision resistance
What is the birthday paradox?
If we choose sqrt(M) values from a set of size M, the probability of getting 2 equal values are around 0.5
If H has the output size of 2^k, then 2^(k/2) trials are enough to find a collision with the probability of 0.5
Today, how many trials are considered infeasible, and because of this, how large should hash-outputs be to satisfy collision resistance?
2^128
This means that hash outputs should be 256 bits.
What are iterated hash functions?
Split input into fixed sized blocks
Operates on each block sequentially using the same function with fixed size inputs (as done with block ciphers)
What is the Merkle-Damgård construction?
Use a fixed-size compression function applied to multiple blocks of the message.
- Breaks message m into n-bit blocks m1 || m2 || … || mr
- Add padding and an encoding of the length of m. This may, or may not, add one block.
- Input each block into the compression function h along with chained output; use IV to get started
h(IV, m1) = n1
h(n1, m2) = n2
…
Produces in the end H(m)
How does a compression function h work?
Takes to input strings x1 and x2, and produces an n bit output string y
h(x1, x2) = n
What is the security of Merkle-Damgård construction?
If compression-function h is collision-resistant, then hash-function H is collision resistant
What are some weaknesses of Merkle-Damgård construction?
Length-extension attack: Once you have one collision, easy to find more
Sencond-preimage attacks are not as hard as they should be
What are the members of the MDx family?
MD2, MD4, MD5
All 128-bit output
All broken
What is SHA-0 and SHA-1
Secure Hash Algorithm
Based on MDx family
Both 160-bit output
Both are broke, have found collisions
What is the SHA-2 family?
Developed in response to (real or theoretical) attacks on MD5 and SHA-1
Different variations with different Hash- and block sizes
Describe the SHA-2 family
Block length: 512, 1024
Message length field: 64, 128
At least one bit of padding. After the first 1 in the padding, ‘0’ bits are added to achieve a exact number of blocks.
What is SHA-3?
Use of sponge construction instead of Merkle-Damgård
What are some properties that shows that hash is not encryption?
Hash computation aren’t dependent on a key
Not generally possible to go backwards to find the input
How can hash functions help with providing data authentication?
Authenticate the hash of a message to authenticate the message
Building blocks for message authentication codes (HMAC)
Building blocks for signatures.
How can the use of keys be combined with hash fnctions?
Can write hash functions that take a key s as an input:
H^s(x) = H(s, x)
It must be hard to find collision for a randomly generated key s
Key is NOT secret
Collision resistance must hold even if the adversary has the key