Hash functions, MACs and authenticated encryption

Question 1

What are hash functions?

Answer 1

Cryptographic functions used as building block for authentication

A public function H, such that:
- Simple and fast to compute
- H takes a message m input of arbitrary length, and computes a fixed length hash output H(m)

Question 2

What are MACs?

Answer 2

symmetric key cryptographic mechanisms providing authentication and integrity services

Question 3

What does authenticated encryption combine?

Answer 3

Confidentiality and authentication

Question 4

Name 3 security properties of hash functions

Answer 4

Collision resistant
One-way (preimage resistant)
Second-preimage resistant

Question 5

What does it mean to be collision resistant?

Answer 5

It should be infeasible (impractical) to find 2 different messages x1 and x2, with H(x1)=H(x2)

Question 6

What does it mean to be preimage resistant (one-way)?

Answer 6

Given a value y, it should be infeasible to find any input x that gives H(x)=y

Question 7

What does it mean to be second-preimage resistant?

Answer 7

Given a value x1, it should be infeasible to find a different x2 such that H(X1)=H(X2)

Question 8

What can also be broken, if an attacker manages to break second-preimage resistance?

Answer 8

Collision resistance

Question 9

What is the birthday paradox?

Answer 9

If we choose sqrt(M) values from a set of size M, the probability of getting 2 equal values are around 0.5

If H has the output size of 2^k, then 2^(k/2) trials are enough to find a collision with the probability of 0.5

Question 10

Today, how many trials are considered infeasible, and because of this, how large should hash-outputs be to satisfy collision resistance?

Answer 10

2^128

This means that hash outputs should be 256 bits.

Question 11

What are iterated hash functions?

Answer 11

Split input into fixed sized blocks

Operates on each block sequentially using the same function with fixed size inputs (as done with block ciphers)

Question 12

What is the Merkle-Damgård construction?

Answer 12

Use a fixed-size compression function applied to multiple blocks of the message.

1. Breaks message m into n-bit blocks m1 || m2 || … || mr
2. Add padding and an encoding of the length of m. This may, or may not, add one block.
3. Input each block into the compression function h along with chained output; use IV to get started

h(IV, m1) = n1
h(n1, m2) = n2
…
Produces in the end H(m)

Question 13

How does a compression function h work?

Answer 13

Takes to input strings x1 and x2, and produces an n bit output string y

h(x1, x2) = n

Question 14

What is the security of Merkle-Damgård construction?

Answer 14

If compression-function h is collision-resistant, then hash-function H is collision resistant

Question 15

What are some weaknesses of Merkle-Damgård construction?

Answer 15

Length-extension attack: Once you have one collision, easy to find more

Sencond-preimage attacks are not as hard as they should be

Question 16

What are the members of the MDx family?

Answer 16

MD2, MD4, MD5

All 128-bit output

All broken

Question 17

What is SHA-0 and SHA-1

Answer 17

Secure Hash Algorithm

Based on MDx family

Both 160-bit output

Both are broke, have found collisions

Question 18

What is the SHA-2 family?

Answer 18

Developed in response to (real or theoretical) attacks on MD5 and SHA-1

Different variations with different Hash- and block sizes

Question 19

Describe the SHA-2 family

Answer 19

Block length: 512, 1024
Message length field: 64, 128

At least one bit of padding. After the first 1 in the padding, ‘0’ bits are added to achieve a exact number of blocks.

Question 20

What is SHA-3?

Answer 20

Use of sponge construction instead of Merkle-Damgård

Question 21

What are some properties that shows that hash is not encryption?

Answer 21

Hash computation aren’t dependent on a key

Not generally possible to go backwards to find the input

Question 22

How can hash functions help with providing data authentication?

Answer 22

Authenticate the hash of a message to authenticate the message

Building blocks for message authentication codes (HMAC)

Building blocks for signatures.

Question 23

How can the use of keys be combined with hash fnctions?

Answer 23

Can write hash functions that take a key s as an input:

H^s(x) = H(s, x)

It must be hard to find collision for a randomly generated key s

Key is NOT secret

Collision resistance must hold even if the adversary has the key

Question 24

How can hashes be used to store passwords?

Answer 24

Store salted hashes of passwords
- pick random salt
- compute h = H(pass, salt)
- store (salt, h)

Can check if password is valid by:
h == H(password_input, salt)

If H is preimage resistant, pass is hard to retreive from H(pass)

Question 25

What are MACs and what are they used for?

Answer 25

Message Authentication Code

Mechanisms that provides integrity and authentication

Question 26

Describe how MACs work

Answer 26

key K and message M, MAC algorithm outputs a fixed-length tag:

T = MAC(K, M)

Symmetric key algorithm, send and recv have K

Sender sends (M, T), M may- or may not be encrypted.

Receiver computes T’ = MAC(M’, K)

Then compares the tags T’ = T

Question 27

What is MAC unforgeability?

Answer 27

It is not feasible to producee a M and a T such that:

T = MAC(M, K) without knowing the K

Question 28

What is unforgeability under chosen message attack?

Answer 28

Attacker is given access to a forging oracle

Attacker can input M and the MAC tag is returned:

T = MAC(M, K)

The unforgeability property says that it is not feasible for the attacker to produce a (M, T) pair that was not already asked to the Oracle

Question 29

What is HMAC?

Answer 29

Built from iterated hash functions

Standardized, used in applications including TLS and IPsec

Question 30

How is HMAC calculated?

Answer 30

HMAC(M, K) = H ((K xor opad) || H((K xor ipad) || M))

M: Message
K: Key, padded with zeroes to be the block size of H
opad: fixed string (0x5c5c5c…5c)
ipad: fixed string (0x363636…36)
||: denotes concatination of bit strings

Question 31

When is HMAC unforgeable (secure)?

Answer 31

If H is collision resistant or H is a pseudorandom function

Question 32

Name one type of attack that HMAC is designed to resist

Answer 32

Length extension attacks, even when H is a Merkle-Damgård hash function

Question 33

What is a common usage of HMACs?

Answer 33

pseudorandom function for deriving keys in cryptographic protocols

Question 34

What is authenticated encryption?

Answer 34

Dedicated algorithms that provide both confidentiality, and authenticity and integrity

Question 35

For a shared key K between two parts, how can a message be sent with confidentiality, authentication and integrity?

Answer 35

Split key into 2 parts, K1 and K2

Encrypt with K1 (confidentiality)
Use K2 with a MAC (authenticity and integrity)

Question 36

How can encryption and message authentication be combined?

Answer 36

3 ways:

Encrypt and MAC
MAC then encrypt
Encrypt then MAC

Question 37

What is Encrypt and MAC?

Answer 37

encrypt M, apply MAC to M, send the two results

Question 38

What is MAC then encrypt?

Answer 38

Apply MAC to M to get tag,
Encrypt M||T
Send ciphertext

Question 39

What is encrypt then MAC?

Answer 39

Encrypt M to get ciphertext C
Then MAC C
Send 2 result

C = Enc(M, K1)
T = MAC(C, K2)
Send C||T

This is the safest approach

Question 40

What are some weaknesses with encrypt and MAC?

Answer 40

May not achieve the most basic level of secrecy

Even strongly secure MAC does not guarantee secrecy

A MAC can leak information about m in the tag

Question 41

What are some weaknesses with MAC then Encrypt?

Answer 41

Padding the message with the tag can cause 2 decryption errors:
- Incorrect padding
- Tag may not verify

An attacker can be able to distinguish between these two errors, and exploit this information

Question 42

What is AEAD?

Answer 42

An AEAD algorithm is a symmetric key cryptosystem

Question 43

What are the inputs and outputs of an AEAD?

Answer 43

Input:
M: Message (AEAD provides configentiality and authentication for M)
A: Associated data (provides authentication)
K: Shared key

Output:
Can contain different elements, such as ciphertext and tag

Question 44

When using an AEAD algorithm, what is sent from the sender to the recipient?

Answer 44

O and A

Question 45

When a receiver receives an AEAD message, what do they then do?

Answer 45

Either accept M and A, or report failure

Question 46

What is Galois Counter Mode (GCM)

Answer 46

Block cipher mode providing AEAD

Combines CTR mode on a block cipher, with a keyed hash function GHASH

Question 47

How does the GCM algorithm work?

Answer 47

GHASH Uses multiplication in the field GF(2^128)

Input: P, A (authenticated data), N (nonce)

u and v: values that are the minimum number 0s to expand A and C to complete number of blocks

output: C, T (tag), len_A, len_C (64 bit values)

Question 48

What does Inc_32 do in GCM?

Answer 48

Increment the right-most 32-bit of the input string by 1 mod 2^32

Question 49

How does GHASH work in GCM?

Answer 49

output = GHASH(X1, …, Xm)

operation *: multiplication in finite field GF(2^128)

HK = E(0^128, K) is the hash subkey

Question 50

How is GCM decrypted?

Answer 50

Elements transmitted to receiver: C, N, T, A

Receiver compute tag T, with a shared key

Computed tag is checked with received tag

If tag is correct, plaintext can be recomputed by generating the same key stream, from CTR mode

Question 51

What is key derivation?

Answer 51

User remembers a password that will be used to derive a key for encryption

Question 52

What are dictionary attacks?

Answer 52

Attacker have access to a dictionary of passwords, sorted by approximate frequency of use.

Attacker iterates from most to least frequent passwords

Question 53

What are a problem with storing encrypted passwords?

Answer 53

Where to store the key safely. If database/storage is compromised, key can be found and passwords retreived

Question 54

What is the safest way to store passwords?

Answer 54

Hashes: h = H(password)

Easy to check if an entered password is the correct:
H(input) == H(password)

Hard to recover password from H(password), assuming H is preimage resistant

con: Attacker can store dictionary of pw and H(pw), and compare with stolen input_password

Question 55

How can salted hashes be used to store passwords?

Answer 55

Pick random salt,
Store H(password, salt) and salt

Question 56

What are some pros and cons of using salted hashes to store passwords?

Answer 56

Pro:
- Easy to validate entered password
- Hard to recover password from H
- attacker needs to store different dictionary for each salt

con:
- doesn’t slow down per-password attacks

Question 57

What is PBKDF2?

Answer 57

Password Based Key Derivation Function 2

Uses hash, MAC or cipher

Combines pass + salt

Uses multiple iterations to slow down attacks

Can output key of arbitrary length

Question 58

How is PBKDF2 constructed?

Answer 58

PBKDF2(P, pass, salt, c) = U1 xor U2 xor…xor Uc

U1 = F(pw, salt || 1)
Uj = F(pw, U_j-1) for j >= 2

F: Pseudorandom function (e.g. HMAC with SHA256)

Question 59

What should any AEAD algorithm provide?

Answer 59

Confidentiality for M

Authentication for M and A