Lecture 11: Hash functions and MACs Flashcards
What are MACs built from?
block ciphers
What type of MAC is widely used in TLS?
HMAC
What mode is widely used in TLS?
Authentication encryption mode GCM
What are hash functions typical building blocks in cryptograph for?
MACs and digital signatures
What does MAC stand for?
Message authentication code
Define a hash function
A hash function H is a PUBLIC function s.t.:
1) H is simple and fast to compute
2) H takes as input a message of ARBITRARY length and outputs a message digest H(m) of FIXED length
What are the three security properties of hash functions?
1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)
Define collision resistant
It should be infeasible to find any 2 different values x1, x2 s.t. H(x1) = H(x2)
- -> two different inputs will never give the same output
- -> many possibilities reduced
Define second-preimage resistant. Why is it stronger than collision resistant property?
Given a value x1, it should be infeasible to find a different value x2 s.t. H(x1) = H(x2)
Stronger as put restriction on 1 input
Define preimage resistant (one-way)
Given a value y (output), it should be infeasible to find any input x such that H(x) = y
If an attacker can break second-preimage resistance, what else can they break? Why?
break collision resistance as second preimage resistance is stronger than collision resistant
Comment on the strength of collision resistant, second-preimage resistant and preimage-resistant (one-way).
From least strong to strongest:
1) collision resistant
2) second-preimage resistant
3) preimage resistant (one-way)
Explain the birthday paradox
[need to review YouTube video]
Let a group of 23 randomly chosen people, the probability that at least 2 have the same birthday is over 0.5.
If choosing around √|S| from a set S, then probability of getting 2 values the same is around 0.5
(pigeonhole principle –> if n items are put into m containers, with n > m, then at least one container must contain more than one item)
In terms of the birthday paradox, how many trials are enough to find a collision with probability around 0.5 when a hash function with output size of k bits is used?
Let H be seen as a random function.
Then √(2^k) = 2^(k/2) trials are enough to find a collision with probability around 0.5
How many trials are considered infeasible today for a hash function with output size of k bits?
What is the size of the output that hash functions need to satisfy collision resistance?
output of at least 256 bit to
From block ciphers, how can arbitrary-sized data can be processed?
1) having a function processing fixed-sized data
2) using it repeatedly
What does an iterated hash function do?
splits the input blocks of fixed size and operates on each block sequentially using the same function with fixed-sized inputs.
I.t.o iterated hash functions, what does Merkle-Damgård do?
using a compression function h taking fixed-sized inputs and applied to multiple blocks of the message
compression as reduces output length w.r.t. input
Outline the compression function h and give the diagram
h takes 2 n-bit input strings x1 and x2 and produces an n-bit output string y
diagram: slide 10, set 11
What type of function is Merkle-Damgård?
an iterated hash fuction
Explain Merkle-Damgård construction and give the diagram
1) Break message m into n-bit blocks m1 || m2 || … ||ml
2) Add padding and an encoding of the length of m –> this process may or may not add one block (depends if needed)
3) Input each block into compression function h along with chained output –> use IV to get started
Diagram: slide 11, set 11
What security does using Merkle-Damgård construction provide?
if compression function h is collision-resistant then hash function H is collision-resistant
What are the security weaknesses of Merkle-Damgård construction?
1) length extension attacks: once there is one collision, easy to find more
2) second preimage attacks not as hard as they should be
3) collisions for multiple messages: found without much more difficulty than collisions for 2 messages
What are examples of where Merkle-Damgård construction is used?
MD5, SHA-1, SHA-2 family
When was the MDx family used and who proposed it?
Proposed by Ron Rivest and widely used in the 90s
What are the deployed family members in the MDx family?
MD2, MD4 and MD5
What is size of the output in the MDx family and comment on its security
128-bit output
too small bits to be secure, should be 256
Which family members in the MDx family are broken?
ALL –> real collisions have been found
What does SHA stand for?
Secure hash algorithm
What is SHA based on?
MDx family design but has a more complex design and larger output of 160 bits
Has SHA-0 been broken?
yes
Has SHA-1 been broken?
yes
Why was the SHA-2 family developed?
in response to (real and theoretical) attacks onMD5 and SHA-1
What standard is SHA-2 in?
FIPS PUB 180-4 (Aug. 2015).
What is the hash size, block size and security match for SHA-224? Comment on if it is okay to use today
Hash size: 224 bits
Block size: 512 bits
Security match: 2 key 3DES
Hash size is too small so DON’T use
What is the hash size, block size and security match for SHA-512/224? Comment on if it is okay to use today
Hash size: 224 bits
Block size: 1024 bits
Security match: 2 key 3DES
Hash size is too small so DON’T use
What is the hash size, block size and security match for SHA-256? Comment on if it is okay to use today
Hash size: 256 bits
Block size: 512 bits
Security match: AES-128
Okay to use
What is the hash size, block size and security match for SHA-512/256? Comment on if it is okay to use today
Hash size: 256 bits
Block size: 1024 bits
Security match: AES-128
Okay to use
What is the hash size, block size and security match for SHA-384? Comment on if it is okay to use today
Hash size: 384 bits
Block size: 1024 bits
Security match: AES-192
Okay to use
What is the hash size, block size and security match for SHA-512? Comment on if it is okay to use today
Hash size: 512 bits
Block size: 1024 bits
Security match: AES-256
Okay to use
Comment on the message length field in terms of the SHA-2 family
64 bits when block length is 512 bits
128 bits when block length is 1024 bits
Comment on the padding used in SHA-2 family
always at least one bit of padding
There is an exact number of complete blocks, so:
1) After the 1st bit “1”, enough bits “0” are added.
2) Length field is then added (encoded)
Adding the padding and length field sometimes add an extra block, and sometimes does not –> depends on original message length
How and why was SHA-3 created?
attacks on MDx and SHA families as all based on same design
NIST competition –> Kecak (SHA-3) chosen which does not use a compression function, instead SPONGE function
What standard is SHA-3 (Keccak) in?
FIPS PUB 202 (Aug. 2015)
Why is applying a hash function NOT encryption?
1) hash computation does NOT depend on key
2) not possible to go backwards to find input in general –> linked blocks so difficult to update too
What do hash functions help provide?
data authentication, but not providing it alone!
Authenticating the hash of a message to authenticate the message
How and where are users’ passwords stored?
on server using hash functions, store salted hashes of passwords
How are salted hashes of passwords created?
1) pick random salt
2) compute h = H(pw, salt)
3) store (salt, hash)
Is it easy to check entered password for a user? If so, how?
h = H(pw’, salt)?
Comment on the hardness of recovering password pw from hash h
Hard to recover, assuming that H is preimage resistant (at least)
What would an attack need to store in order to recover a user’s password?
a different dictionary for EACH salt
What can be used to slow down password guessing?
slower hash function
What is the purpose of MAC?
It is a cryptographic mechanism to ensure message integrity:
What are the inputs and outputs of MAC?
Inputs: message M of arbitrary length, secret key K
Output: (short) fixed-sized tag T=MAC(M,K)
Outline how Alice sends a tag T and Bob use this info
1) Alice, the sender, appends the tag T to the message M (in the clear).
2) Bob, the recipient, computes T’ = MAC(M’,K) with the received message M’, and checks whether T = T’
Define unforgeability i.t.o MAC’s properties
it is not feasible to produce a valid pair(M,T) s.t. T = MAC(M,K) without knowledge of K
Define unforgeability under chosen message attack: i.t.o MAC’s properties
The attacker has access to a forging oracle (can compute valid tag) s.t. on input any message M of the attacker’s choice, the oracle outputs the tag T = MAC(M,K)
The attacker should not be able to produce a valid forgery that was not asked to the oracle (has not seen message for tag)
What does HMAC stand for?
MAC from hash function
When was HMAC proposed and by who?
Proposed by Bellare, Canetti and Krawczyk in 1996
What is HMAC built from?
Built from ANY iterated hash function H
What examples of HMAC usage?
MD5, SHA-1, SHA-256, …
What standard is HMAC in?
FIPS PUB 198-1 (July 2008).
Where is HMAC applied in?
Used in many applications such as TLS and IPSec
What are the 5 components used in constructing a HMAC?
H: iterated cryptographic hash function
M: message to be authenticated
K: key padded with zeros to be of block size of H
opad: fixed string 0x5c5c5c…5c
ipad: fixed string 0x363636…36
What does || mean?
concatenation of bit strings
Give the formula for computing HMAC(M,K)
HMAC(M,K) = H((K ⊕ opad) || H((K ⊕ ipad) || M))
How many times is the hash function applied in the formula for HMAC(M,K)?
twice
When is HMAC secure?
If:
1) either H is collision resistant
2) or H is a pseudorandom function
What type of attacks is HMAC design to resist?
length extension attacks, even if H is a Merkle-Damgård hash function
What is HMAC often used as?
pseudorandom function for deriving keys in cryptographic protocols
Let Alice and Bob share a key K.
Alice wants to send to Bob a message M with confidentiality and authenticity/integrity.
What are the options to do so?
1) Split K into 2 parts K1 and K2, encrypt with K1 (confidentiality) and use K2 with a MAC (authenticity/integrity)
2) Use the authentication encryption algorithm providing both confidentiality and authenticity/integrity
What are three options for combining encryption and MAC?
1) Encrypt and MAC
2) MAC then encrypt
3) Encrypt then MAC
What is the encrypt-and-MAC option?
encrypt M, apply MAC to M, and send the ciphertext C and the tag T
What is the MAC-then-encrypt option?
apply MAC to M, then encrypt M||T, and send the ciphertext C
What is the encrypt-then-MAC option?
encrypt M, apply MAC to the ciphertext C, and send C and the tag T
Which option out of the following is the safest and most secure approach?
1) Encrypt and MAC
2) MAC then encrypt
3) Encrypt then MAC
Encrypt and MAC
Give the steps in the encrypt and MAC option for combining encryption and MAC
1) C = Enc(M,K1)
2) T = MAC(C, K2)
3) Send C||T
What option for combining encryption and MAC is used in older versions of TLS SSL 3, TLS 1.0 and 1.1)?
What does this mean?
MAC-then-encrypt construction
Several security vulnerabilities.
What authenticatoin methods are used in TLS 1.2 and 1.3?
Combined authentication encryption modes
–> supporting CCM and GCM modes of operation for block ciphers
–> allowing data to be only authenticated (not encrypted) with authenticated encryption wit associated data (AEAD)
What does AEAD stand for?
authenticated encryption wit associated data
What does GCM stand for?
Galois counter mode
Explain what is meant by CTR being a synchronous stream cipher
1) a counter is initialized using a randomly chosen nonce N
2) keystream generated by encrypting successive values of the counter
How is the keystream generated in CTR?
Ot = E(Tt, K) where Tt = N||t is the concatenation of N and block number t
–> encryption applied on counter (nonce N)
Give the diagram for CTR mode for block ciphers
Slide 30 in set 11
What is the encryption formula to produce Ct?
Ct = Ot ⊕ Pt
What is the decryption formula to produce Pt?
Pt = Ot ⊕ Ct
Is CCM suitable for processing streaming data? Why?
NO
Formatting function for N, A, P requires knowledge of length of A and P
What limitation of CCM does GCM overcome?
Needing to know the size of A and P for CCM
What standard is GCM in?
NIST SP-800 38D
Which is faster?
AES with GCM or AES with HMAC
Why?
AES with GCM is faster
Hardware support of AES and carry-less addition in modern Intel chips
What is the algorithm for GCM?
Combining CTR mode on block cipher E (e.g. AES but could be something else) with special keyed hash function GHASH
GHASH uses multiplication in finite field GF(2^(128))
What are the inputs for GCM’s algorithm?
plaintext P, authenticated data A and nonce N
What are the outputs of GCM’s algorithm?
ciphertext C and tag T
What are the lengths lenA of A and lenC of C i.t.o GCM’s algorithm?
64-bit values
–> u and v are minimum numbers of zeros required to expand A and C to complete blocks respectively
What are the length t of T and length of N i.t.o GCM’s algorithm?
Length t of T is 128 bits and length of N is 96 bits
What is the initial block i.t.o GCM’s algorithm?
J0 = N || 0^(31) || 1
What does the function inc32 do i.t.o GCM’s algorithm?
increments the 32 MSB (most sig bit) of input string by 1 modulo 2^32
Explain the diagram for the GCM algorithm on slide 33 in set 11
TODO
Explain the diagram for the GCM algorithm on slide 34 in set 11
TODO
I.t.o decryption in GCM, what are the elements transmitted by Bob, the recipient?
ciphertext C
nonce N
tag T
authenticated data A
Explain the decryption process in GCM
1) bob computes the tag T’ using the shared key K and received C, N, A
2) bob compares T’ with received T:
- -> If T’ ≠ T the output “invalid”
- -> if T’ = T then the plaintext P is computed by generating the same keystream from CTR mode as for encryption
XOR to get plaintext
