W4 Flashcards
What do stream ciphers NOT protect?
How can this be achieved instead?
How are these defined?
The integrity of messages
Through Message Authentication Codes (MACs)
Using hash functions
Are Message Authentication codes symmetric-key or dual-key?
What is the downside of this?
Symmetric key
The receiver is convinced of the authenticity of the message but cannot convince a third party of it as well
What is a cryptographic hash function?
What three types of resistance does it need to provide?
A mapping that maps an arbitrary length string to a fixed length string
Pre-image resistance, Second pre-image resistance, and collision resistance
What is meant by preimage resistance?
The property of a hash function that makes it computationally infeasible to find any input x that hashes to a given output h(x)
What is meant by second preimage resistance?
The property of a hash function that makes it computationally infeasible to find another input x’ that hashes to the same output as x
What is meant by collision resistance?
The property of a hash function that makes it computationally infeasible to find any two distinct inputs x ≠ y that hash to the same output
For an output of a hash function with n bits, how many trials to find a preimage or second preimage?
How about a collision?
O(2^n)
O(2^{n/2})
What is the hamming weight hash function?
Simple hash function that outputs the number of 1s in a binary string
What is the Merkle Damgard design?
What function does it use?
What are the steps involved in it?
Method for creating cryptographic hash functions that process messages of any length into fixed-size outputs.
Compression Function C that combines a fixed-size block of the message and an intermediate hash value (chaining value) to produce a new hash value.
The chaining values can come from the previous block or be the IV for the first block.
- The message is padded to ensure the message length is a multiple of the block size.
- Message is split into n-bit blocks
- Each block is processed using the compression function: H_i = C(H_{i-1}, M_i)
- The final hash value from the last iteration is output.
How do MAC functions work?
A and B share a key k for authenticity protection.
MAC computes a short tag on message and k:
MAC(m, k) = t
It is a cryptographic checksum.
What are the motivations for MAC?
Encryption requires integrity protection, as flipping a bit in the ciphertext means flipping a bit in the plaintext
How is MAC used alongside a ciphertext?
Send the ciphertext c along with a Message Authentication Code (MAC), H(m), computed using the original plaintext m and a shared secret key.
This ensures that the MAC is tied to both the plaintext and the key, making it impossible for an attacker to forge or modify without knowledge of the key.
The receiver verifies the MAC by decrypting c to obtain m and recomputing H(m) to ensure it matches the received MAC, thereby guaranteeing both message authenticity and integrity.
What is a simple MAC?
Why is Simple MAC insecure when using Merkle-Damgard hash functions?
What are the fixes for this insecurity?
A Simple MAC is defined as:
MAC(c,k)=H(k,c), where k is the secret key, c is the message or ciphertext, and H is a cryptographic hash function.
Length-Extension Attack: because Merkle-Damgard hash functions process the input iteratively, an attacker who knows H(k,c) can extend the input and continue the hash computation without knowing k.
Use fixed padding at the end of the message.
Switch to hash function not based on Merkle-Damgard.
Use Encrypt-then-MAC for added security
How does HMAC deal with issues such as length-extension attacks or collisions in H ?
By putting k at beginning and end
Also uses two different padding strings
What is an attacker requirement for the security of MACs?
The attacker sees pairs (m_i, t_i) with t_i = MAC(m_i, k_auth) and shouldn’t be able to produce any other valid pair (m’, t’) with t’ = MAC(m’, k_auth) such that (m’, t’) != (m_i, t_i) for every observed i, without knowing k_auth
What is the issue with iterative hash functions and colliding messages?
If an attacker finds two distinct messages m ≠ m’ such that H(m) = H(m’), the collision extends to concatenated inputs: H(m || x) = H(m’ || x).
This allows the attacker to forge valid hashes for extended messages without detection, compromising integrity.
To mitigate, use collision-resistant hash functions, HMAC, or non-iterative designs like sponge constructions.
What is a block cipher?
A block cipher encrypts fixed-size blocks of messages:
Enc:{0,1}^n×{0,1}^l→{0,1}^n, where n is the block size, l is the key size, and Enc(m,k)=c.
It is invertible for a fixed key k, meaning:
Dec(Enc(m,k),k)=m.
This ensures that encrypted blocks can be decrypted back to the original message using the same key.
What is DES?
What type of cipher is DES?
How are the left and right halves updated in DES?
What happens at the start and end of DES?
How is the key handled in DES?
How does the function f_i work in DES?
What role do S-boxes play in DES?
What happens after all rounds in DES?
DES (Data Encryption Standard) is an example of a block cipher that encrypts 64-bit blocks of data using a 56-bit key in an invertible manner
DES is a Feistel cipher, where a 64-bit block is split into a left half (32 bits) and a right half (32 bits). The halves are processed iteratively, with the right half used to encrypt the left half in each round.
For each round i:
L_i = R_{i-1}, R_i = L_{i-1} ⊕ f_i(R_{i-1}), where f_i is a function that depends on the round key k_i.
At the beginning, the input is permuted using the initial permutation (IP). At the end, the bits are permuted again using the final permutation (FP), which is the inverse of IP.
The 64-bit key is reduced to 56 bits (8 bits are used for parity), then expanded into 16 subkeys, k_1, k_2, …, k_16, each 48 bits, for the 16 rounds of DES.
The function f_i:
1. Expands the 32-bit R_{i-1} to 48 bits.
2. XORs it with the round key k_i
3. Splits the result into 8 blocks of 6 bits.
4. Passes each block through an S-box, reducing it to 4 bits.
5. Combines and permutes the 32 resulting bits.
S-boxes substitute 6-bit inputs with 4-bit outputs to add non-linearity to the encryption process, making it resistant to linear attacks.
After the 16th round, the left and right halves are swapped, permuted using the final permutation (FP), and the 64-bit ciphertext is output.
What is ECB mode in cryptography?
How does ECB divide and process plaintext?
What is the encryption and decryption formula in ECB?
Why is ECB considered insecure for structured data?
What are the main drawbacks of ECB?
What is an example of a block cipher that can use ECB?
ECB (Electronic Code Book) is a mode of operation for block ciphers, where each plaintext block is independently encrypted or decrypted using the same key.
The plaintext is divided into fixed-sized blocks (e.g., 128 bits), and each block is encrypted or decrypted independently using the same key.
Encryption:
Ciphertext_i = E_k(Plaintext_i)
Decryption:
Plaintext_i = D_k(Ciphertext_i)
where E_k is the encryption function and D_k is the decryption function, both using the same key k.
ECB is insecure for structured data because identical plaintext blocks produce identical ciphertext blocks, revealing patterns in the plaintext.
Does not hide data patterns, making it vulnerable to cryptanalysis.
Ineffective for encrypting highly structured or repetitive data.
AES or DES can operate in ECB mode, but it is typically not recommended due to its security weaknesses.
What is Cipher Block Chaining (CBC)?
How does CBC encryption and decryption work?
What is the role of the Initialization Vector (IV) in CBC?
How does a change in plaintext M_i affect CBC encryption?
A change in M_i affects both C_i and all subsequent ciphertext blocks C_{i+1}, C_{i+2}, …
How does a change in ciphertext C_i affect CBC decryption?
Why is CBC preferred over ECB?
CBC is a classical mode of operation for block ciphers where each plaintext block is XORed with the previous ciphertext block before encryption.
Encryption:
C_i = E_k(P_i ⊕ C_{i-1})
where C_0 is the Initialization Vector (IV).
Decryption:
P_i = D_k(C_i) ⊕ C_{i-1}.
The IV ensures that identical plaintexts encrypt to different ciphertexts, adding randomness to the process.
A change in C_i corrupts both the decrypted plaintext M_i and M_{i+1}.
CBC avoids the main weakness of ECB by ensuring that identical plaintext blocks do not produce identical ciphertext blocks, hiding patterns in the plaintext.