Podcast
Questions and Answers
What does a message authentication code (MAC) provide in a private key setting?
What does a message authentication code (MAC) provide in a private key setting?
In the equation Hk : {0, 1}∗ → {0, 1}n, what does 'k' represent?
In the equation Hk : {0, 1}∗ → {0, 1}n, what does 'k' represent?
What does Alice do after computing the MAC of the message?
What does Alice do after computing the MAC of the message?
Which of the following describes a chosen-message attack?
Which of the following describes a chosen-message attack?
Signup and view all the answers
What is existential forgery in the context of MAC security?
What is existential forgery in the context of MAC security?
Signup and view all the answers
What is a primary property of cryptographic hash functions that differentiates them from unkeyed hash functions?
What is a primary property of cryptographic hash functions that differentiates them from unkeyed hash functions?
Signup and view all the answers
What is a characteristic of a secure MAC?
What is a characteristic of a secure MAC?
Signup and view all the answers
What does a keyed hash function use in addition to a message to generate a hash value?
What does a keyed hash function use in addition to a message to generate a hash value?
Signup and view all the answers
What does Bob check upon receiving the message and tag from Alice?
What does Bob check upon receiving the message and tag from Alice?
Signup and view all the answers
What distinguishes selective forgery from existential forgery?
What distinguishes selective forgery from existential forgery?
Signup and view all the answers
Which property of a hash function ensures that it is computationally hard to find two different inputs that produce the same output?
Which property of a hash function ensures that it is computationally hard to find two different inputs that produce the same output?
Signup and view all the answers
In a message authentication code (MAC), what is the role of the verification algorithm V?
In a message authentication code (MAC), what is the role of the verification algorithm V?
Signup and view all the answers
Which of the following statements about unkeyed hash functions is false?
Which of the following statements about unkeyed hash functions is false?
Signup and view all the answers
What is a correct application of the function S in a MAC?
What is a correct application of the function S in a MAC?
Signup and view all the answers
In a keyed hash function, what should be true for distinct keys k1 and k2 when hashing the same message?
In a keyed hash function, what should be true for distinct keys k1 and k2 when hashing the same message?
Signup and view all the answers
What is the main purpose of the key generation algorithm G in a MAC?
What is the main purpose of the key generation algorithm G in a MAC?
Signup and view all the answers
What is the probability of successfully guessing Hk(m) when assuming Hk() is a random function?
What is the probability of successfully guessing Hk(m) when assuming Hk() is a random function?
Signup and view all the answers
In an exhaustive search for key k, what is the expected number of keys such that all r message-tag pairs are verified?
In an exhaustive search for key k, what is the expected number of keys such that all r message-tag pairs are verified?
Signup and view all the answers
What does the expression Hk(m) = h(k||m) represent in the context of Message Authentication Codes?
What does the expression Hk(m) = h(k||m) represent in the context of Message Authentication Codes?
Signup and view all the answers
What type of attack can be executed if the underlying hash function has a Merkle-Damgård construction and k is one block in length?
What type of attack can be executed if the underlying hash function has a Merkle-Damgård construction and k is one block in length?
Signup and view all the answers
What type of forgery is possible when given (m, Hk(m)) and the length of k?
What type of forgery is possible when given (m, Hk(m)) and the length of k?
Signup and view all the answers
Which statement is true regarding SHA-3 in relation to extension attacks?
Which statement is true regarding SHA-3 in relation to extension attacks?
Signup and view all the answers
What additional method is hinted at with the expression Hk(m) = h(k||m||k)?
What additional method is hinted at with the expression Hk(m) = h(k||m||k)?
Signup and view all the answers
What is the main concern when trying to create a MAC from an unkeyed hash function?
What is the main concern when trying to create a MAC from an unkeyed hash function?
Signup and view all the answers
What does the MAC tag in the message creation process consist of?
What does the MAC tag in the message creation process consist of?
Signup and view all the answers
Which method of authenticated encryption is considered the preferred approach?
Which method of authenticated encryption is considered the preferred approach?
Signup and view all the answers
Which of the following modes are specifically mentioned for authenticated encryption?
Which of the following modes are specifically mentioned for authenticated encryption?
Signup and view all the answers
What does Galois/Counter mode primarily provide?
What does Galois/Counter mode primarily provide?
Signup and view all the answers
What is a significant characteristic of the ChaCha20-Poly1305 algorithm?
What is a significant characteristic of the ChaCha20-Poly1305 algorithm?
Signup and view all the answers
In the encrypt-and-MAC method, what does the message combine with?
In the encrypt-and-MAC method, what does the message combine with?
Signup and view all the answers
What role does the nonce play in the authentication process?
What role does the nonce play in the authentication process?
Signup and view all the answers
Which of the following encryption approaches is utilized in SSL/TLS?
Which of the following encryption approaches is utilized in SSL/TLS?
Signup and view all the answers
What is the function of HMAC in message authentication?
What is the function of HMAC in message authentication?
Signup and view all the answers
Which hash function is mentioned as being too weak for MACs?
Which hash function is mentioned as being too weak for MACs?
Signup and view all the answers
Which of the following protocols uses HMAC for security?
Which of the following protocols uses HMAC for security?
Signup and view all the answers
What is the basis for the security of HMAC?
What is the basis for the security of HMAC?
Signup and view all the answers
Which mode of operation is generally associated with block cipher MACs?
Which mode of operation is generally associated with block cipher MACs?
Signup and view all the answers
Which of the following is NOT a type of MAC based on block ciphers?
Which of the following is NOT a type of MAC based on block ciphers?
Signup and view all the answers
What is one example of a MAC that can be built using a block cipher?
What is one example of a MAC that can be built using a block cipher?
Signup and view all the answers
Which RFC is associated with HMAC?
Which RFC is associated with HMAC?
Signup and view all the answers
Study Notes
Applied Cryptography & Authentication
- This presentation covers Keyed Hash Functions & MACs.
- A hash function maps binary strings of any length to strings of fixed length.
- Hash functions require easy computation and compression.
- Cryptographic hash functions also require pre-image resistance, second pre-image resistance, and collision resistance.
- Unkeyed hash functions produce data integrity.
- Data integrity is verified by the hash of a message, as long as the compared hash is unchanged.
- Keyed hash functions utilize a secret key and a message for input.
- For a given key, the hash value remains constant for any repeated input.
- Different keys will always produce different hash values, except for a few messages.
Keyed Hash Functions
- Keyed hash functions use a secret key in addition to a message as input.
- For a given key, a keyed hash function generates the same hash value every time it's called for a given message.
- Two distinct keys produce distinct hash values except for a limited number of messages.
- Cryptographic algorithms often use keyed hash functions (e.g., MACs, PRFs).
Message Authentication Codes (MACs)
- A MAC is a triple of efficient algorithms (G, S, V).
- G generates a key with a security parameter.
- S generates a tag given a key and message.
- V verifies a given tag, message, and key, returning accept or reject.
- For all messages m and keys k, V(k, m, S(k, m)) must return 'accept'.
- MACs offer data integrity and data origin authentication in private key scenarios.
- The MAC function is parametrized by k (a key).
- hₖ(m) is the MAC or tag of the message m.
- Alice and Bob can verify message origin and integrity using a shared secret key k.
Security of MACs
- Alice and Bob know k.
- Eve doesn't know k.
- Eve can receive polynomially many tags for chosen messages using an oracle access to Hₖ( ).
- Eve tries to generate a valid message/tag pair (m', t') without knowing k as a chosen-message attack.
- A secure MAC prevents computationally feasible generation of a new message-tag pair for any new message.
- Security is based on the security of the hash function used.
- MACs can be forged using weak hash functions
- MACs are used in TLS (transport layer security)
- MACs are used in IPsec (Internet Protocol security).
Generic Attacks on MACs
- Choose y in (0,1)^n, guess Hk(m)=y
- Probability of success is 2^(-n) if Hₖ( ) is a random function
- Exhaustive search for key k, given r message-tag pairs.
- Test each possible key k by verifying each pair.
- The expected number of keys that verify all r pairs is 2^(l-nr) if Hₖ( ) is random.
- (where l = key length, n = number of bits).
Making a MAC from an Unkeyed Hash Function
- Hₖ(m) = h(k||m) (secret prefix MAC)
- If the underlying hash function has a Merkle-Damgård construction and k is the length of one block, then Hₖ(m) can be subject to a chosen message attack that recovers Hₖ( ).
- A hash function with a Merkle-Damgård construction is vulnerable when k is one block in length.
- First, find a collision x₁, x₂ for the hash function; then mount a chosen-message attack by asking for MAC(x₁), which will also be MAC(x₂).
- Hₖ(m) = h(m||k) (secret sufix MAC), and if the underlying hash function has Merkle-Damgård construction, then security is compromised if k is one block in length.
HMAC (Keyed-Hash Message Authentication Code)
- HMAC(k, m) = h((k + opad) || h((k + ipad) \ m)).
- Security of HMAC relies on its underlying hash function.
- HMAC can be vulnerable to forgeries if a weak hash function is used.
- MACs using MD4 are weak and forgeable.
- HMACs are used in TLS (transport layer security) and IPsec (Internet Protocol security).
- RFC 2104 and FIPS 198-1 provide HMAC specifications.
Block Cipher MACs
- CBC-MAC, ECB-MAC, and other related MACs use block cipher encryption modes like CBC, and are used in many applications.
- CBC-MAC is based on CBC mode encryption and utilizes an initialization vector (IV) of zero.
- For fixed message lengths, security is based on the underlying block cipher.
- EMAC (Encrypted MAC) improves upon CBC-MAC by encrypting the output multiple times using a change of keys, allowing it to work with arbitrary message lengths.
- Other MACs include XCBC-MAC, CMAC, and OMAC.
Authenticated Encryption
- Authenticated encryption combines confidentiality, integrity, and data origin authentication.
- Encrypt-then-mac (preferred).
- Authenticate before encrypt (for example a TLS 1.3).
- Recent addition to TLS (and DTLS), also found in SSHv2.
- Encrypt-and-mac
- Mac-then-encrypt
- Authenticated Encryption (AE) modes for block ciphers such as CCM, CWC, OCB, EAX, and GCM.
- Galois/Counter mode (GCM) is a mode of AE for block ciphers used in TLS/SSL for achieving authentication of encrypted data.
- ChaCha20-Poly1305, described in RFC 8439, uses a 256-bit key and 96-bit nonce to combine ChaCha20 and poly1305 for data.
AEAD (Authenticated Encryption with Associated Data)
- AEAD enables authentication of both encrypted data and associated data (plaintext).
- Protocols like TLS 1.3 support AEAD modes (AES-GCM, AES-CCM).
- Other examples of AEADs, include Ghost R 34.12 2015 and ChaCha20-Poly1305.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
Test your knowledge on Message Authentication Codes (MAC) and their properties in cryptographic systems. This quiz covers fundamental concepts such as keyed hash functions, chosen-message attacks, and the distinctions between different forgery types. Perfect for anyone studying cryptography or security protocols.