MAC Security and Hash Functions Quiz
40 Questions

Questions and Answers

What does a message authentication code (MAC) provide in a private key setting?

  • Data validation and key sharing
  • Data encryption and key generation
  • Data integrity and data origin authentication (correct)
  • Data confidentiality and data integrity

In the equation Hₖ : {0, 1}* → {0, 1}^n, what does 'k' represent?

  • An n-bit key (correct)
  • The number of messages
  • The length of the message
  • The output size of the hash function

What does Alice do after computing the MAC of the message?

  • Sends the message only
  • Sends both the message and the MAC to Bob (correct)
  • Encrypts the message and sends it to Bob
  • Stores the MAC locally

Which of the following describes a chosen-message attack?

  • An attacker requests tags for messages they select (A)

What is existential forgery in the context of MAC security?

  • Generating a valid message-tag pair for any message (A)

What is a primary property of cryptographic hash functions that differentiates them from unkeyed hash functions?

  • Preimage resistance (C)

What is a characteristic of a secure MAC?

  • It prevents creation of new message-tag pairs with high probability (A)

What does a keyed hash function use in addition to a message to generate a hash value?

  • A secret key (C)

What does Bob check upon receiving the message and tag from Alice?

  • If the received tag is equal to Hk(m0) (C)

What distinguishes selective forgery from existential forgery?

  • Selective forgery focuses on a chosen message only (A)

Which property of a hash function ensures that it is computationally hard to find two different inputs that produce the same output?

  • Collision resistance (C)

In a message authentication code (MAC), what is the role of the verification algorithm V?

  • To confirm the authenticity of the message (A)

Which of the following statements about unkeyed hash functions is false?

  • They require a secret key for computation. (B)

What is a correct application of the function S in a MAC?

  • Creating a tag for a message using a key. (B)

In a keyed hash function, what should be true for distinct keys k1 and k2 when hashing the same message?

  • hk1(m) should not equal hk2(m) for most messages (D)

What is the main purpose of the key generation algorithm G in a MAC?

  • To generate a key with a security parameter. (D)

What is the probability of successfully guessing Hk(m) when assuming Hk() is a random function?

  • 2^(-n) (D)

In an exhaustive search for key k, what is the expected number of keys such that all r message-tag pairs are verified?

  • 2^(n - nr) (A)

What does the expression Hk(m) = h(k||m) represent in the context of Message Authentication Codes?

  • secret prefix MAC (B)

What type of attack can be executed if the underlying hash function has a Merkle-Damgård construction and k is one block in length?

  • chosen-message attack (B)

What type of forgery is possible when given (m, Hk(m)) and the length of k?

  • selective forgery (C)

Which statement is true regarding SHA-3 in relation to extension attacks?

  • SHA-3 does not admit extension attacks. (C)

What additional method is hinted at with the expression Hk(m) = h(k||m||k)?

  • sandwich method (C)

What is the main concern when trying to create a MAC from an unkeyed hash function?

  • selective forgery potential (B)

What does the MAC tag in the message creation process consist of?

  • Polynomial coefficients combined with AES encryption (C)

Which method of authenticated encryption is considered the preferred approach?

  • Encrypt-then-MAC (C)

Which of the following modes are specifically mentioned for authenticated encryption?

  • CCM, CWC, OCB, EAX, GCM (B)

What does Galois/Counter mode primarily provide?

  • Data integrity and confidentiality (D)

What is a significant characteristic of the ChaCha20-Poly1305 algorithm?

  • It encrypts plaintext using a 256-bit key and a 96-bit nonce. (C)

In the encrypt-and-MAC method, what does the message combine with?

  • The plaintext and its MAC (D)

What role does the nonce play in the authentication process?

  • It ensures the uniqueness of encryption for every tag. (A)

Which of the following encryption approaches is utilized in SSL/TLS?

  • MAC-then-encrypt only (C)

What is the function of HMAC in message authentication?

  • It generates a keyed hash to verify message integrity. (B)

Which hash function is mentioned as being too weak for MACs?

  • MD4 (D)

Which of the following protocols uses HMAC for security?

  • TLS (A)

What is the basis for the security of HMAC?

  • The security of the hash function employed. (C)

Which mode of operation is generally associated with block cipher MACs?

  • CBC (Cipher Block Chaining) mode (D)

Which of the following is NOT a type of MAC based on block ciphers?

  • HMAC (A)

What is one example of a MAC that can be built using a block cipher?

  • OMAC (C)

Which RFC is associated with HMAC?

  • RFC 2104 (D)

Flashcards

Keyed Hash Function

A cryptographic hash function that uses a secret key in addition to the message as input.

MAC (Message Authentication Code)

A cryptographic method that verifies both the data's integrity and authenticity.

MAC Algorithm (G, S, V)

A triple of algorithms used for MACs: key generation (G), signing (S), and verification (V).

Key Generation Algorithm (G)

Algorithm that generates a secret key for MAC.

Signing Algorithm (S)

Creates a MAC (tag) using the message and key.

Verification Algorithm (V)

Checks if a given MAC (tag) is valid for a given key and message.

Data Integrity

Ensuring data hasn't been altered during transmission or storage.

Correctness Property of MAC

Verifying the tag correctly matches the message and key.

Message Authentication Code (MAC)

A MAC is a mechanism to verify the integrity and authenticity of a message. It ensures that the message received is the same that was sent and hasn't been tampered with.

Secret Prefix MAC

A MAC where the secret key is prepended to the message before hashing.

Secret Suffix MAC

A MAC where the secret key is appended to the message after hashing.

Collision Attack

A method to find two different inputs (messages) that produce the same hash output.

Hash Function

A one-way function that converts any input message to a fixed-size output (hash).

Merkle-Damgård Construction

A common technique in hash function design to create a secure hash function by processing the input data in blocks.

Selective Forgery

A type of attack that allows an attacker to produce a valid message-authentication tag pair for a new message, knowing some authenticated pairs.

Envelope/Sandwich MAC

A MAC method, where the secret key is placed between the message sections.

MAC Function (Hk)

A cryptographic function that takes a message (m) and a key (k) as input and produces a MAC or tag.

Secret Key in MAC

The shared key between sender (Alice) and receiver (Bob) used by the MAC function.

MAC computation

A process where Alice computes a tag (t) using the MAC function on the message (m) and the shared key.

MAC Verification

Bob receives the message-tag pair and uses the same MAC function with the shared key to verify the tag is correct.

Chosen-Message Attack

An attack where the attacker (Eve) can obtain the MAC of multiple messages of her choice.

Existential Forgery

An attack where an adversary creates a valid message-tag pair for any message without knowing the key.

Security of MAC

A MAC is considered secure if it’s computationally infeasible for an attacker to create a valid message-tag pair for a new message given previously observed pairs.

HMAC

A keyed-hash message authentication code that uses a hash function to create a message authentication code.

HMAC Security

The security of HMAC relies on the security of the underlying hash function used.

CBC-MAC

A block cipher MAC using the Cipher Block Chaining (CBC) mode of encryption.

EMAC

An authenticated encryption mode of block ciphers.

Block Cipher MACs

MAC algorithms that use block ciphers for authentication and integrity.

MAC

Message Authentication Code; verifies both the integrity and authenticity of a message.

XCBC-MAC

A block cipher MAC algorithm.

CMAC

Another block cipher MAC algorithm.

What does Authenticated Encryption provide?

Authenticated Encryption provides confidentiality, data integrity, and data origin authentication. This means it protects the secrecy, ensures data hasn't been tampered with, and verifies who sent the data.

What is the most common way to do Authenticated Encryption?

The most common and preferred method is encrypt-then-MAC. This means encrypting the message and then generating a MAC for the encrypted message.

What is the purpose of the key in Poly1305?

The key (k, r) consists of a 16-byte AES key (k) and a 16-byte secret number (r). The AES key is used for encryption, and the secret number (r) is used for MAC calculations to ensure data integrity.

What is a nonce in Poly1305?

A nonce (n) is a unique 16-byte number used for each tag. It helps prevent replay attacks because it changes for each message.

How is a message processed in Poly1305?

The message (m) is converted into polynomial coefficients (ci). This representation is needed for the MAC calculation.

How is the MAC tag calculated in Poly1305?

The MAC tag is calculated using a combination of polynomial operations, modular arithmetic, and AES encryption. It involves multiplying polynomial coefficients with r, applying modulo, and then encrypting with the AES key.

What are some other popular authenticated encryption modes?

Besides Poly1305, other popular AE modes are CCM, CWC, OCB, EAX, and GCM. These modes offer different features and strengths.

What does the ChaCha20-Poly1305 algorithm use?

ChaCha20-Poly1305 uses a 256-bit key and a 96-bit nonce to encrypt a plaintext. ChaCha20 is used in counter mode to generate a key stream that is XORed with the plaintext.

Study Notes

Applied Cryptography & Authentication

  • This presentation covers Keyed Hash Functions & MACs.
  • A hash function maps binary strings of any length to strings of fixed length.
  • Hash functions require easy computation and compression.
  • Cryptographic hash functions also require pre-image resistance, second pre-image resistance, and collision resistance.
  • Unkeyed hash functions produce data integrity.
  • Data integrity is verified by the hash of a message, as long as the compared hash is unchanged.
  • Keyed hash functions utilize a secret key and a message for input.
  • For a given key, the hash value remains constant for any repeated input.
  • Different keys will always produce different hash values, except for a few messages.

Keyed Hash Functions

  • Keyed hash functions use a secret key in addition to a message as input.
  • For a given key, a keyed hash function generates the same hash value every time it's called for a given message.
  • Two distinct keys produce distinct hash values except for a limited number of messages.
  • Cryptographic algorithms often use keyed hash functions (e.g., MACs, PRFs).

Message Authentication Codes (MACs)

  • A MAC is a triple of efficient algorithms (G, S, V).
  • G generates a key with a security parameter.
  • S generates a tag given a key and message.
  • V verifies a given tag, message, and key, returning accept or reject.
  • For all messages m and keys k, V(k, m, S(k, m)) must return 'accept'.
  • MACs offer data integrity and data origin authentication in private key scenarios.
  • The MAC function is parametrized by k (a key).
  • hₖ(m) is the MAC or tag of the message m.
  • Alice and Bob can verify message origin and integrity using a shared secret key k.

Security of MACs

  • Alice and Bob know k.
  • Eve doesn't know k.
  • Eve can receive polynomially many tags for chosen messages using oracle access to Hₖ( ).
  • In a chosen-message attack, Eve tries to generate a valid message/tag pair (m', t') without knowing k.
  • A secure MAC prevents computationally feasible generation of a new message-tag pair for any new message.
  • Security is based on the security of the hash function used.
  • MACs can be forged using weak hash functions.
  • MACs are used in TLS (Transport Layer Security).
  • MACs are used in IPsec (Internet Protocol security).

Generic Attacks on MACs

  • Choose y in {0,1}^n and guess Hₖ(m) = y.
  • The probability of success is 2^(-n) if Hₖ( ) is a random function.
  • Exhaustive search for key k, given r message-tag pairs.
  • Test each possible key k by verifying each pair.
  • The expected number of keys that verify all r pairs is 2^(l-nr) if Hₖ( ) is random (where l = key length, n = number of bits).

Making a MAC from an Unkeyed Hash Function

  • Hₖ(m) = h(k||m) (secret prefix MAC)
  • If the underlying hash function has a Merkle-Damgård construction and k is the length of one block, then Hₖ(m) can be subject to a chosen message attack that recovers Hₖ( ).
  • A hash function with a Merkle-Damgård construction is vulnerable when k is one block in length.
  • First, find a collision x₁, x₂ for the hash function; then mount a chosen-message attack by asking for MAC(x₁), which will also be MAC(x₂).
  • Hₖ(m) = h(m||k) (secret suffix MAC): if the underlying hash function has a Merkle-Damgård construction, then security is compromised if k is one block in length.

HMAC (Keyed-Hash Message Authentication Code)

  • HMAC(k, m) = h((k ⊕ opad) || h((k ⊕ ipad) || m)).
  • Security of HMAC relies on its underlying hash function.
  • HMAC can be vulnerable to forgeries if a weak hash function is used.
  • MACs using MD4 are weak and forgeable.
  • HMACs are used in TLS (transport layer security) and IPsec (Internet Protocol security).
  • RFC 2104 and FIPS 198-1 provide HMAC specifications.

Block Cipher MACs

  • CBC-MAC, ECB-MAC, and other related MACs use block cipher encryption modes like CBC, and are used in many applications.
  • CBC-MAC is based on CBC mode encryption and utilizes an initialization vector (IV) of zero.
  • For fixed message lengths, security is based on the underlying block cipher.
  • EMAC (Encrypted MAC) improves upon CBC-MAC by encrypting the output multiple times using a change of keys, allowing it to work with arbitrary message lengths.
  • Other MACs include XCBC-MAC, CMAC, and OMAC.

Authenticated Encryption

  • Authenticated encryption combines confidentiality, integrity, and data origin authentication.
  • Encrypt-then-MAC (preferred).
  • Authenticate before encrypt (for example, TLS 1.3).
  • Recent addition to TLS (and DTLS), also found in SSHv2.
  • Encrypt-and-MAC.
  • MAC-then-encrypt.
  • Authenticated Encryption (AE) modes for block ciphers such as CCM, CWC, OCB, EAX, and GCM.
  • Galois/Counter mode (GCM) is a mode of AE for block ciphers used in TLS/SSL for achieving authentication of encrypted data.
  • ChaCha20-Poly1305, described in RFC 8439, uses a 256-bit key and 96-bit nonce to combine ChaCha20 and Poly1305 for data.

AEAD (Authenticated Encryption with Associated Data)

  • AEAD enables authentication of both encrypted data and associated data (plaintext).
  • Protocols like TLS 1.3 support AEAD modes (AES-GCM, AES-CCM).
  • Other examples of AEADs include GOST R 34.12-2015 and ChaCha20-Poly1305.

Description

Test your knowledge on Message Authentication Codes (MAC) and their properties in cryptographic systems. This quiz covers fundamental concepts such as keyed hash functions, chosen-message attacks, and the distinctions between different forgery types. Perfect for anyone studying cryptography or security protocols.
