Untitled Quiz
48 Questions

Questions and Answers

What is the approximate time it takes for Eve to launch an attack using a hash function with a 64-bit digest?

  • 1 week
  • 1 month
  • 1 hour (correct)
  • 1 day

How many tests does the adversary need to perform a collision attack on MD5?

  • 2^64 (correct)
  • 2^30
  • 2^80
  • 2^32

What is the digest size of the hash function SHA-1?

  • 512 bits
  • 160 bits (correct)
  • 256 bits
  • 128 bits

    What is the primary design difference between SHA-1 and the revised Secure Hash Standard versions?

    The revised versions provide higher security levels.

    How long does it take to launch an attack on SHA-1 assuming the adversary can perform $2^{30}$ tests per second?

    10,000 years

    What size is the digest produced by the new hash function SHA-512?

    512 bits

    How many rounds does the SHA-512 compression function consist of?

    80 rounds

    From what values are the round constants in SHA-512 derived?

    First 80 prime numbers

    Why is a message authentication code (MAC) needed?

    To prove the sender's identity.

    What does a modification detection code (MDC) assure?

    The message has not been modified.

    What is the output size of SHA-512 hash values?

    512 bits

    What is processed in 1024-bit blocks during SHA-512 computation?

    Message data

    What is the approximate number of tests required to find a collision using SHA-512?

    2^256

    Which function is NOT part of the round structure in SHA-512?

    Binary search function

    Which of the following describes the SHA-256 hashing process?

    It is more secure than SHA-1.

    What is the leftmost hexadecimal digit of the result when applying the Majority function on buffers with values 0x7, 0xA, and 0xE?

    0xE

    What is the primary purpose of a message digest (MDC) in message transmission?

    To ensure the message has not changed during transmission

    Which of the following is NOT a concern of message authentication?

    Ensuring message confidentiality

    How does symmetric message encryption contribute to authentication?

    By ensuring only the sender and receiver know the key used

    In public-key encryption, what can provide both secrecy and authentication?

    Signing the message with the sender's private key and encrypting with the recipient's public key

    What happens to the size of a message during the signing and encryption process using public-key encryption?

    The size may double due to encryption and signing overhead

    What security requirement relates to ensuring that a sender cannot deny sending a message?

    Non-repudiation

    Which function is NOT typically used for message authentication?

    Asymmetric encryption

    What is a primary challenge when using public-key encryption for messaging?

    Public-key encryption does not confirm the sender's identity

    What is the primary purpose of using salt in password hashing?

    To deter precomputation attacks

    Which of the following best describes the role of the server in Lamport one-time passwords?

    The server hashes the user's password for verification

    In the context of the Birthday Paradox, what is the implication of a 64-bit hash?

    It can be considered unreliable for generating unique signatures.

    What action does Alice perform when using the Lamport one-time password protocol?

    She sends a hash derived from her password to the server.

    Which mechanism is ineffective for security but reasonable for data integrity checking?

    One-bit circular shift on hash value

    What is a primary feature of the birthday attack as described?

    It can produce valid signatures for both original and forged messages.

    How does the Lamport one-time password protocol enhance security against interception?

    It prevents an attacker from obtaining the password even if they intercept communications.

    What is a limitation of simple hash functions highlighted in the content?

    They offer reasonable data integrity but lack security.

    What is the implication of using a formula like h(M) = M mod n for creating message digests?

    It can lead to a violation of randomness requirements.

    Given that messages are 6 bits long and digests are 4 bits long, what is the conclusion based on the pigeonhole principle?

    At least one digest corresponds to multiple messages.

    How long would it take Eve to create enough digests to find the original message if each digest is 64 bits long?

    More than 500 years.

    What is the probability threshold for Eve to find two messages with the same digest in a collision attack?

    More than 0.5.

    In a collision attack with a 64-bit digest, how many digests must Eve create to have more than a 50% chance of a collision?

    About 1.18 × 2^32 digests.

    What happens when the number of messages exceeds the number of possible unique digests?

    It increases the risk of collision attacks.

    What does the generalized pigeonhole principle state about occupied pigeonholes?

    If n pigeonholes are occupied, k + 1 messages can exist in one.

    If Eve can create digests at a rate of 1 million messages per second, how long will it take to perform a collision attack?

    About two hours.

    What is the maximum length of padding that can be added to a message according to SHA-512 specifications?

    1023 bits

    What is necessary for padding to be required in SHA-512?

    A length field needs to be added.

    If the length of the original message is 2590 bits, how many padding bits are added?

    353 bits

    What is the minimum possible length of padding in SHA-512 if the original message is such that (−|M| − 128) mod 1024 = 0?

    0 bits

    How long can a message be to be compliant with SHA-512 before needing to be shortened?

    Less than 2^128 bits

    What is the digest size produced by SHA-512?

    512 bits

    How many pages would a message of 2^128 bits occupy if each page holds approximately 2048 bits worth of characters?

    2^110 pages

    What occurs when the original message's length is already a multiple of 1024 bits?

    Only the length field needs to be added.

    Study Notes

    Message Integrity

    • Cryptography systems presented so far offer secrecy but not integrity
    • Integrity ensures the message hasn't been altered
    • A fingerprint, like a cryptographic hash function, can be used to check for integrity.

    Document and Fingerprint

    • A physical document's integrity can be ensured using a fingerprint
    • Alice can ensure the contents of her document aren't changed by affixing her fingerprint at the bottom
    • A document fingerprint is analogous to a message digest.

    Message and Message Digest

    • The digital equivalent of a document and fingerprint is a message and a digest pair
    • A hash function transforms the message into its digest (fingerprint)
    • A message's integrity is verified by comparing the calculated digest with the stored digest.

    Difference

    • Documents and fingerprints are physically linked
    • Messages and digests can be unlinked and compared separately
    • The message digest must be protected from tampering to maintain integrity.

    Checking Integrity

    • Hash functions calculate a current digest
    • Comparison with the previous digest determines if a message has been altered
    • Discard an altered message, or re-transmit it.

    Cryptographic Hash Function Criteria

    • Cryptographic hash functions must satisfy three criteria
    • Preimage resistance: Infeasible to find an input (preimage) producing a given output.
    • Second preimage resistance: Infeasible to find a second input producing the same output as a given input.
    • Collision resistance: Infeasible to find two different inputs producing the same output.

    Preimage Resistance

    • A preimage attack attempts to find an input that produces a given output
    • Given a hash value, it's computationally infeasible to find its corresponding message.
    • The difficulty is proportional to 2^n, where n is the hash value's length.

    Lossless Compression

    • Lossless compression methods are not suitable for cryptographic hash functions
    • They create reversible compressed messages.

    Checksums

    • Checksums are not robust enough for cryptographic hash functions
    • They're not preimage resistant, meaning multiple messages might have the same checksum.

    Second Preimage Resistance

    • A second preimage attack tries to find a second message with the same hash value as a known message
    • Finding a second preimage is computationally infeasible, proportional to 2^n

    Collision Resistance

    • A collision attack finds two different messages with the same hash value
    • Finding collisions is computationally infeasible, proportional to 2^(n/2)

    Random Oracle Model

    • Introduced by Bellare and Rogaway in 1993, it's an ideal mathematical model for hash functions.
    • It assumes the hash function acts like a random oracle, outputting random values for every input.

    Oracle Table

    • A table used to store messages and their corresponding digests generated by an oracle.
    • The oracle checks the table for a matching message before calculating the digest.

    Pigeonhole Principle

    • If n pigeonholes contain more than n pigeons, at least one pigeonhole must contain more than one pigeon.
    • This concept is applicable to hash functions, where if more messages map to fewer possible digests, there's a high probability of collisions.

    Example of collisions

    • If messages have 6 bits and digests have only 4 bits, there are more messages than possible digests (2^6 > 2^4)
    • The probability of collision is greater than zero in this simplified example.

    Attack Algorithms

    • Algorithms exist for preimage, second preimage, and collision attacks.
    • The difficulty (cost) of each attack is calculated against input lengths (2^n, 2^(n/2)).

    Message Authentication Code (MAC)

    • Message digests don't authenticate the sender
    • A MAC adds a proof of authorship
    • MACs use cryptographic hash functions combined with secret keys for message authentication

    Modification Detection Code (MDC)

    • An MDC is a message digest that serves as proof of integrity
    • Alice creates an MDC and sends it along with the message to Bob
    • Bob calculates a new MDC from the received message.
    • If the new MDC is the same as the received one, then the message is undamaged.

    MAC Security

    • MAC security relies on the underlying hash function’s strength
    • Brute-force and cryptanalytic threats exist
    • Increased bit sizes of hash functions offer increased security

    Keyed Hash Functions

    • A hash function used to generate MACs
    • This method uses both a message and a secret key to derive the MAC.
    • The keyed hash includes a key along with the message to create unique hash values.

    HMAC

    • An improvement over keyed hash functions, HMAC ensures wider security against attacks.
    • HMACs use a hash function combined with a key and padding to increase the security and resistance of the MACs.
    • It's a secure way to apply hash functions to messages paired with a secret key.

    Hash Function Uses

    • Hash functions can condense arbitrary-length messages into fixed-size digests.
    • They're used to detect changes to messages, verify data integrity, and in processes like password storage.
    • Hash functions provide one-way mappings and are collision-resistant for security purposes

    Cryptographic Hash Function

    • A mathematical function that maps a message of arbitrary length to a fixed-size hash value—a digest—that acts as a message fingerprint.

    Hash Function Uses

    • Message Integrity Check (MIC): Calculating a hash of message for integrity checks
    • Message Authentication Code (MAC): Using a keyed hash function to protect a message's integrity
    • Digital Signatures (Non-repudiation): Encrypting a hash with a private key for non-repudiation

    Birthday Attacks

    • Birthday paradox demonstrates that the probability of a collision increases significantly given more inputs when there are a limited number of possible outcomes.
    • Attackers aim to find collisions by generating many messages with the same hash function result.
    • When the number of possible hashed messages exceeds the square root of the total hashes, there's a greater probability of collisions.

    Hash Function Cryptanalysis

    • Hash functions use an iterative structure involving multiple message blocks
    • Cryptanalytic attacks seek to exploit the structure of hash functions to find collisions faster than an exhaustive search.

    Block Ciphers as Hash Functions

    • Block ciphers can be adapted into hash functions, but their output can be too small for security.
    • Vulnerable to birthday and meet-in-the-middle attacks due to their relatively short output lengths

    Secure Hash Algorithms (SHAs)

    • Designed by NIST and NSA in 1993
    • Reimplemented with additional versions in 1995 for increased security
    • Produces longer, 160-bit hash values, which make it more resistant to attacks.

    Revised Secure Hash Standard

    • NIST introduced revisions with additional SHA versions.
    • Enhanced versions of SHA designed for security compatibility with the AES cipher.

    SHA-512 Overview

    • Processing messages in 1024-bit blocks
    • 80 rounds of iterations in the compression functions

    SHA-512 Compression Function

    • Compressing messages in 1024-bit blocks during SHA-512 operation.
    • 80 rounds, updating a 512-bit buffer
    • 64-bit values derived from the message block
    • Round constant values extracted by cube roots of 80 prime numbers

    SHA-512 Round Function

    Structure of Each Round

    Majority Function

    Conditional Function

    Rotate Functions

    Compression Function

    Message Digest Initialization

    • Initialization values of constants utilized in the SHA-512 message digest.

    Message Preparation

    • SHA-512 requires the length of the message to be under 2^128 bits.

    Padding and length field in SHA-512

    Padding Calculation

    Padding Necessity

    Minimum and Maximum Padding

    Characteristics of Secure Hash Algorithms (SHAs)

    SHA-3

    • A new hash algorithm designed to address vulnerabilities in older SHA versions

    SHA-3 Requirements

    • Replacing SHA-2 with SHA-3 to uphold similar hash sizes and the online procedures in smaller block sizes.

    Two groups of compression functions

    Iterated Hash Function (Merkle-Damgård Scheme)

    • A hash function that processes the message in multiple blocks, using a compression function iteratively.

    Rabin Scheme

    Davies-Meyer Scheme

    Miyaguchi-Preneel Scheme

    Secure Hash Algorithm (SHA-1)

    • A 160-bit hash algorithm, designed by NIST & NSA

    SHA Overview

    SHA-1 Compression Function

    Message-Digest 5 (MD5)

    • Designed by Ronald Rivest
    • 128-bit message hash, widely used, later found to have vulnerabilities.

    MD5 Overview

    MD5 Compression Function

    MD4

    • Precursor to MD5
    • Designed for speed with little-endian architecture

    Strength of MD5

    • Hash is dependent on all message bits, but vulnerabilities exist in newer analyses.

    SHA-1 Versus MD5

    • Brute force attack is harder for SHA-1 than MD5
    • SHA-1 is a bit slower than MD5

    Revised Secure Hash Standard

    • Provides additional SHA versions with higher security standards

    Whirlpool

    • A 512-bit hash algorithm based on the Miyaguchi-Preneel scheme with a customized AES block cipher as the compression function.

    Whirlpool Cipher

    SubBytes

    ShiftColumns

    MixRows

    AddRoundKey

    Key expansion in the Whirlpool cipher

    CMAC

    CMAC Overview

    CMAC

    Authenticated Encryption

    Counter with Cipher Block Chaining-Message Authentication Code (CCM)

    Galois/Counter Mode (GCM)

    GCM Functions

    Authenticated Encryption

    Generic Composition

    Comparison

    Inclusion

    Verification Method

    Relationship

    Duplicity

    Process

    Digital Signature Process

    Need for Keys

    Signing the Digest

    Services

    Message Integrity

    Nonrepudiation

    Confidentiality

    Attack Types

    Forgery Types

    Digital Signature Schemes

    RSA Digital Signature Scheme

    Key Generation

    Signing and Verifying

    ElGamal Digital Signature Scheme

    Key Generation

    Verifying and Signing
