26. Explain why H(k||m) and H(m||k) are not secure MACs when the underlying
ID: 3588645 • Letter: 2
Question
26. Explain why H(k||m) and H(m||k) are not secure MACs when the underlying hash function uses the Merkle-Damgård construction. Go through the attacks for each.
27. The CBC-MAC uses a block cipher in CBC mode to create a hash function. Is this secure? When is it secure and when is it not?
28. Suppose we propose the following MAC: given a message broken into blocks m_1, m_2, ..., m_r, we compute c_i = AES_k(m_i) ⊕ c_{i-1} for i = 1, ..., r, where k is a shared secret key and c_0 = k. The MAC tag is the value c_r. Is this a secure MAC? Can you create any forgeries? Does it matter if we insist that the message length be a multiple of the block length? Does it matter if we have to pad the last block?
29. EMAC is the encrypted CBC-MAC. How does it differ from CBC-MAC? Is this secure? What flaw in CBC-MAC does EMAC address?
Explanation / Answer
26.
"Secure hash function" typically implies (for a function H):
- Preimage resistance: Given a value h, it is hard to find a message x such that h = H(x).
- Second preimage resistance: Given a message x, it is hard to find a message x' ≠ x such that H(x) = H(x').
- Collision resistance: It is hard to find two messages x, x' such that H(x) = H(x').
For a secure MAC function M, we want:
Unforgeability:
Without knowing the key k, it is hard to find a message x and verification tag m such that m = M(k, x), even when given some other valid message-tag pairs (which are not allowed as answers).
Unfortunately, defining M(k, x) = H(k||x) for a secure hash function does not guarantee that the MAC function is unforgeable.
Indeed, with the hash constructions used in practice (i.e. the Merkle-Damgård construction without a finalization round, as used in MD5, SHA-1 and the SHA-2 family), it is quite easy, given a valid pair (x, m), to create a pair (x', m') which is still valid:
To compute a hash with Merkle-Damgård, the message is padded to some block size, and then each block in sequence is fed to a compression function, which updates an internal state. The final state is then output as the hash.
Thus, H(k||x) is the state of the hash machine after inputting k||x||pad_x. If we set our hash machine to this state, and then input arbitrary other data y, followed by another padding pad_y, we reach the state m' = H(k||x||pad_x||y) = M(k, x||pad_x||y).
The forgery is done, with x' = x||pad_x||y.
This also works with the full-width variants of SHA-2, i.e. SHA-256 and SHA-512. For the truncated variants of SHA-2 (SHA-384, SHA-224, SHA-512/224 and SHA-512/256) this attack doesn't work, as the output isn't the full hash state. (Although for a length extension attack only the truncated bits would have to be guessed, so the security is somewhat less than expected from the output size.)
The HMAC construction isn't susceptible to this attack, as the secret key k is applied both before and after the main message, which makes the internal state non-reconstructible.
HMAC does not guarantee unforgeability for general secure hash functions, either, but it has a security proof for the Merkle-Damgård construction, if the inner compression function is collision-resistant.
SHA-3 (Keccak) is based on a different model: we have a quite large state into which both key and message are mixed, and which is then further mixed to output the hash. The state itself is never output completely. Thus, length extension needs state recovery, and the capacity (the hidden part of the state) should be large enough that this isn't feasible (as well as guessing the key).
The paper On the security of the keyed sponge construction by the Keccak team analyzes the security of this construction.
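The state-resumption attack on M(k, x) = H(k||x) from the answer to 26, as an added example that is not part of the original answer. It uses a toy Merkle-Damgård hash (16-byte blocks, a SHA-256-based compression function, standard length-strengthening padding; all of these are assumptions for readability) and shows that someone who knows only x, the tag and len(k) can compute a valid tag for x' = x||pad_x||y without knowing k:

```python
import hashlib

BLOCK = 16  # toy block size in bytes (assumption: small for readability)


def _compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: a fixed-width function of (state, block).
    # The attack never looks inside it; it only relies on the MD chaining.
    return hashlib.sha256(state + block).digest()[:BLOCK]


def md_pad(total_len: int) -> bytes:
    # Merkle-Damgård strengthening: 0x80, zero bytes, then the 8-byte bit length,
    # chosen so that total_len + len(pad) is a multiple of BLOCK.
    pad = b"\x80"
    while (total_len + len(pad) + 8) % BLOCK:
        pad += b"\x00"
    return pad + (total_len * 8).to_bytes(8, "big")


def md_hash(msg: bytes, state: bytes = bytes(BLOCK), prior_len: int = 0) -> bytes:
    # Hash `msg`, optionally resuming from a known chaining state that has
    # already absorbed `prior_len` bytes (this resumption is the attack step).
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state


def naive_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + msg)  # M(k, x) = H(k || x), the construction under attack


def extend_tag(tag: bytes, key_len: int, x: bytes, y: bytes):
    # Knowing only len(k), x and tag = H(k||x), compute the tag of x||pad_x||y.
    pad_x = md_pad(key_len + len(x))
    x_prime = x + pad_x + y
    forged = md_hash(y, state=tag, prior_len=key_len + len(x) + len(pad_x))
    return x_prime, forged


def demo() -> bool:
    key = b"secret-key"             # constructed sample key (never used by extend_tag)
    x = b"amount=10&to=alice"       # constructed sample message
    tag = naive_mac(key, x)
    x_prime, forged = extend_tag(tag, len(key), x, b"&to=mallory")
    return naive_mac(key, x_prime) == forged  # True: the forged tag verifies
```

The same resumption fails against HMAC because the tag is a second keyed hash over the inner result, so the released value is never a resumable chaining state.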
27.
CBC-MAC is a generic construction that takes an arbitrary block cipher and turns it into an object that acts like a MAC for fixed-length messages (much like CBC mode is a generic construction that takes an arbitrary block cipher and turns it into an object that encrypts variable-length messages). And, just like "CBC" isn't tied to a specific block cipher, neither is CBC-MAC.
Note: CBC-MAC has issues if you attempt to use it with variable-length messages; CMAC and XCBC are two modes similar to CBC-MAC that avoid this issue.
Block cipher mode of operation:
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
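The fixed-length caveat from the answer to 27, as an added example that is not part of the original answer. It implements raw CBC-MAC over a stand-in keyed function (assumption: a SHA-256-based PRF instead of AES, so it runs without extra libraries), shows why accepting variable-length messages breaks it, and shows the two usual defences: enforcing a fixed block count, or prefixing the block count so the message domain is prefix-free:

```python
import hashlib

BLOCK = 16


def _prf(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_k (assumption: keyed PRF built from SHA-256).
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, blocks: list) -> bytes:
    # Raw CBC-MAC with a zero IV: c_i = E_k(m_i XOR c_{i-1}); the tag is c_r.
    c = bytes(BLOCK)
    for m in blocks:
        if len(m) != BLOCK:
            raise ValueError("every block must be exactly BLOCK bytes")
        c = _prf(key, _xor(m, c))
    return c


def cbc_mac_fixed_len(key: bytes, blocks: list, expected_blocks: int) -> bytes:
    # Defence 1: only ever MAC messages of one agreed length.
    if len(blocks) != expected_blocks:
        raise ValueError("raw CBC-MAC is only safe for a fixed message length")
    return cbc_mac(key, blocks)


def cbc_mac_len_prefixed(key: bytes, blocks: list) -> bytes:
    # Defence 2: prepend the block count, making the message domain prefix-free.
    return cbc_mac(key, [len(blocks).to_bytes(BLOCK, "big")] + blocks)


def splice_demo(key: bytes):
    m1 = b"pay 100 to alice"  # constructed sample block (16 bytes)
    m2 = b"pay 900 to carol"  # constructed sample block (16 bytes)
    t1, t2 = cbc_mac(key, [m1]), cbc_mac(key, [m2])
    spliced = [m1, _xor(m2, t1)]
    # Raw CBC-MAC: the two-block spliced message carries the same tag as [m2],
    # because the chaining value cancels: E_k((m2 XOR t1) XOR t1) = E_k(m2).
    raw_accepts = cbc_mac(key, spliced) == t2
    # Length-prefixed CBC-MAC: the first block now encodes the count, so the
    # tag of [m2] no longer verifies for the spliced message.
    lp_accepts = cbc_mac_len_prefixed(key, spliced) == cbc_mac_len_prefixed(key, [m2])
    return raw_accepts, lp_accepts  # (True, False)
```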