
Module Code COM00093M

Question 1: Hash & MAC Security (30 Marks)

In a certain network protocol, each datagram consists of a 256-bit header and a 256-bit payload. An organisation decides to store hashed datagrams for analytic purposes. These hash values need to be calculated on resource-limited devices that can only process data in 256-bit chunks. Thankfully, the devices have hardware implementations of the following cryptographic algorithms:

• SHACAL, a block cipher with 256-bit keys, 256-bit input blocks, and 256-bit outputs, and

• H, a secure internal hash function with 256-bit inputs and 128-bit outputs.

Since the internal hash function H cannot process entire datagrams, it is necessary to design a hashing method that can compute datagram hashes based on the internally implemented algorithms. The engineers come up with the following designs for hashing datagrams:

Design A: Hash separately, then XOR, i.e.,

Hash(datagram) := H(header) ⊕ H(payload) .

Design B: Hash separately, then hash the concatenated results, i.e.,

Hash(datagram) := H( H(header) ‖ H(payload) ) .

Design C: Apply SHACAL to the payload (as input block) using the header as key, then XOR the result with the header, i.e.,

Hash(datagram) := SHACAL_header(payload) ⊕ header .

In these designs, ⊕ denotes the bit-wise exclusive-or operation and ‖ denotes string concatenation. The designed datagram-hashing method is called Hash to distinguish it from the internal hash function H.

Questions

(i) [5 Marks] The organisation needs to develop a program that looks at the stored datagram hash values and for any two hashed datagrams reliably distinguishes if the original datagrams were identical or not. Identify the security requirement on datagram hashing in this case, and briefly justify your answer.

(ii) [12 Marks] Consider the three candidate designs A, B, and C above. For each design, discuss whether or not it satisfies the security requirement identified in part (i). In each case, provide a convincing argument or an attack to support your answer.


Now assume that beside calculating datagram hash values, the devices are to transmit the datagrams to a central monitoring platform over a public network. The devices apply a message-authentication code MAC to hashed datagrams and send the following information to the monitoring platform.

datagram, MAC_K( Hash(datagram) )

Assume that MAC is secure and the MAC key K is securely pre-shared between a device and the monitoring platform. Since datagrams are not required to remain confidential, no encryption is used, and the above information is sent in the clear over the network. Hence, the network communication might be observed, blocked, or modified by third parties. The monitoring platform performs MAC verification upon receiving any communication and only accepts the incoming communication if MAC verification succeeds.
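
The exchange described above, sketched with Design B as an added example that is not part of the original exam paper. It assumes stand-ins for the hardware primitives: truncated SHA-256 for H and HMAC-SHA256 for MAC; all function names, the key and the sample datagram are constructed for illustration. Note that the tag covers Hash(datagram), not the datagram bytes directly, so the platform has to recompute Hash before verifying.

```python
import hashlib
import hmac

BLOCK = 32  # 256 bits: size of header, payload and of every input to H

def H(block: bytes) -> bytes:
    """Stand-in for the internal hash H (assumption): 256-bit in, 128-bit out."""
    if len(block) != BLOCK:
        raise ValueError("H only accepts 256-bit inputs")
    return hashlib.sha256(block).digest()[:16]

def hash_design_b(header: bytes, payload: bytes) -> bytes:
    """Design B: H( H(header) || H(payload) ); the inner value is exactly 256 bits."""
    return H(H(header) + H(payload))

def mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the secure MAC (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def device_send(key: bytes, header: bytes, payload: bytes):
    """Device side: returns (datagram, MAC_K(Hash(datagram)))."""
    return header + payload, mac(key, hash_design_b(header, payload))

def platform_accept(key: bytes, datagram: bytes, tag: bytes) -> bool:
    """Platform side: recompute Hash from the received datagram, then check the tag."""
    if len(datagram) != 2 * BLOCK:
        return False  # malformed datagram, reject before hashing
    header, payload = datagram[:BLOCK], datagram[BLOCK:]
    expected = mac(key, hash_design_b(header, payload))
    return hmac.compare_digest(expected, tag)  # constant-time comparison

# Constructed sample values, for illustration only
KEY = bytes(range(32))
HEADER = b"\x01" * BLOCK
PAYLOAD = b"\x02" * BLOCK

def demo() -> dict:
    datagram, tag = device_send(KEY, HEADER, PAYLOAD)
    flipped = datagram[:-1] + bytes([datagram[-1] ^ 1])  # one bit changed in transit
    return {
        "genuine": platform_accept(KEY, datagram, tag),
        "bit_flipped": platform_accept(KEY, flipped, tag),
        "truncated": platform_accept(KEY, datagram[:-1], tag),
        "wrong_key": platform_accept(b"\x00" * 32, datagram, tag),
    }

if __name__ == "__main__":
    print(demo())
```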

Questions

(iii) [5 Marks] The authenticity and integrity of the received communication are important to the monitoring platform. In other words, the platform needs to make sure any communication it accepts is indeed from the device and that the information has not been tampered with in transit. Identify the security requirement on the MAC component for the above protocol to provide authenticity and integrity guarantees. Briefly justify your answer.

(iv) [8 Marks] Consider Designs B and C only. For each design when used in the protocol above, discuss if the required goals of authenticity and integrity are met. In each case, provide a convincing argument or an attack to support your answer.

Page Limit

Your answer to this question must not exceed 2 sides of A4 in total.

 

 
