Authenticated Encryption

Author: Gao Date: 2021-03-28

Glossary

Cryptographic Hash Function

It is a one-way function that maps data of arbitrary size (often called the message) to a bit array of a fixed size (the hash value, hash, or message digest). Ideally, it should be infeasible to invert and the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match.

Salt

Salt is random data that is used as an additional input to a one-way function. Salts defend against attacks that use precomputed tables (e.g. rainbow tables), because they make the size of the table needed for a successful attack extremely large.

Reuse Salt

Reusing the same salt for numerous inputs is dangerous because it allows a precomputed table that simply applies the same salt to every item in the brute-force dictionary.

Short Salt

If a salt is too short, an attacker may precompute a table of all combinations of every possible salt and every likely plaintext.
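To make the three salt points above concrete, here is a small added example (not part of the original note) that builds a "precomputed table" over a constructed candidate list and shows when a single table works (no salt, or one salt reused everywhere) and when it does not (a random salt per record). The candidate list and the salts are constructed for the demonstration; SHA-256 is used only to keep the example short.

```python
import hashlib
import os

# Constructed sample data: a tiny "brute-force dictionary" of candidate inputs.
CANDIDATES = ["letmein", "password", "qwerty", "hunter2"]


def digest(value: str, salt: bytes = b"") -> str:
    """Hex SHA-256 of salt || value.

    Demonstration only: a real password store would use a slow KDF such as
    PBKDF2 or scrypt on top of the salt, but the table argument is the same.
    """
    return hashlib.sha256(salt + value.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> candidate for one fixed salt.

    With no salt, or with a salt shared by every record, this one table answers
    every lookup.
    """
    return {digest(c, salt): c for c in CANDIDATES}


def lookup(table: dict, stored_digest: str):
    """Return the candidate behind a stored digest, or None if not tabulated."""
    return table.get(stored_digest)


def table_size_for_short_salt(salt_bits: int) -> int:
    """Entries a complete table needs when every possible salt of salt_bits bits
    is combined with every candidate (the 'short salt' problem)."""
    return (2 ** salt_bits) * len(CANDIDATES)


def demo():
    # Unsalted: a table built once recovers the input behind any stored digest.
    unsalted_hit = lookup(build_table(), digest("hunter2"))

    # Reused salt: the attacker only has to bake that one salt into the table.
    shared_salt = b"static-salt"
    shared_hit = lookup(build_table(shared_salt), digest("hunter2", shared_salt))

    # Per-record random salt: a table built for one salt says nothing about a
    # digest computed under another, so the table would need one copy per salt.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    miss = lookup(build_table(salt_a), digest("hunter2", salt_b))
    return unsalted_hit, shared_hit, miss


if __name__ == "__main__":
    print(demo())
    print("entries for an 8-bit salt:", table_size_for_short_salt(8))
```

`demo()` returns `("hunter2", "hunter2", None)`: the unsalted and shared-salt lookups both succeed, the per-record-salt lookup fails. `table_size_for_short_salt` shows why the salt also has to be long: the table grows by a factor of 2 per salt bit.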

Message Authentication Code

A MAC is a cryptographic checksum used to detect when an attacker has tampered with a message, so we can confirm that the message came from the trusted sender (ourselves). The MAC value protects a message's integrity as well as its authenticity.

Comparison

Security Goal   | Hash | MAC       | Digital Signature
----------------|------|-----------|------------------
Integrity       | Yes  | Yes       | Yes
Authentication  | No   | Yes       | Yes
Non-Repudiation | No   | No        | Yes
Keys            | N/A  | Symmetric | Asymmetric

Example Application: Tamper-Proof Query Parameter

Since URLs can easily be changed by even the most novice user, you need to validate that the user has not modified the query parameter into an unacceptable state.

The standard approach is a proper authentication and authorization control system in the backend, or avoiding passing such critical information through the query parameter at all by using a data store or an external service.

However, there are times when important state needs to be passed through the query parameter and, under no circumstances, should the end user be able to modify it. To preserve the integrity of the query parameter you will have to apply some security mechanism.

Approach 1: Cryptographic Hash Function

You can use a cryptographic hash function to "sign" the value of the query parameter that you do not want the user to edit, and append this signature to the query string. We validate the value by applying the same hash function and checking that the result matches the signature we included previously.

However, this approach has a problem: even if the hash function we use is kept private, the user might work out which function it is, e.g. sha256. Then the user can forge the value of the query parameter and update the signature by hand.

Approach 2: Cryptographic Hash Function With Salt

To stop the user from generating the signature themselves, we can add an additional input (salt) before hashing. However, this approach still has problems; for example, it is vulnerable to replay attacks: an authenticated user could cut and paste a valid query parameter value to other users, or it could be cached by a search engine. To prevent this we need to design our own protocol, e.g. bind the salt value to each user (session id), or make it expire after a period of time (timestamp). However, most of the time the salt value is not meant to be completely invisible to the user, e.g. we can often retrieve the session id from the browser cookie or another header, and storing a salt for each user may be expensive, since the salt should be long enough and different for each user to prevent precomputed dictionary attacks.

Approach 3: Message Authentication Code

We can use a MAC to provide better data integrity and authenticity: a MAC resists forgery under chosen-plaintext attacks, while a cryptographic hash function does not. However, a MAC does not provide confidentiality of the query parameter value; it is still visible to the user, and the same replay-attack problem remains.
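The following added example (not from the original note) puts Approaches 1 to 3 side by side for the tamper-proof query parameter: a plain hash "signature" that anyone can recompute after editing the value, versus an HMAC under a server-side key that also binds the value to a session id and an issue timestamp, which is the session/expiry binding Approach 2 calls for. The server key, the parameter name `acct`, the session ids and the 300-second lifetime are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Assumption: a secret held only by the server (constructed here; in practice
# loaded from a secret store). The user never sees it, so they cannot recompute
# the tag after editing the value.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 300  # assumed lifetime of a signed query string


# Approach 1: a bare hash as the "signature". Anyone who guesses the hash
# function can regenerate it for a modified value, so it only catches accidents.
def hash_sign(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def hash_verify(value: str, sig: str) -> bool:
    return hmac.compare_digest(hash_sign(value), sig)


# Approach 3 with the bindings of Approach 2: HMAC under the server key over the
# value, the session it belongs to, and the time it was issued.
def _msg(value: str, session_id: str, issued: int) -> bytes:
    # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide.
    fields = (value.encode(), session_id.encode(), str(issued).encode())
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def mac_sign(value: str, session_id: str, issued: int) -> str:
    return hmac.new(SERVER_KEY, _msg(value, session_id, issued), hashlib.sha256).hexdigest()


def build_query(value: str, session_id: str, now: int) -> str:
    """Query string carrying the value, its issue time and the tag."""
    return urlencode({"acct": value, "ts": now, "sig": mac_sign(value, session_id, now)})


def verify_query(query: str, session_id: str, now: int) -> bool:
    """Accept only if the tag matches this value, this session, and is unexpired."""
    q = parse_qs(query)
    try:
        value, issued, sig = q["acct"][0], int(q["ts"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(mac_sign(value, session_id, issued), sig)


def demo():
    now = int(time.time())
    # Hash-only: a user who changes the value simply recomputes the digest.
    forged_accepted = hash_verify("acct=999", hash_sign("acct=999"))
    # HMAC: the same edit fails without the key, and so does reuse by another
    # session or after expiry.
    q = build_query("123", "session-A", now)
    tampered = q.replace("acct=123", "acct=999")
    return {
        "hash_forgery_accepted": forged_accepted,
        "valid": verify_query(q, "session-A", now + 10),
        "tampered": verify_query(tampered, "session-A", now + 10),
        "other_session": verify_query(q, "session-B", now + 10),
        "expired": verify_query(q, "session-A", now + MAX_AGE_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC variant still leaves `acct=123` readable in the URL, which is the confidentiality gap the text notes; the next approach closes it.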

Approach 4: Authenticated Encryption

In addition to the benefits of the previous approach, it provides confidentiality of the message. Authenticated encryption schemes can recognize improperly constructed ciphertexts and refuse to decrypt them.

Approach 4.1: Encrypt-then-MAC

EtM
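As an added example (not part of the original note), here is the Encrypt-then-MAC composition written out: encrypt first, then compute a MAC over the nonce, the associated data and the ciphertext, and on receipt check the tag before decrypting anything, which is what lets the scheme refuse improperly constructed ciphertexts. Because the Python standard library ships no block cipher, the stream cipher here is constructed from HMAC-SHA256 run in counter mode; the EtM structure is identical with AES-CTR, and the master key and session labels are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed master key. EtM needs independent keys for the cipher and the MAC,
# derived here with labelled HMAC calls (HKDF-style) for the demonstration.
MASTER = os.urandom(32)
ENC_KEY = hmac.new(MASTER, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER, b"mac", hashlib.sha256).digest()

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (constructed stand-in for
    AES-CTR, used because the standard library has no block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # The tag covers associated data, nonce and ciphertext; the aad length is
    # included so the field boundaries are unambiguous.
    m = len(aad).to_bytes(8, "big") + aad + nonce + ct
    return hmac.new(MAC_KEY, m, hashlib.sha256).digest()


def seal(plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: encrypt, then MAC the ciphertext (plus aad)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext)))
    return nonce + ct + _tag(nonce, aad, ct)


def open_(sealed: bytes, aad: bytes = b""):
    """Return the plaintext, or None if the tag does not verify.

    The tag is checked before any decryption, so a tampered or mis-bound
    ciphertext is rejected outright rather than decrypted to garbage.
    """
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(_tag(nonce, aad, ct), tag):
        return None
    return _xor(ct, _keystream(ENC_KEY, nonce, len(ct)))


def demo():
    msg = b"acct=123"
    sealed = seal(msg, aad=b"session-A")      # value is no longer readable
    ok = open_(sealed, aad=b"session-A")
    # Flip one ciphertext bit: the tag no longer verifies, nothing is decrypted.
    flipped = bytearray(sealed)
    flipped[NONCE_LEN] ^= 0x01
    tampered = open_(bytes(flipped), aad=b"session-A")
    # The same blob presented under another session id fails the tag check too.
    wrong_aad = open_(sealed, aad=b"session-B")
    return ok, tampered, wrong_aad


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(b"acct=123", None, None)`. Binding the session id as associated data gives the replay protection discussed under Approach 2 without putting the session id inside the ciphertext, and the fresh random nonce per call means two seals of the same value produce different blobs.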
