1 Let H be a cryptographic hash function eg MD5 or SHA1 And

1. Let H be a cryptographic hash function, e.g., MD5 or SHA-1, and let M1 and M2 be any two given messages. If the hash values of these two messages are equal, is it then true that the messages are equal? Justify your answer.

2. Is it possible for two different passwords to unlock the same account? Explain your answer on the basis of the hash function properties we learned in class.

3. Your WWW browser contains a cache of self-signed root CA certificates. If a malefactor wants your browser to trust a "black market" WWW server (for example, they might want to perpetrate a phishing attack for the purpose of stealing the login/password for your bank account), what would they need to do to this cache to make that possible?

Solution

Collision resistance is a property of cryptographic hash functions. A hash function H is collision resistant for two inputs a and b if and only if H(a) = H(b) when a = b.

Every hash function with more inputs than outputs will necessarily have collisions.

For SHA-1, there is a 1 in 2^160 chance that two given messages have the same hash (SHA-1 produces a 160-bit hash).

For MD5, the probability of two hashes accidentally colliding is 1/2^128.
So the conclusion is that two strings can produce the same hash, but the probability of it is very, very low.

2. Yes, it is possible for two different passwords to unlock the same account. The explanation is the same as in the answer above: if the two passwords generate the same hash value, then the account can be unlocked with either of them. But again, we have discussed how rare this case is. There is also the concept of using a salt and a pepper with the password. Instead of the password alone, the hash function is applied to SALT+PASSWORD, where SALT is a value unique to a particular user account. The SALT values should be chosen so that each is unique to its account; this ensures that both the username and the password must match a specific account to allow logging in. Another concept is PEPPER+PASSWORD (PEPPER is a site-wide constant). A script is run that detects the same-password case and puts the hash on a reject list. It automatically sends mail to users asking them to change their password if it is on the reject list.

3. There can be a man-in-the-middle attack, where the attacker intercepts your request to the original server and fools you into using their certificate (and therefore their public key); this way, your browser will happily encrypt data such that it can be easily decrypted by the "man in the middle." So what they need to do in the cache is replace the public key in the certificate with their own public key and then decrypt at their end with their private key.

4. The SSL protocol is used. Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
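The points made in answers 1 and 2 above (more inputs than outputs forces collisions, and a colliding password unlocks the account) can be checked with a short added example; it is not part of the original solution. It assumes a toy hash, SHA-256 truncated to 16 bits, so that a collision is found in a fraction of a second, and the salts and password strings are constructed sample values.

```python
import hashlib
import hmac

OTHER_SALTS = [b"salt-bob", b"salt-carol", b"salt-dave", b"salt-erin"]  # constructed

def toy_hash(data: bytes, bits: int = 16) -> bytes:
    """SHA-256 truncated to `bits` bits: a deliberately tiny toy hash."""
    return hashlib.sha256(data).digest()[: bits // 8]

def find_collision(salt: bytes, bits: int = 16):
    """Return two different passwords whose salted toy hashes are equal.

    There are only 2**bits outputs, so among 2**bits + 1 distinct inputs
    two must share one (pigeonhole); in practice it takes a few hundred.
    """
    seen = {}
    for i in range(2 ** bits + 1):
        pw = f"password-{i}".encode()
        h = toy_hash(salt + pw, bits)
        if h in seen:
            return seen[h], pw
        seen[h] = pw
    raise AssertionError("unreachable: pigeonhole guarantees a collision")

def verify(stored: bytes, salt: bytes, attempt: bytes) -> bool:
    """Login check: recompute the salted hash, compare in constant time."""
    return hmac.compare_digest(stored, toy_hash(salt + attempt))

def demo() -> dict:
    salt = b"salt-alice"                      # constructed per-account salt
    pw1, pw2 = find_collision(salt)
    stored = toy_hash(salt + pw1)             # account registered with pw1
    full1 = hashlib.sha256(salt + pw1).digest()
    full2 = hashlib.sha256(salt + pw2).digest()
    return {
        "passwords_differ": pw1 != pw2,
        # Equal hashes, different messages: both passwords log in.
        "both_unlock_alice": verify(stored, salt, pw1) and verify(stored, salt, pw2),
        # The same pair under other accounts' salts: how many still collide.
        "carried_over": sum(
            toy_hash(s + pw1) == toy_hash(s + pw2) for s in OTHER_SALTS
        ),
        # At the full 256-bit output length the same pair no longer collides.
        "collide_at_256_bits": full1 == full2,
    }

if __name__ == "__main__":
    print(demo())
```
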

Tutor: Dr Jack