Date posted: 02-Jan-2016
Uploaded by: gerard-dorsey
Message Authentication Code
July 2011

Message Authentication Problem

Message authentication is concerned with:
  protecting the integrity of a message
  validating the identity of the originator
How to detect changes made to the message by an adversary?
  Ancient solution: sign and seal
  A further technique: split into a message part and an authenticator part ("tag")
How to do this digitally?
  Create a tag t(M) and send the tag securely

Communication without authentication

Shared key k to generate authenticated message
[Diagram: Alice sends M to Bob; Eve intercepts it and delivers M' instead.]
Very easy: Eve can simply change the message.

Integrity Protection with MAC

Shared key k to generate authenticated message
[Diagram: Alice and Bob both hold key k. Alice sends M with MAC(k,M) to Bob. Eve holds M' but has "k=??, MAC=??".]
Eve cannot forge the MAC when k is unknown.

MAC Authentication (I)

MAC allows two or more mutually trusting parties to authenticate messages sent between members.
[Diagram: Alice and Bob both hold key k. Alice sends M with MAC(k,M) to Bob; Eve observes.]
Bob: "Only Alice and I know k; one of us sent M. If I did not send M, then Alice must have sent it."

MAC Authentication (II)

MAC allows two or more mutually trusting parties to authenticate messages sent between members.
[Diagram: Alice, Bob, Chris and Doug all hold key k. Alice sends M with MAC(k,M) to Bob; Eve observes.]
Bob: "Only Alice, Chris, Doug and I know k; one of us sent M."

Integrity with Hash

Can we simply send the hash with the message to serve message authentication?
Ans: No, Eve can change the message and recompute the hash.
Using a hash needs a more appropriate procedure to guarantee integrity.
[Diagram: no shared key. Alice sends M with h(M) to Bob; Eve forges M', computes h(M') and forwards both.]
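
The two slides above, side by side, as an added example that is not part of the original deck: Bob's check accepts Eve's rewritten message when the authenticator is an unkeyed hash and rejects it when it is a MAC. The key, the messages and all function names are constructed for illustration, and HMAC-SHA256 from Python's standard library stands in for MAC(k,M).

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-known-to-alice-and-bob"  # constructed sample key

def protect_with_hash(message):
    """Alice sends M together with the unkeyed digest h(M)."""
    return message, hashlib.sha256(message).digest()

def protect_with_mac(key, message):
    """Alice sends M together with MAC(k, M)."""
    return message, hmac.new(key, message, hashlib.sha256).digest()

def bob_accepts_hash(message, digest):
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def bob_accepts_mac(key, message, tag):
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def eve_rewrites(packet, new_message, scheme):
    """Eve swaps M for M'. She has no key, so she can only recompute
    an unkeyed hash; for a MAC she must forward the old tag."""
    _, authenticator = packet
    if scheme == "hash":
        authenticator = hashlib.sha256(new_message).digest()
    return new_message, authenticator

def run_demo():
    original = b"transfer 10 to Bob"     # constructed sample message M
    forged = b"transfer 9000 to Eve"     # constructed sample message M'
    hash_pkt = protect_with_hash(original)
    mac_pkt = protect_with_mac(KEY, original)
    return {
        "hash_untouched": bob_accepts_hash(*hash_pkt),
        "hash_tampered": bob_accepts_hash(*eve_rewrites(hash_pkt, forged, "hash")),
        "mac_untouched": bob_accepts_mac(KEY, *mac_pkt),
        "mac_tampered": bob_accepts_mac(KEY, *eve_rewrites(mac_pkt, forged, "mac")),
    }

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:15s} accepted={accepted}")
```
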

Message Authentication Code

A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
Generated by an algorithm:
  generated from message + secret key: MAC = C(K,M)
A small fixed-sized block of data appended to the message as a signature when sent
Receiver performs the same computation on the message and checks it matches the MAC

MAC and Encryption

As shown, the MAC provides authentication
But encryption can also provide authentication!
Why use a MAC?
  sometimes only authentication is needed
  sometimes authentication needs to persist longer than the encryption (e.g. archival use)
Note that a MAC is not a digital signature

MAC Properties

A MAC is a cryptographic checksum
  MAC = C_K(M)
  condenses a variable-length message M using a secret key K to a fixed-sized authenticator
A many-to-one function
  potentially many messages have the same MAC
  but finding these needs to be very difficult

Keyed Hash Functions as MACs

Want a MAC based on a hash function
  because hash functions are generally faster
  crypto hash function code is widely available
Need hashing that includes a key along with the message
But hashing internally has no key!
Original proposal: KeyedHash = Hash(Key|Message)
  some weaknesses were found with this
Eventually led to the development of HMAC

HMAC

Hash-based Message Authentication Code
Developed by Mihir Bellare, Ran Canetti, and Hugo Krawczyk in 1996
Specified as Internet standard RFC 2104
Uses a cryptographic hash function in combination with a secret key
Any hash function can be used
  e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
  HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD-160, HMAC-Whirlpool
HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols

HMAC Overview

HMAC(K,M) = H( (K+ ⊕ opad) | H( (K+ ⊕ ipad) | M ) )

Scheme consists of a 2-stage nested hash: an inner and an outer hash
K+ is the expanded key k, padded with zeros on the left so that the result is b bits in length
Intermediate result of the first hash is padded to increase the complexity of the next hash
Different "round keys" are generated for each hash
  Stage 1: k1 = K+ ⊕ ipad
  Stage 2: k2 = K+ ⊕ opad
ipad: a string of repeated 0x36
  00110110,00110110, . . .,00110110
opad: a string of repeated 0x5C
  01011100,01011100, . . .,01011100
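
The two-stage construction above written out in Python and checked against the standard library's hmac module, as an added example that is not part of the original deck. It follows RFC 2104, which appends the zero bytes to the end of the key and first hashes any key longer than the block; the function names and the sample message are constructed for illustration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # the repeated pad bytes from the slide

def hmac_manual(key, message, hash_name="sha256"):
    """HMAC(K,M) = H((K+ xor opad) | H((K+ xor ipad) | M))."""
    def H(data):
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # hash block length, in bytes
    if len(key) > b:
        key = H(key)                        # RFC 2104: over-long keys are hashed first
    k_plus = key.ljust(b, b"\x00")          # RFC 2104: zero bytes appended to the key
    k1 = bytes(x ^ IPAD for x in k_plus)    # stage 1 key: K+ xor ipad
    k2 = bytes(x ^ OPAD for x in k_plus)    # stage 2 key: K+ xor opad
    inner = H(k1 + message)                 # inner hash over k1 | M
    return H(k2 + inner)                    # outer hash over k2 | inner digest

def verify(key, message, tag, hash_name="sha256"):
    """Receiver recomputes the MAC and compares in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)

def matches_stdlib():
    """Compare with hmac.new for short, block-sized and over-long keys."""
    msg = b"constructed sample message"
    keys = [b"k", b"A" * 64, b"B" * 200]    # constructed sample keys
    return all(
        hmac_manual(k, msg, name) == hmac.new(k, msg, name).digest()
        for name in ("sha1", "sha256", "sha512")
        for k in keys
    )

if __name__ == "__main__":
    tag = hmac_manual(b"constructed key", b"hello")
    print("tag:", tag.hex())
    print("agrees with hmac module:", matches_stdlib())
    print("tampered message accepted:", verify(b"constructed key", b"hellp", tag))
```
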

[Figure: Simplified Visualization]

CMAC (Cipher-based MAC)

"Hashless" MAC
  Uses an encryption algorithm (DES, AES, etc.) to generate the MAC
  Based on the same idea as cipher block chaining
  Compresses the result to the size of a single block (unlike encryption)

CMAC Overview

Message broken into N blocks
Each block fed into an encryption algorithm with the key
Result XOR'd with the next block before encryption to make the final MAC

CMAC Facts

Advantages:
  Can use existing encryption functions
  Encryption functions have properties that resist preimage and collision attacks
    Ciphertext is designed to appear like "random noise": a good approximation of the random oracle model
    Most exhibit a strong avalanche effect: a minor change in the message gives a great change in the resulting MAC
Disadvantage:
  Encryption algorithms (particularly when chained) can be much slower than hash algorithms

Summary

A hash is used to guarantee the integrity of data; a MAC guarantees integrity AND authentication
A hash takes a single input, a message, and produces a message digest
A MAC algorithm takes two inputs, a message and a secret key, and produces a MAC
An HMAC algorithm is simply a specific type of MAC algorithm that uses a hash algorithm internally to generate the MAC
A CMAC algorithm is a specific type of MAC algorithm that uses a block cipher internally to generate the MAC