
Unit-3 MAC - Pps

Message Authentication Codes (MAC) are used to verify the integrity and authenticity of messages, ensuring they have not been altered and confirming the sender's identity. MACs rely on a shared secret key and can be generated using hash functions or encryption techniques, with HMAC being a widely used variant that incorporates a secret key into hash algorithms. While MACs provide authentication, they do not offer non-repudiation, distinguishing them from digital signatures.

Uploaded by

Milind Natu

Message Authentication Codes (MAC)
Unit-3
Message Authentication
Message authentication is concerned with:
❑ protecting the integrity of a message (i.e. protection from modification)
❑ validating identity of sender
❑ non-repudiation of origin (refers to the ability to ensure that a party to a contract or a communication cannot refuse the authenticity of their signature on a document or that a message was actually sent)
Message Authentication Requirements
In the context of communications across a
network, the following attacks can be
identified.
disclosure
traffic analysis
masquerade
content modification
sequence modification
timing modification
source repudiation
destination repudiation
Message Authentication Requirements
disclosure
traffic analysis

The first two requirements, i.e.
Disclosure: Release of message contents; and
Traffic analysis: Discovery of the pattern of traffic between parties
are generally regarded as matters of message confidentiality, and are handled using the encryption techniques already discussed.
Message Authentication Requirements
masquerade
content modification
sequence modification
timing modification
Masquerade: Insertion of messages into the network from a fraudulent source
Content modification: Modification of the contents of a message
Sequence modification: Modification to a sequence of messages between parties
Timing modification: Delay or replay of messages
These are generally regarded as matters of message authentication.
Message Authentication Requirements
source repudiation
destination repudiation

Mechanisms for dealing specifically with source repudiation (denial of transmission of message by source) come under the heading of digital signatures.
Destination repudiation (denial of receipt of message by destination) may require a combination of the use of digital signatures and a protocol designed to counter this attack.
❑ Message authentication is a procedure to verify that received messages have come from the alleged source and have not been altered.

❑ A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents.
Message Authentication Functions
There are three types of functions that may be used
to produce an authenticator: a value to be used to
authenticate a message
❑ hash function: A function that maps a message of
any length into a fixed length hash value, which
serves as the authenticator
❑ message encryption: The ciphertext of the entire
message serves as its authenticator
❑ message authentication code (MAC): A function of
the message and a secret key that produces a
fixed-length value that serves as the authenticator
Message authentication using encryption

❑ Message encryption by itself can provide a measure of authentication.
❑ The analysis differs for symmetric and public-key encryption schemes.
Symmetric Encryption
A message M transmitted from source A to destination B is encrypted using a
secret key K shared by A and B. If no other party knows the key, then
confidentiality is provided: No other party can recover the plaintext of the
message.
In addition, B is assured that the message was generated by A: the message
must have come from A, because A is the only other party that possesses K
and therefore the only other party with the information necessary to construct
ciphertext that can be decrypted with K. Furthermore, if M is recovered, B
knows that none of the bits of M have been altered, because an opponent that
does not know K would not know how to alter bits in the ciphertext to
produce the desired changes in the plaintext.
Public-Key Encryption
The straightforward use of public-key encryption
provides only confidentiality.
The source (A) uses the public key PUb of the
destination (B) to encrypt M. Because only B has the
corresponding private key PRb, only B can decrypt
the message. This scheme provides no authentication,
because any opponent could also use B’s public key
to encrypt a message and claim to be A.
Public-Key Encryption
To provide authentication, A uses its private key to
encrypt the message and B uses A’s public key to
decrypt. This provides authentication using the same
type of reasoning as in the symmetric encryption: The
message must have come from A because A is the
only party that possesses PRa and therefore the only
party with the information necessary to construct
ciphertext that can be decrypted with PUa.

Public-Key Encryption
To provide both confidentiality and authentication, A
can encrypt M first using its private key, which
provides the digital signature, and then encrypt using
B’s public key, which provides confidentiality.

The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication.
Message Authentication Code (MAC)

An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message.
How Does a Message Authentication Code Work?
The first step in the MAC process is the establishment of a secure
channel between the receiver and the sender.
To authenticate a message, the MAC system uses an algorithm that
takes a common secret key and the plaintext message being sent.
The MAC algorithm then generates an authentication tag of a fixed
length by processing the message. The resulting computation is
the message's MAC.
This MAC is then appended to the message and transmitted to the
receiver.

The receiver computes the MAC using the same algorithm. If the
resulting MAC is equal to the one sent by the sender, the
message is verified as authentic, legitimate, and not tampered
with.
In effect, MAC uses a secure key known only to the
sender and the recipient. Without this information,
the recipient will not be able to open, use, read, or
even receive the data being sent. If the data is
altered between the time the sender initiates the
transfer and when the recipient receives it, the MAC
information will also be affected.

Therefore, when the recipient attempts to verify the
authenticity of the data, the key will not work, and
the end result will not match that of the sender.
When this kind of discrepancy is detected, the data
packet can be discarded, protecting the recipient’s
system.
Message Authentication Code (MAC)
This technique assumes that two communicating parties, say A
and B, share a common secret key K. When A has a message to
send to B, it calculates the MAC as a function of the message
and the key:
MAC = C(K, M)
where,
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
The message along with the MAC is transmitted to the intended
recipient. The recipient performs the same calculation on the
received message, using the same secret key, to generate a new
MAC. The received MAC is compared to the calculated MAC.
Message Authentication Code
If we assume that only the receiver and the sender know the identity of
the secret key, and if the received MAC matches the calculated MAC,
then
1. The receiver is assured that the message has not been altered. If an
attacker alters the message but does not alter the MAC, then the
receiver’s calculation of the MAC will differ from the received MAC.
Because the attacker is assumed not to know the secret key, the
attacker cannot alter the MAC to correspond to the alterations in the
message.
2. The receiver is assured that the message is from the claimed sender.
Because no one else knows the secret key, no one else could prepare a
message with a proper MAC.
3. If the message includes a sequence number (such as in TCP), then the
receiver can be assured of the proper sequence because an attacker
cannot successfully alter the sequence number.
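The exchange described above, as an added example that is not part of the original slides: A and B share K, the tag covers a sequence number plus the message, and B recomputes the tag before accepting. HMAC-SHA256 stands in for the generic function C; the frame layout, the names `send`, `Receiver` and `outcome`, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def mac(key: bytes, data: bytes) -> bytes:
    """C(K, M): HMAC-SHA256 stands in for the generic MAC function."""
    return hmac.new(key, data, hashlib.sha256).digest()

def send(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender A: frame = 8-byte sequence number || message || MAC."""
    body = struct.pack(">Q", seq) + message
    return body + mac(key, body)

class Receiver:
    """Receiver B: recomputes the MAC and enforces the expected sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def receive(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(mac(self.key, body), tag):
            raise ValueError("MAC mismatch: altered message or wrong key")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.next_seq:
            raise ValueError("unexpected sequence number: replay or reorder")
        self.next_seq += 1
        return body[8:]

def outcome(receiver: Receiver, frame: bytes) -> str:
    """Return the accepted message text or the rejection reason."""
    try:
        return "accepted: " + receiver.receive(frame).decode()
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    K = b"constructed-demo-key-shared-by-A-and-B"  # constructed sample key
    b_side = Receiver(K)
    f0 = send(K, 0, b"pay 100 to carol")
    tampered = f0.replace(b"100", b"900")  # message changed, MAC left as sent
    for frame in (tampered, f0, f0, send(b"other key", 1, b"hi")):
        print(outcome(b_side, frame))
```

The sequence check only runs after the tag verifies, so a rejected frame never advances the receiver's state.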
Message Authentication Code
The process depicted earlier provides only authentication
because the message as a whole is transmitted.
Confidentiality can be provided by performing message
encryption either after (Figure b) or before (Figure c) the
MAC algorithm. In both these cases, two separate keys are
needed, each of which is shared by the sender and the
receiver.
Message Authentication Code
In the first case, the MAC is calculated with the message
as input and is then concatenated to the message. The
entire block is then encrypted.
Message Authentication Code
In the second case, the message is encrypted first. Then
the MAC is calculated using the resulting ciphertext
and is concatenated to the ciphertext to form the
transmitted block.
Typically, it is preferable to tie the authentication directly
to the plaintext, so the method of (Figure b) is used.
Message Authentication Codes

Why use a MAC?
● sometimes only authentication is needed
● sometimes need authentication to persist longer than the encryption (e.g. archival use)
Note that a MAC is not a digital signature
● Does NOT provide non-repudiation
Message Authentication Code (MAC)
❑ Message Authentication Code (MAC), also referred to
as a tag, is used to authenticate the origin and nature
of a message.
❑ MACs use authentication cryptography to verify the
authenticity of data sent through a network or
transferred from one person to another.
❑ In other words, MAC ensures that the message is
coming from the correct sender, has not been
changed, and that the data transferred over a network
does not contain harmful code.
❑ MACs can be stored on a hardware security module,
which is a device used to manage sensitive digital
keys.
Requirements for MAC
MAC, also known as a cryptographic checksum, is
generated by a function C of the form
MAC = C(K, M)
where
M - variable-length message
K - secret key shared only by sender and receiver
C(K, M) – fixed length authenticator, called tag

The tag is appended to the message at the source at a
time when the message is assumed or known to be
correct.
The receiver authenticates that message by recomputing
the tag.
Requirements for MAC
When an entire message is encrypted for confidentiality, using
either symmetric or asymmetric encryption, the security of the
scheme generally depends on the bit length of the key.

Barring some weakness in the algorithm, the opponent must resort to a brute-force attack using all possible keys.

On average, such an attack will require 2^(k-1) attempts for a k-bit key.

In particular, for a ciphertext-only attack, the opponent, given ciphertext C, performs P_i = D(K_i, C) for all possible key values K_i until a P_i is produced that matches the form of acceptable plaintext.
Taking into account the types of attacks, the
MAC needs to satisfy the following:
✔ knowing a message and MAC, it is infeasible to find
another message with same MAC
✔ MACs should be uniformly distributed
✔ MAC should depend equally on all bits of the
message
In recent years, there has been increased interest in
developing a MAC derived from a cryptographic
hash function because
1. Cryptographic hash functions such as MD5 and
SHA generally execute faster in software than
symmetric block ciphers such as DES.
2. Library code for cryptographic hash functions is
widely available.
MACs Based on Hash Functions: HMAC
A hash function such as SHA was not designed for
use as a MAC and cannot be used directly for that
purpose, because it does not rely on a secret key.

There have been a number of proposals for the
incorporation of a secret key into an existing hash
algorithm. The approach that has received the most
support is HMAC.

HMAC has been issued as RFC 2104 and has been
chosen as the mandatory-to-implement MAC for IP
security, and is used in other Internet protocols, such
as SSL.
HMAC has also been issued as a NIST standard.
HMAC Design Objectives
RFC 2104 lists the following design objectives for
HMAC.
❑ use, without modifications, hash functions
❑ allow for easy replacement of embedded hash function
❑ preserve original performance of hash function without significant degradation
❑ use and handle keys in a simple way
❑ have well understood cryptographic analysis of authentication mechanism strength

This has two benefits. First, an existing implementation of a hash function can be used as a module in implementing HMAC. In this way, the bulk of the HMAC code is prepackaged and ready to use without modification.
Second, if it is ever desired to replace a given hash function in an HMAC implementation, all that is required is to remove the existing hash function module and drop in the new module.
HMAC Algorithm
We can describe the algorithm as
follows:
1. Append zeros to the left end of K to
create a b-bit string K+
2. XOR (bitwise exclusive-OR) K+
with ipad to produce the b-bit block
Si.
3. Append M to Si.
4. Apply H to the stream generated in
Step-3.
5. XOR K+ with opad to produce the
b-bit block So.
6. Append the hash result from Step-4
to So.
7. Apply H to the stream generated in
Step-6 and output the result.
HMAC
❖ Note that the XOR with ipad results in flipping one-half of the bits of K.

❖ Similarly, the XOR with opad results in flipping one-half of the bits of K, using a different set of bits.

❖ In effect, by passing Si and So through the compression function of the hash algorithm, we have pseudo randomly generated two keys from K.
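The seven steps written out as an added example (not code from the slides or from RFC 2104), with H taken from `hashlib` so the hash can be swapped by name, and the result cross-checked against Python's own `hmac` module. The pad bytes 0x36 and 0x5C and the rule for keys longer than one block come from RFC 2104, not from this page; RFC 2104 places the zero padding after the key bytes, which is what the code does. The function names and sample inputs are assumptions.

```python
import hashlib
import hmac

IPAD_BYTE = 0x36  # RFC 2104 constant, repeated to fill one b-bit block
OPAD_BYTE = 0x5C  # RFC 2104 constant, repeated to fill one b-bit block


def hmac_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built from the seven steps, with H as a swappable module."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size  # b in bytes (64 for SHA-256)
    # RFC 2104: a key longer than one block is first replaced by H(K).
    if len(key) > block:
        key = H(key)
    # Step 1: zero-pad K to b bits; RFC 2104 puts the zeros after the key bytes.
    k_plus = key + b"\x00" * (block - len(key))
    # Step 2: Si = K+ XOR ipad
    s_i = bytes(x ^ IPAD_BYTE for x in k_plus)
    # Steps 3-4: inner hash over Si || M
    inner = H(s_i + message)
    # Step 5: So = K+ XOR opad
    s_o = bytes(x ^ OPAD_BYTE for x in k_plus)
    # Steps 6-7: outer hash over So || inner hash
    return H(s_o + inner)


def flipped_bits_per_byte(pad_byte: int) -> int:
    """How many of the 8 bits in each key byte the pad inverts."""
    return bin(pad_byte).count("1")


def matches_library(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the step-by-step result against Python's hmac module."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_steps(key, message, hash_name), expected)


if __name__ == "__main__":
    msg = b"constructed sample message"
    for name in ("sha256", "sha1", "sha512"):
        for key in (b"short key", b"K" * 200):  # constructed keys: < b and > b
            print(name, len(key), matches_library(key, msg, name))
    print(flipped_bits_per_byte(IPAD_BYTE), flipped_bits_per_byte(OPAD_BYTE))
```

Changing `hash_name` is the "drop in the new module" objective in practice: no other line of `hmac_steps` depends on which hash is used.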
Security of MACs & HMAC

Study from text book
