Message Authentication Code July 2011


Message Authentication Problem
- Message authentication is concerned with:
  - protecting the integrity of a message
  - validating the identity of the originator
- How to detect changes made to a message by an adversary?
- Ancient solution: sign and seal
- Further technique: break into a message part and an authenticator part ("tag")
- How to do this digitally?
  - Create a tag t(M) and send the tag securely

Communication without authentication
[Diagram: Alice sends message M to Bob; Eve, in between, replaces it with M'. Label: shared key k to generate authenticated message.]
- Very easy: Eve can simply change the message

Integrity Protection with MAC
[Diagram: Alice and Bob hold the shared key k. Alice sends M with MAC(k,M) to Bob; Eve wants to send M' but does not know k ("k=??, MAC=??").]
- Eve cannot forge the MAC when k is unknown

MAC Authentication (I)
- A MAC allows two or more mutually trusting parties to authenticate messages sent between members
[Diagram: Alice sends M with MAC(k,M) to Bob; Eve sits in between; key: k.]
- "Only Alice and I know k, so one of us sent M. If I did not send M, then Alice must have sent it."

MAC Authentication (II)
- A MAC allows two or more mutually trusting parties to authenticate messages sent between members
[Diagram: Alice sends M with MAC(k,M) to Bob; Eve sits in between; Chris and Doug also hold key k.]
- "Only Alice, Chris, Doug and I know k, so one of us sent M."

Integrity with Hash
- Can we simply send the hash with the message to provide message authentication?
- Answer: No. Eve can change the message and recompute the hash.
- Using a hash requires a more appropriate procedure to guarantee integrity
[Diagram: Alice sends M with h(M) to Bob, with no shared key; Eve forges M' and computes h(M').]

Message Authentication Code
- A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
- Generated by an algorithm from message + secret key: MAC = C(K,M)
- A small fixed-sized block of data
- Appended to the message as a signature when sent
- Receiver performs the same computation on the message and checks that it matches the MAC
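The two slides above, as an added example that is not part of the original presentation: Bob's check accepts Eve's substituted message when the tag is an unkeyed hash, and rejects it when the tag is a MAC. HMAC-SHA256 stands in for the generic C(K,M); the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-known-to-alice-and-bob"  # constructed sample key k

def hash_tag(msg: bytes) -> bytes:
    """Unkeyed tag h(M): anyone, including Eve, can compute it."""
    return hashlib.sha256(msg).digest()

def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed tag MAC(k, M); HMAC-SHA256 is an assumed choice for C(K, M)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def bob_accepts_hash(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(msg), tag)

def bob_accepts_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Receiver repeats the computation and compares in constant time.
    return hmac.compare_digest(mac_tag(key, msg), tag)

def eve_substitutes(new_msg: bytes):
    """Eve replaces M with M' and attaches the only tag she can compute without k."""
    return new_msg, hash_tag(new_msg)

def run_demo() -> dict:
    m, m_prime = b"transfer 10 to Bob", b"transfer 9999 to Eve"  # constructed messages
    alice_mac = mac_tag(KEY, m)
    forged_msg, forged_tag = eve_substitutes(m_prime)
    return {
        "hash_scheme_untampered": bob_accepts_hash(m, hash_tag(m)),
        "hash_scheme_after_eve": bob_accepts_hash(forged_msg, forged_tag),
        "mac_scheme_untampered": bob_accepts_mac(KEY, m, alice_mac),
        "mac_scheme_after_eve": bob_accepts_mac(KEY, forged_msg, forged_tag),
        "mac_scheme_old_tag_new_msg": bob_accepts_mac(KEY, m_prime, alice_mac),
    }

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:28} accepted={accepted}")
```

The hash scheme accepts the altered message because the tag depends only on public data; both MAC cases after tampering are rejected.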

MAC and Encryption
- As shown, the MAC provides authentication
- But encryption can also provide authentication!
- Why use a MAC?
  - sometimes only authentication is needed
  - sometimes authentication needs to persist longer than the encryption (e.g. archival use)
- Note that a MAC is not a digital signature

MAC Properties
- A MAC is a cryptographic checksum: MAC = C_K(M)
  - condenses a variable-length message M using a secret key K to a fixed-sized authenticator
- A many-to-one function
  - potentially many messages have the same MAC
  - but finding these needs to be very difficult

Keyed Hash Functions as MACs
- Want a MAC based on a hash function because
  - hash functions are generally faster
  - crypto hash function code is widely available
- Need a hash that includes a key along with the message
- But a hash function internally has no key!
- Original proposal: KeyedHash = Hash(Key|Message)
  - some weaknesses were found with this
- Eventually led to the development of HMAC

HMAC
- Hash-based Message Authentication Code
- Developed by Mihir Bellare, Ran Canetti, and Hugo Krawczyk in 1996
- Specified as Internet standard RFC 2104
- Uses a cryptographic hash function in combination with a secret key
- Any hash function can be used, e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
  - HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD-160, HMAC-Whirlpool
- HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols

HMAC Overview
HMAC(K,M) = H( (K+ ⊕ opad) | H( (K+ ⊕ ipad) | M ) )
- Scheme consists of a 2-stage nesting: an inner and an outer hash
- K+ is the expanded key: k padded with zeros on the left so that the result is b bits in length
- Intermediate result of the first hash is padded to increase the complexity of the next hash
- Different "round keys" are generated for each hash
  - Stage 1: k1 = K+ ⊕ ipad
  - Stage 2: k2 = K+ ⊕ opad
- ipad: a string of repeated 0x36
- opad: a string of repeated 0x5C
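The formula above written out step by step and checked against Python's standard `hmac` module, as an added example that is not part of the original slides. It follows RFC 2104, which appends the zero bytes to the end of the key and first hashes any key longer than one block; the function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # the repeated pad bytes from the slide

def hmac_by_hand(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K,M) = H((K+ xor opad) | H((K+ xor ipad) | M)) per RFC 2104."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # block length b, here in bytes
    if len(key) > b:
        key = H(key)                        # over-long keys are hashed first
    k_plus = key.ljust(b, b"\x00")          # K+: zero bytes appended up to b
    k1 = bytes(x ^ IPAD for x in k_plus)    # stage 1 key: K+ xor ipad
    k2 = bytes(x ^ OPAD for x in k_plus)    # stage 2 key: K+ xor opad
    inner = H(k1 + msg)                     # inner hash
    return H(k2 + inner)                    # outer hash

def matches_stdlib(hash_name: str, key: bytes, msg: bytes) -> bool:
    """Compare the hand-built tag with the library's HMAC for the same inputs."""
    reference = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_by_hand(key, msg, hash_name), reference)

def run_checks() -> dict:
    msg = b"constructed sample message"
    # Constructed keys: shorter than, equal to and longer than a 64-byte block.
    keys = {"short": b"k", "block": b"B" * 64, "long": b"L" * 200}
    return {(h, name): matches_stdlib(h, key, msg)
            for h in ("sha1", "sha256", "sha512")
            for name, key in keys.items()}

if __name__ == "__main__":
    for (h, name), ok in run_checks().items():
        print(f"HMAC-{h:6} key={name:5} matches stdlib: {ok}")
```

In production code use the library's HMAC directly; the hand-built version is only there to make the two stages visible.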

Simplified Visualize

CMAC (Cipher-based MAC)
- "Hashless" MAC
- Uses an encryption algorithm (DES, AES, etc.) to generate the MAC
- Based on the same idea as cipher block chaining
- Compresses the result to the size of a single block (unlike encryption)

CMAC Overview
- Message broken into N blocks
- Each block fed into an encryption algorithm with the key
- Result XOR'd with the next block before encryption to make the final MAC

CMAC Facts
- Advantages:
  - Can use existing encryption functions
  - Encryption functions have properties that resist preimage and collision attacks
  - Ciphertext is designed to appear like "random noise", a good approximation of the random oracle model
  - Most exhibit a strong avalanche effect: a minor change in the message gives a great change in the resulting MAC
- Disadvantage:
  - Encryption algorithms (particularly when chained) can be much slower than hash algorithms

Summary
- A hash is used to guarantee the integrity of data; a MAC guarantees integrity AND authentication
- A hash takes a single input, a message, and produces a message digest
- A MAC algorithm takes two inputs, a message and a secret key, and produces a MAC
- An HMAC algorithm is simply a specific type of MAC algorithm that uses a hash algorithm internally to generate the MAC
- A CMAC algorithm is a specific type of MAC algorithm that uses a block cipher internally to generate the MAC