Network Security MAC

The document discusses various requirements for message authentication and techniques for providing authentication. It describes 6 main threats: disclosure, traffic analysis, masquerade, content modification, sequence modification, and timing modification. It then discusses digital signatures and message authentication codes (MACs) as techniques for authenticating messages and countering threats like repudiation, modification, and replay attacks. MACs involve using a secret key to generate an authenticator value appended to the message, while digital signatures also use public/private keys. Both provide assurance of a message's integrity and origin.


Network Security

MAC

Kamalika Bhattacharjee
Message Authentication Requirements
1. Disclosure: Release of message contents to any person or process not possessing the
cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties.
• In a connection-oriented application, the frequency and duration of connections can be
determined.
• In general, the number and length of messages between parties could be determined.
➢ Threats (1) and (2) are countered by message confidentiality.

3. Masquerade: Insertion of messages into the network from a fraudulent source.


• creation of messages by an opponent that are purported to come from an authorized entity.
• fraudulent acknowledgments of message receipt or nonreceipt by someone other than the
message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion,
transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties,
including insertion, deletion, and reordering.
Message Authentication Requirements
6. Timing modification: Delay or replay of messages.
• In a connection-oriented application, an entire session or sequence of messages could be a
replay of some previous valid session, or individual messages in the sequence could be
delayed or replayed.
• In a connectionless application, an individual message (e.g., datagram) could be delayed or
replayed.
➢ Threats (3) through (6) are countered by message authentication.
7. Source repudiation: Denial of transmission of message by source. Countered by a digital signature.
8. Destination repudiation: Denial of receipt of message by destination. Countered by a digital signature
plus a specific protocol.
➢ Message authentication is a procedure to verify that received messages come from the alleged source and
have not been altered.
• It may also verify sequencing and timeliness.

➢ Digital signature is an authentication technique that also includes measures to counter repudiation by source.
• A digital signature technique will also counter some or all of the attacks from (3) through (6).
Message Authentication Requirements
• Any message authentication or digital signature mechanism has two levels of
functionality.
• At the lower level, a function exists that produces an authenticator: a value to be used to
authenticate a message.
• This lower-level function is then used as a primitive in a higher-level authentication protocol
that enables a receiver to verify the authenticity of a message.

• Types of functions generating Authenticator:


• Hash function: A function that maps a message of any length into a fixed-length hash value,
which serves as the authenticator
• Message encryption: The ciphertext of the entire message serves as its authenticator
• Message authentication code (MAC): A function of the message and a secret key that
produces a fixed-length value that serves as the authenticator
Message Encryption
• Can provide a measure of authentication
• Symmetric Encryption

• Confidentiality: If no other party knows the key, then confidentiality is provided: No other party
can recover the plaintext of the message
• Authentication: B is assured that the message was generated by A.
• The message must have come from A, because A is the only other party that possesses K and
therefore the only other party with the information necessary to construct ciphertext that can be
decrypted with K
Message Encryption
• Symmetric Encryption
• Given a decryption function D and a secret key K, the destination will accept any input X and
produce output Y = D(K, X).
• If X is the ciphertext of a legitimate message M produced by the corresponding encryption
function, then Y is some plaintext message M. Otherwise, Y will likely be a meaningless
sequence of bits.
• If the message M can be any arbitrary bit pattern, there is no way to determine
automatically, at the destination, whether an incoming message is the ciphertext of a
legitimate message.
• If M can be any bit pattern, then regardless of the value of X, the value Y = D(K, X) is
some bit pattern and therefore must be accepted as authentic plaintext.
• Authentication is possible only if a small subset of all possible bit patterns is considered
legitimate plaintext.
• Even then it may be difficult to determine automatically whether incoming ciphertext decrypts
to intelligible plaintext, e.g. a binary object file or digitized X-rays.
• An opponent could achieve a certain level of disruption simply by issuing messages with
random content purporting to come from a legitimate user.
Message Encryption
• Symmetric Encryption
• Solution to this problem is to force the plaintext to have some structure
• Append an error-detecting code, a frame check sequence (FCS) or checksum, to each
message before encryption

➢ The order in which the FCS and encryption functions are performed is critical:
• Internal error control: the FCS is computed over the plaintext M and E(K, M || FCS) is sent.
Authentication is provided because an opponent would have difficulty generating ciphertext
that, when decrypted, would have valid error control bits.
• External error control: E(K, M) is computed first and the FCS is appended to the ciphertext.
An opponent can then construct messages with valid error-control codes. Although the opponent
cannot know what the decrypted plaintext will be, he or she can still hope to create confusion
and disrupt operations.
➢ Caveat: a CRC is a linear function of the message, so internal error control only helps against
an opponent who cannot predict how ciphertext changes map to plaintext changes; with a stream
cipher or any XOR-malleable mode the opponent can flip plaintext bits and repair the encrypted CRC.
A keyed MAC, covered next, is what resists an active attacker.
Message Encryption
• Public-key Encryption
• provides confidentiality but not authentication
Message Encryption
• Public-key Encryption
• To provide authentication, A uses its private key to encrypt the message, and B uses A’s public
key to decrypt
• Assume some internal structure to the plaintext so that the receiver can distinguish between
well-formed plaintext and random bits

• Provide authentication through digital signature


Message Encryption
• Public-key Encryption
• Both confidentiality and authentication: A first encrypts with its own private key (the signature
step), then encrypts the result with B's public key; B decrypts with its own private key and then
with A's public key.
• Disadvantage: the public-key algorithm, which is complex, must be exercised four times rather
than two in each communication.
Message Authentication Code
• Use a secret key to generate a small fixed-size block of data, known as a cryptographic checksum
or MAC, that is appended to the message.
• Assumes that two communicating parties, say A and B, share a common secret key K.
• When A has a message to send to B, it calculates the MAC as a function of the message and the
key:
MAC = C(K, M)
Where M = input message, C = MAC function, K = shared secret key,
MAC = message authentication code
Message Authentication Code
• The receiver is assured that the message has not been altered. Because the attacker is assumed
not to know the secret key, the attacker cannot alter the MAC to correspond to the alterations in
the message.
• The receiver is assured that the message is from the alleged sender. Because no one else knows
the secret key, no one else could prepare a message with a proper MAC.
• If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the
receiver can be assured of the proper sequence because an attacker cannot successfully alter the
sequence number.
Message Authentication Code
• Authentication and Confidentiality: the MAC can be combined with encryption in two ways.
• MAC tied to the plaintext: T = C(K1, M) is computed first and E(K2, M || T) is transmitted.
• MAC tied to the ciphertext: E(K2, M) is computed first and T = C(K1, E(K2, M)) is appended.
• The slides (following Stallings) mark tying the authentication to the plaintext as the typically
preferred option. Current practice favours computing the MAC over the ciphertext
(encrypt-then-MAC), because the receiver can reject a forged or modified ciphertext before
decrypting it.
• In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver.
Message Authentication Code
• Situations where MAC is used:
• If same message is broadcast to a number of destinations: It is cheaper and more reliable to
have only one destination responsible for monitoring authenticity. Thus, the message must be
broadcast in plaintext with an associated message authentication code.
• An exchange in which one side has a heavy load and cannot afford time to decrypt all incoming
messages. Authentication is carried out on a selective basis, messages chosen at random
• Authentication of a computer program in plaintext is an attractive service. MAC could be
checked whenever assurance was required of the integrity of the program.
• For some applications, it may not be of concern to keep messages secret, but it is important to
authenticate messages. Example: Simple Network Management Protocol Version 3 (SNMPv3)
• Separation of authentication and confidentiality functions affords architectural flexibility
• A user may wish to prolong the period of protection beyond the time of reception and yet allow
processing of message contents. With message encryption, the message is protected against
fraudulent modifications only in transit but not within the target system.

➢ MAC does not provide a digital signature, because both sender and receiver share the same key.
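The receiver-side checks described above (tag verification, then sequence-number enforcement against replay), as an added example that is not part of the slides. The MAC function C(K, M) is HMAC-SHA256 from the Python standard library; the frame layout (4-byte sequence number || payload || 32-byte tag), the strictly-increasing replay rule and the sample key and payloads are assumptions of this example.

```python
"""Added example: a MAC-protected frame with a sequence number.
C(K, M) = HMAC-SHA256; frame = seq(4 bytes) || payload || tag(32 bytes).
Frame layout, replay rule, key and payloads are constructed for the example."""
import hashlib
import hmac
import struct

TAG_LEN = 32


def protect(key, seq, payload):
    """Sender: tag = C(K, seq || payload); transmit seq || payload || tag."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies the tag before trusting any field, then requires the sequence
    number to increase so a replayed or reordered frame is rejected."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # compare_digest is constant time; a plain == would leak how many
        # leading bytes of a guessed tag were correct.
        if not hmac.compare_digest(tag, expected):
            return None            # content modification or masquerade
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None            # replay / reordering (timing or sequence modification)
        self.last_seq = seq
        return body[4:]


def demo():
    key = b"constructed-shared-secret-K"           # constructed sample key
    rx = Receiver(key)
    good = protect(key, 1, b"transfer 10 to bob")
    results = {"genuine": rx.accept(good)}
    tampered = bytearray(good)
    tampered[4 + len(b"transfer ")] ^= 0x01        # flip one payload bit: "10" -> "00"
    results["tampered"] = rx.accept(bytes(tampered))
    results["replayed"] = rx.accept(good)          # same valid frame again
    results["next"] = rx.accept(protect(key, 2, b"transfer 5 to carol"))
    return results


if __name__ == "__main__":
    for name, payload in demo().items():
        print(f"{name:9s} -> {'accepted ' + payload.decode() if payload else 'rejected'}")
```

The tampered frame still carries a valid-looking sequence number, which is why the tag must be checked first: every field, including the sequence number, is only trustworthy after the MAC verifies.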
Requirements of Message Authentication Code
• A MAC function is similar to encryption. One difference is that the MAC algorithm need not be
reversible, as it must be for decryption.
• In general, the MAC function is a many-to-one function.
• The domain of the function consists of all (key, message) pairs, with messages of some arbitrary
length, whereas the range consists of the 2^n possible n-bit tags; many (key, message) pairs
therefore map to each tag.
MAC = C(K, M)
Where M = input message, C = MAC function, K = shared secret key,
MAC = message authentication code/ fixed-length authenticator/ tag

• Tag is appended to the message at the source at a time when the message is assumed or known
to be correct. The receiver authenticates that message by recomputing the tag.
• If an n-bit MAC is used, then there are 2^n possible MACs, whereas there are N possible
messages with N >> 2^n
• With a k-bit key, there are 2^k possible keys.
Requirements of Message Authentication Code
• If the entire message is encrypted for confidentiality, then a brute-force attack using all possible
keys will require, on average, 2^(k-1) attempts for a k-bit key.
• For a ciphertext-only attack, the opponent, given ciphertext C, performs Pi = D(Ki, C) for all
possible key values Ki until a Pi is produced that matches the form of acceptable plaintext.

• What about MAC?


• If no confidentiality, opponent has access to plaintext messages and their associated MACs
• Suppose key size (k) is greater than the MAC size (n).
• For a known M1 and T1, with T1 = MAC(K, M1), the cryptanalyst can perform Ti = MAC(Ki,
M1) for all possible key values ki.
• At least one key is guaranteed to produce a match of Ti = T1.
• A number of keys will produce the correct tag and the opponent has no way of knowing
which is the correct key.
• On average, a total of 2^k/2^n = 2^(k-n) keys will produce a match. Thus, the opponent must
iterate the attack.
Requirements of Message Authentication Code
• Round 1: given (M1, T1), compute Ti = MAC(Ki, M1) for all 2^k keys; about 2^(k-n) keys match.
• Round 2: given (M2, T2), test only those 2^(k-n) keys; about 2^(k-2n) remain.
• Round i: about 2^(k-in) keys remain. On average, α rounds will be needed, where k = α * n.

➢ Consider an 80-bit key and a 32-bit tag: round 1 tests 2^80 keys and leaves about 2^48
matches, round 2 tests those 2^48 keys and leaves about 2^16, round 3 tests 2^16 keys and
leaves about one, the correct key.

• If the key length is less than or equal to the tag length, then it is likely that the first round will
produce a single match.
• More than one key may produce such a match, in which case the opponent would need to
perform the same test on a new (message, tag) pair.

• Thus, a brute-force attempt to discover the authentication key is no less effort and may be
more effort than that required to discover a decryption key of the same length.
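The round-by-round key search described above, simulated end to end as an added example (not from the slides). The MAC is a toy, truncated SHA-256 over key || message, so that all 2^k keys can be enumerated; k = 12 and n = 4 are chosen so that k = 3n and three rounds are expected. The true key and the observed messages are constructed.

```python
"""Added example: exhaustive key search against a MAC with k > n, iterated
over several observed (message, tag) pairs. Toy parameters k = 12, n = 4."""
import hashlib

K_BITS, N_BITS = 12, 4


def toy_mac(key, message):
    """n-bit tag from a k-bit key and a message (stand-in for MAC = C(K, M))."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + message).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << N_BITS) - 1)


def expected_survivors(k, n, rounds):
    """Keys expected to agree with `rounds` observed pairs: 2^(k - rounds*n), at least 1."""
    return 2 ** max(k - rounds * n, 0)


def key_search(pairs):
    """Round 1 tests all 2^k keys against (M1, T1); each later round retests only
    the survivors. Returns the list of surviving keys after every round."""
    candidates = range(1 << K_BITS)
    history = []
    for message, tag in pairs:
        candidates = [key for key in candidates if toy_mac(key, message) == tag]
        history.append(candidates)
    return history


def demo(true_key=0x9A7):
    """What the opponent sees: four plaintext messages and their tags under one key."""
    messages = [b"pair-1", b"pair-2", b"pair-3", b"pair-4"]
    pairs = [(m, toy_mac(true_key, m)) for m in messages]
    return key_search(pairs)


if __name__ == "__main__":
    for i, survivors in enumerate(demo(), 1):
        print(f"round {i}: {len(survivors):4d} candidate keys "
              f"(expected about {expected_survivors(K_BITS, N_BITS, i)})")
    print("80-bit key, 32-bit tag, survivors per round:",
          [expected_survivors(80, 32, r) for r in (1, 2, 3)])
```

The true key survives every round by construction; what the simulation shows is that each extra (message, tag) pair removes a factor of about 2^n of the false candidates, so the total work is dominated by the first round's 2^k trials.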
Requirements of Message Authentication Code
• However, other attacks that do not require the discovery of the key are possible.
• Consider message M = (X1 ||X2|| … ||Xm), a concatenation of 64-bit blocks Xi.
• Define Δ(M) = X1 ⊕X2 ⊕ … ⊕Xm
MAC(K, M) = E(K, Δ(M))
where ⊕ is the exclusive-OR (XOR) operation and encryption algorithm is DES
• So, key length is 56 bits, and tag length is 64 bits.
• If an opponent observes {M||MAC(K, M)}, a brute-force attempt to determine K will require at
least 2^{56} encryptions.
• Opponent can attack by replacing X1 through Xm-1 with any desired values Y1 through Ym-1 and
replacing Xm with Ym, where Ym is calculated as
Ym = Y1 ⊕Y2 ⊕ … ⊕Ym-1⊕ Δ(M)
The opponent can now concatenate the new message, using the original tag to form a message that
will be accepted as authentic by the receiver.
With this tactic, any message of length 64 * (m - 1) bits can be fraudulently inserted.
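The forgery above carried out in code, as an added example that is not part of the slides. The slides use DES for E; because the attack never evaluates E, this example substitutes a keyed 64-bit pseudorandom function (HMAC-SHA256 truncated to 8 bytes) as a stand-in for the block cipher, and the key and messages are constructed. Both substitutions are assumptions of the example.

```python
"""Added example: forging MAC(K, M) = E(K, Δ(M)) without knowing K.
E is a stand-in for DES (HMAC-SHA256 truncated to 64 bits); the attack does
not depend on which cipher E is."""
import hashlib
import hmac
import os

BLOCK = 8   # 64-bit blocks, as in the slides


def E(key, block):
    """Stand-in for single-block DES encryption under K (assumption of this example)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def blocks(message):
    assert len(message) % BLOCK == 0, "message must be a whole number of 64-bit blocks"
    return [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def delta(message):
    """Δ(M) = X1 ⊕ X2 ⊕ ... ⊕ Xm (the all-zero block for an empty message)."""
    acc = bytes(BLOCK)
    for x in blocks(message):
        acc = xor_bytes(acc, x)
    return acc


def xor_mac(key, message):
    return E(key, delta(message))


def forge(message, chosen_prefix):
    """Attacker chooses Y1..Ym-1 freely and sets Ym = Y1 ⊕ ... ⊕ Ym-1 ⊕ Δ(M),
    so Δ(forged) == Δ(M) and the original tag still verifies."""
    assert len(chosen_prefix) == len(message) - BLOCK
    ym = xor_bytes(delta(chosen_prefix), delta(message))
    return chosen_prefix + ym


def demo():
    key = os.urandom(8)                                  # never given to the forger
    original = b"pay 0001" + b"to alice" + b"ref 4242"   # three constructed 64-bit blocks
    tag = xor_mac(key, original)                         # observed on the wire
    forged = forge(original, b"pay 9999" + b"to mallo")  # attacker's choice of Y1, Y2
    return original, forged, xor_mac(key, forged) == tag


if __name__ == "__main__":
    original, forged, accepted = demo()
    print("forged message:", forged)
    print("accepted by receiver with the original tag:", accepted)
```

Only the last block Ym is dictated by the attack; the first m-1 blocks, 64*(m-1) bits, are entirely attacker-controlled, which is the quantity the slides state. The weakness is in the linear Δ, not in the cipher, which is why requirement (1) on the next slide is phrased in terms of finding M′ with the same tag rather than in terms of recovering K.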
Requirements of Message Authentication Code
1. If an opponent observes M and MAC(K, M), it should be computationally infeasible for the
opponent to construct a message M′ such that MAC(K, M′) = MAC(K, M)
• The case when an opponent is able to construct a new message to match a given tag, even though the
opponent does not know and does not learn the key.

2. MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages, M
and M′, the probability that MAC(K, M) = MAC(K, M′) is 1/2^n, where n is the number of bits in the tag.
• The need to thwart a brute-force attack based on chosen plaintext. If the MAC function exhibits uniform
distribution, then a brute-force method would require, on average, 2^(n-1) attempts before finding a
message that fits a given tag.

3. Let M′ be equal to some known transformation on M. That is, M′ = f(M). Then,
Pr[MAC(K, M) = MAC(K, M′)] = 1/2^n.
• The authentication algorithm should not be weaker with respect to certain parts or bits of message than
others. An opponent who had M and MAC(K, M) should not be able to find variations on M at the known
“weak spots” with a likelihood of early success at producing a new message that matched the old tags.
Security of Message Authentication Code
• Brute-force Attacks
• A more difficult undertaking than a brute-force attack on a hash function, because it requires
known message-tag pairs (which depend on the secret key) rather than purely offline work.
• Compare the hash case: given a fixed message x with n-bit hash code h = H(x), a brute-force
method of finding a collision with x is to pick a random bit string y and check whether H(y) = H(x).
• The attacker can do this repeatedly off line, with no involvement of the legitimate parties.

• The attacker would like to come up with the valid MAC code for a given message x.
• Two lines of attack possible:
• attack the key space
• attack the MAC value
Security of Message Authentication Code
• Brute-force Attacks
• If an attacker can determine the MAC key, then it is possible to generate a valid MAC value
for any input x.
• Suppose the key size is k bits and that the attacker has one known text-tag pair. Then the
attacker can compute the n-bit tag on the known text for all possible keys.
• At least one key is guaranteed to produce the correct tag, namely, the valid key that was
initially used to produce the known text-tag pair.
• This phase of the attack takes a level of effort proportional to 2^k
• MAC is a many-to-one mapping, other keys may also produce the correct value.
• Thus, if more than one key is found to produce the correct value, additional text-tag pairs
must be tested.
• It can be shown that the level of effort drops off rapidly with each additional text-MAC pair
and that the overall level of effort is roughly 2^k.
Security of Message Authentication Code
• Brute-force Attacks
• An attacker can also work on the tag without attempting to recover the key.
• Objective: generate a valid tag for a given message or find a message that matches a given tag
• level of effort is comparable to that for attacking one-way or weak collision-resistant property
of a hash code, that is 2^n.
• The attack cannot be conducted off line without further input; the attacker will require chosen
text-tag pairs or knowledge of the key.
➢ Level of effort for brute-force attack on a MAC algorithm is min(2^k, 2^n). The key length and tag
length should satisfy a relationship such as min(k, n) >= N, where N is in the range of 128 bits.

• Cryptanalysis:
• seek to exploit some property of the algorithm to perform some attack other than an
exhaustive search.
• The way to measure the resistance of a MAC algorithm to cryptanalysis is to compare its
strength to the effort required for a brute-force attack.
• An ideal MAC algorithm requires effort greater than or equal to the brute-force effort.
Cryptographic Hash Functions
• A hash function H accepts a variable-length block of data M as input and
produces a fixed-size hash value h = H(M).
• A “good” hash function has the property that the results of applying the function
to a large set of inputs will produce outputs that are evenly distributed and
apparently random
• The principal object of a hash function is data integrity. A change to any bit or
bits in M results, with high probability, in a change to the hash value.
• Iterated Hash Function
• All cryptographic hash functions need to create a fixed-size digest out of a variable-
size message. This is best accomplished using iteration.
• Instead of using a hash function with variable-size input, a function with fixed-size
input is created and is used a necessary number of times.
• The fixed-size input function is referred to as a compression function. It compresses
an n-bit string to create an m-bit string where n is normally greater than m.
• The scheme is referred to as an iterated cryptographic hash function.
Merkle-Damgard Scheme
• Iterated Hash Function
• One basic requirement is that it should be computationally infeasible to find two
distinct messages that hash to the same value.
• It is collision resistant if the compression function is collision resistant
Merkle-Damgard Scheme
Two Groups of Compression Functions
• We can design a compression function that is collision resistant and insert it in
the Merkle-Damgard scheme.
• Two Approaches:
• First, the compression function is made from scratch: it is particularly
designed for this purpose.
• Message Digest (MD), Secure Hash Algorithm (SHA), RACE Integrity Primitives Evaluation
Message Digest (RIPEMD)
• HAVAL is a variable-length hashing algorithm with a message digest of size 128, 160, 192,
224, and 256. The block size is 1024 bits

• Second, a symmetric-key block cipher serves as a compression function.


• Rabin Scheme, Davies-Meyer Scheme, Matyas-Meyer-Oseas Scheme, Miyaguchi-Preneel
Scheme
Message Digest (MD)
• Several hash algorithms designed by Ron Rivest.
• Referred to as MD2, MD4, and MD5, where MD stands for Message Digest.
• Last version, MD5, divides the message into blocks of 512 bits and creates a 128-
bit digest.
• One basic requirement of any cryptographic hash function is that it should
be computationally infeasible to find two distinct messages that hash to the same
value.
• MD5 fails this requirement catastrophically; such collisions can be found in
seconds on an ordinary home computer.
• A message digest of size 128 bits is too small to resist collision attack.
Message Digest 5 (MD5)
• The input message is broken up into chunks of 512-bit blocks (sixteen 32-
bit words); the message is padded so that its length is divisible by 512.
• Padding Technique
• First, a single bit, 1, is appended to the end of the message.
• This is followed by as many zeros as are required to bring the length of the
message up to 64 bits fewer than a multiple of 512.
• The remaining bits are filled up with 64 bits representing the length of the
original message, modulo 2^64.
• Algorithm operates on a 128-bit state, divided into four 32-bit words,
denoted A, B, C, and D. These are initialized to certain fixed constants.
• It uses each 512-bit message block in turn to modify the state.
• The processing of a message block consists of four similar stages (rounds).
Message Digest 5 (MD5)
• MD5 consists of 64 of these operations, grouped in four rounds of
16 operations.
• F is a nonlinear function; one function is used in each round.

• Mi denotes a 32-bit word of the message block, and Ki denotes a
32-bit constant, different for each operation.
• <<<s denotes a left bit rotation by s places; s varies for each
operation.
• ⊞ denotes addition modulo 2^32.
[Figure: one MD5 operation]
Secure Hash Algorithm (SHA)
• Standard developed by the National Institute of Standards and Technology (NIST)
and published as a Federal Information Processing Standard (FIPS 180).
• Sometimes referred to as the Secure Hash Standard (SHS). Its design follows Rivest's
MD4/MD5 family.
• All versions (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) have the same iterated
structure; they differ in word size, block size, digest size and number of rounds.
SHA-512
• SHA-512 creates a digest of 512 bits from a multiple-block message. Each block is
1024 bits in length.
• SHA-512 insists that the length of the original message be less than 2^128 bits.
• Exercise: how many pages are occupied by a message of 2^128 bits, with a page size of
2048 bits? 2^128 / 2^11 = 2^117 pages.
[Figure: message digest creation in SHA-512]
SHA-512
• Length Field and Padding:
• Before the message digest can be created, SHA-512 requires the addition of a 128-bit
unsigned-integer length field to the message that defines the length of the original message
in bits.
• Before the addition of the length field, we need to pad the original message so that the
total length (message + padding + length field) is a multiple of 1024.
• The length of the padding field can be calculated as follows. Let |M| be the length of the
original message and |P| be the length of the padding field:
|P| = (−|M| − 128) mod 1024
• The format of the padding is one 1 followed by the necessary number of 0s.
• Exercise: what is the number of padding bits if the length of the original message is 2590 bits?
|P| = (−2590 − 128) mod 1024 = 354 bits; check: 2590 + 354 + 128 = 3072 = 3 × 1024.
SHA-512
• SHA-512 is word-oriented. Each block is 16 words; the digest is only 8 words.

• Before processing, each message block must be expanded.


• A block is made of 1024 bits, or sixteen 64-bit words. We need 80 words in the
processing phase. So the 16-word block needs to be expanded to 80 words
• The 1024-bit block becomes the first 16 words; the rest of the words come from
already-made words according to the operation
SHA-512
• Word expansion in SHA-512: W_t = M_t for 0 ≤ t ≤ 15, and for 16 ≤ t ≤ 79
W_t = σ1(W_{t−2}) ⊞ W_{t−7} ⊞ σ0(W_{t−15}) ⊞ W_{t−16},
where σ0(x) = RotR1(x) ⊕ RotR8(x) ⊕ ShR7(x) and σ1(x) = RotR19(x) ⊕ RotR61(x) ⊕ ShR6(x).
• RotR_i(x) is a circular right shift by i bits; ShR_i(x) is an ordinary (non-circular) right shift.
SHA-512
• Message Digest Initialization

• The values are calculated from the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, and 19).
• Each value is the fraction part of the square root of the corresponding prime number after
converting to binary and keeping only the first 64 bits.
• Example: the eighth prime is 19, with square root 4.35889894354…. Keeping only the first
64 bits of the fraction part gives 0x5BE0CD19137E2179 in hexadecimal, the initial value of
the eighth buffer (H).
• SHA-512 keeps the fraction part as an unsigned integer.
SHA-512
• Compression Function
• Creates a 512-bit (eight 64-bit words)
message digest from a multiple-block
message where each block is 1024
bits.
• In each round, the contents of eight
previous buffers, one word from the
expanded block (Wi), and one 64-bit
constant (Ki) are mixed together and
then operated on to create a new set
of eight buffers.
• At the beginning of processing, the
values of the eight buffers are saved
into eight temporary variables.
• At the end of processing (after
step 79), the saved values are added
(modulo 2^64) to the values produced by
step 79 to form the next chaining value.
SHA-512
• Majority function takes three corresponding
bits in three buffers (A, B, and C) and
calculates Maj(A, B, C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C).
• The resulting bit is the majority of the three bits:
if two or three bits are 1's, the resulting bit is
1; otherwise it is 0.
• Conditional function takes three
corresponding bits in three buffers (E, F, and
G) and calculates Ch(E, F, G) = (E ∧ F) ⊕ (¬E ∧ G):
if the E bit is 1 the result is the F bit, otherwise the G bit.
• Rotate functions: Σ0(A) = RotR28(A) ⊕ RotR34(A) ⊕ RotR39(A) and
Σ1(E) = RotR14(E) ⊕ RotR18(E) ⊕ RotR41(E).
SHA-512
• The values of 80 constants are calculated
from the first 80 prime numbers (2, 3,…, 409).
• Each value is the fraction part of the cubic
root of the corresponding prime number after
converting it to binary and keeping only the
first 64 bits

• With a message digest of 512 bits, SHA-512
is expected to be resistant to all attacks,
including collision attacks.
• It has been claimed that this version’s
improved design makes it more efficient and
more secure than the previous versions.
However, more research and testing are
needed to confirm this claim
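The SHA-512 slides above (constants from prime roots, padding and length field, 16-to-80 word expansion, majority/conditional/rotate functions, 80-round compression with the feed-forward addition) assembled into a working implementation, as an added example that is not part of the slides. It uses only the Python standard library and checks itself against hashlib.sha512; the test messages are constructed.

```python
"""Added example (not from the slides): SHA-512 built from the pieces the
slides describe, checked against hashlib. Initial values come from the square
roots of the first 8 primes, the 80 round constants from the cube roots of the
first 80 primes, padding is 1, zeros, then a 128-bit length field, each block
is expanded from 16 to 80 words, and the compression function runs 80 rounds."""
import hashlib
import math

MASK64 = (1 << 64) - 1


def first_primes(count):
    """The first `count` primes by trial division (2, 3, 5, ..., 409 for count=80)."""
    primes = []
    candidate = 2
    while len(primes) < count:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def icbrt(n):
    """floor(cube root of n) for a big integer n, by Newton's method."""
    x = 1 << ((n.bit_length() + 2) // 3)      # starts above the root, descends to the floor
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Fraction part of sqrt(p), first 64 bits: floor(sqrt(p * 2^128)) carries 64 fraction bits.
H0 = [math.isqrt(p << 128) & MASK64 for p in first_primes(8)]
# Fraction part of cbrt(p), first 64 bits, for the 80 round constants K_t.
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]


def rotr(x, n):
    """Circular right shift of a 64-bit word (RotR_n in the slides)."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def padding_bits(message_bits):
    """|P| = (-|M| - 128) mod 1024: length of the 1-then-0s padding."""
    return (-message_bits - 128) % 1024


def pad(message):
    """Append 0x80 (the single 1 bit), zeros, then the 128-bit big-endian bit
    length, so the result is a whole number of 1024-bit blocks."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + bit_len.to_bytes(16, "big")


def expand(block):
    """Word expansion: the 16 words of a block become W[0..79]."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    return w


def compress(state, block):
    """80 rounds over buffers a..h, then add the saved input buffers back in."""
    a, b, c, d, e, f, g, h = state
    w = expand(block)
    for t in range(80):
        big_sigma1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
        ch = (e & f) ^ ((~e & MASK64) & g)                  # conditional function
        t1 = (h + big_sigma1 + ch + K[t] + w[t]) & MASK64
        big_sigma0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)                   # majority function
        t2 = (big_sigma0 + maj) & MASK64
        h, g, f, e = g, f, e, (d + t1) & MASK64
        d, c, b, a = c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha512(message):
    state = H0
    padded = pad(message)
    for i in range(0, len(padded), 128):
        state = compress(state, padded[i:i + 128])
    return b"".join(word.to_bytes(8, "big") for word in state)


def check_against_hashlib(message):
    return sha512(message) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    print("padding bits for a 2590-bit message:", padding_bits(2590))
    print("H0[7] = %#x, K[79] = %#x" % (H0[7], K[79]))
    for msg in (b"", b"abc", b"x" * 111, b"x" * 112, b"constructed input " * 20):
        print(len(msg), "bytes:", check_against_hashlib(msg))
```

The 111- and 112-byte inputs sit on either side of the padding boundary (a 112-byte message needs a second block for its length field), which is where hand-written padding code most often goes wrong.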
RIPEMD
• RACE Integrity Primitives Evaluation Message
Digest (RIPEMD)
• RIPEMD-160
• uses the same structure as MD5 but uses two
parallel lines of execution
• used in the Bitcoin standard.
• It is a strengthened version of the original RIPEMD
algorithm, which produces a 128-bit hash digest,
while RIPEMD-160 produces a
160-bit output.
• The compression function consists of 80 steps
made up of 5 rounds of 16 steps each.
• This pattern runs twice (the two parallel lines) with the results
combined at the bottom using addition modulo 2^32.
[Figure: a sub-block from the compression function
of the RIPEMD-160 hash algorithm]
RIPEMD-160
[Figure: a sub-block from the compression function]
Round constants K (left line / right line):
Round 1: 0x00000000 / 0x50A28BE6
Round 2: 0x5A827999 / 0x5C4DD124
Round 3: 0x6ED9EBA1 / 0x6D703EF3
Round 4: 0x8F1BBCDC / 0x7A6D76E9
Round 5: 0xA953FD4E / 0x00000000
[Figure: the full compression function]
Hash Functions Based on Block Ciphers
• An iterated cryptographic hash function can use a symmetric-key block cipher as
a compression function.
• Idea is to use from the several secure symmetric-key block ciphers, such as triple
DES or AES, to make a one-way function instead of creating a new compression
function
• The block cipher in this case only performs encryption
• Example: Whirlpool
Rabin Scheme
• based on the Merkle-Damgard scheme.
• The compression function is replaced by any encrypting cipher.
• Message block is used as the key; the previously created digest is used as the plaintext. The
ciphertext is the new message digest.
• Size of the digest is the size of data block cipher in the underlying cryptosystem. For example, if
DES is used as the block cipher, the size of the digest is only 64 bits.

➢ Although the scheme is very simple, it is subject to a meet-in-the-middle attack, because
the adversary can use the decryption algorithm of the cryptosystem.
Davies-Meyer Scheme
• Same as the Rabin scheme except that it uses forward feed to protect against
meet-in-the-middle attack
Matyas-Meyer-Oseas Scheme
• It is a dual version of the Davies-Meyer scheme: the digest block is used as the
key to the cryptosystem.
• The scheme can be used if the data block and the cipher key are the same size.
AES is a good candidate.
Miyaguchi-Preneel Scheme
• It is an extended version of Matyas-Meyer-Oseas.
• To make the algorithm stronger against attack, the plaintext, the cipher key, and
the ciphertext are all exclusive-ored together to create the new digest.
• This is the scheme used by the Whirlpool hash function
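The four block-cipher compression functions from the slides (Rabin, Davies-Meyer, Matyas-Meyer-Oseas, Miyaguchi-Preneel) over one shared E(key, block), plus the meet-in-the-middle attack that the Rabin slide warns about, as an added example that is not part of the slides. The block cipher is a 16-bit toy Feistel network (key and block both 16 bits, so it also meets the "same size" condition of Matyas-Meyer-Oseas); it exists only so that the attack finishes instantly and is not a real cipher. The initial digest value and the legitimate message are constructed.

```python
"""Added example: block-cipher-based compression functions and the
meet-in-the-middle attack on the Rabin scheme. The cipher is a toy
16-bit Feistel network, not a real block cipher."""
import hashlib

BITS = 16
MASK = (1 << BITS) - 1
IV = 0x1234                 # constructed initial digest value


def _round(key, half, rnd):
    """8-bit round function derived from SHA-256 (toy; not a real cipher component)."""
    return hashlib.sha256(bytes([rnd]) + key.to_bytes(2, "big") + bytes([half])).digest()[0]


def encrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _round(key, r, rnd)
    return (l << 8) | r


def decrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, l, rnd), l
    return (l << 8) | r


# Compression functions: h = previous digest, m = current message block.
def rabin(h, m):
    return encrypt(m, h)                 # message block is the key, digest is the plaintext

def davies_meyer(h, m):
    return encrypt(m, h) ^ h             # forward feed: no longer invertible in h

def matyas_meyer_oseas(h, m):
    return encrypt(h, m) ^ m             # digest is the key (key size must equal block size)

def miyaguchi_preneel(h, m):
    return encrypt(h, m) ^ m ^ h         # the construction used by Whirlpool


def iterated_hash(compress, message_blocks, iv=IV):
    """Merkle-Damgard iteration of a compression function over 16-bit blocks."""
    h = iv
    for m in message_blocks:
        h = compress(h, m)
    return h


def rabin_meet_in_the_middle(target, iv=IV, budget=1024):
    """Find a 2-block message (x, y) with Rabin-hash(x, y) == target.
      forward:  h1 = E(x, iv)      for candidate first blocks x
      backward: h1 = D(y, target)  for candidate second blocks y (uses decryption!)
    Any value in both lists gives a preimage with ~2*budget cipher calls
    instead of ~2^BITS, which is the slide's objection to the scheme."""
    forward = {encrypt(x, iv): x for x in range(budget)}
    for y in range(budget, 2 * budget):
        h1 = decrypt(y, target)
        if h1 in forward:
            return forward[h1], y
    return None


def demo():
    legit = [0xBEEF, 0xCAFE]             # constructed legitimate 2-block message
    target = iterated_hash(rabin, legit)
    found = rabin_meet_in_the_middle(target)
    return legit, target, found


if __name__ == "__main__":
    legit, target, found = demo()
    print(f"Rabin hash of {legit}: {target:#06x}; preimage found: {found}")
    for name, fn in [("Davies-Meyer", davies_meyer), ("MMO", matyas_meyer_oseas),
                     ("Miyaguchi-Preneel", miyaguchi_preneel)]:
        print(f"{name}: {iterated_hash(fn, legit):#06x}")
```

The backward step is what the feed-forward removes: with Davies-Meyer the attacker would have to invert h ↦ E(y, h) ⊕ h, which is not a decryption, so the same two-list search is no longer available. The 16-bit toy makes the search trivial either way; the point is the work factor ratio, not the absolute numbers.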
MACs BASED ON HASH FUNCTIONS
• In recent years, there has been increased interest in developing a MAC derived
from a cryptographic hash function. The motivations for this interest are
• Cryptographic hash functions such as MD5 and SHA generally execute faster in software than
symmetric block ciphers such as DES.
• Library code for cryptographic hash functions is widely available
• A hash function such as SHA was not designed for use as a MAC and cannot be
used directly for that purpose, because it does not rely on a secret key.
• There have been a number of proposals for the incorporation of a secret key into
an existing hash algorithm. Most supported approach is HMAC.
• HMAC has been issued as RFC 2104, has been chosen as the mandatory-to-implement MAC
for IP security, and is used in other Internet protocols, such as SSL.
• HMAC has also been issued as a NIST standard (FIPS 198).
HMAC: Design Objectives
• To use, without modifications, available hash functions. In particular, to use hash
functions that perform well in software and for which code is freely and widely
available. ➢ HMAC treats the hash function as a “black box”
• To allow for easy replaceability of the embedded hash function in case faster or
more secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring a
significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the
authentication mechanism based on reasonable assumptions about the
embedded hash function.
➢ This is the main advantage of HMAC. HMAC can be proven secure provided
that the embedded hash function has some reasonable cryptographic strengths
HMAC: Algorithm
• K+ is the key K padded with zeros so that the result is b bits long (b = block size of the
embedded hash function); a key longer than b bits is first hashed down to n bits.
• ipad = 00110110 (0x36) repeated b/8 times; opad = 01011100 (0x5C) repeated b/8 times.
• Si = K+ ⊕ ipad and So = K+ ⊕ opad.
• HMAC(K, M) = H[So || H[Si || M]]
• XOR with ipad and opad results in flipping one-half of the bits of K (each pad byte has
four 1 bits).
• By passing Si and So through the compression function of the hash
algorithm, two keys are pseudorandomly generated from K.
• f(cv, block) is the compression function for the hash function, which takes as
arguments a chaining variable of n bits and a block of b bits and produces a chaining
variable of n bits.
• These quantities, f(IV, Si) and f(IV, So), only need to be computed initially and every time
the key changes.
➢ Compared with hashing the message alone, only one additional instance of the compression
function is added per message.
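HMAC built from the ipad/opad definition on top of a black-box hash, as an added example that is not part of the slides, checked against the Python standard library's hmac module. The embedded hash is SHA-256 (b = 64 bytes, n = 32 bytes); the sample keys and messages are constructed. The precomputed f(IV, Si) and f(IV, So) trick is not shown, because hashlib does not expose the compression function.

```python
"""Added example: HMAC from its definition, H[So || H[Si || M]], with the
hash treated as a black box, compared against the hmac module."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C


def hmac_from_definition(key, message, hash_fn=hashlib.sha256):
    b = hash_fn().block_size                     # b: block size of the embedded hash, in bytes
    if len(key) > b:                             # keys longer than b bytes are hashed first
        key = hash_fn(key).digest()
    k_plus = key.ljust(b, b"\x00")               # K+: key padded with zeros to b bytes
    s_i = bytes(x ^ IPAD for x in k_plus)        # Si = K+ XOR ipad
    s_o = bytes(x ^ OPAD for x in k_plus)        # So = K+ XOR opad
    inner = hash_fn(s_i + message).digest()      # H(Si || M)
    return hash_fn(s_o + inner).digest()         # H(So || H(Si || M))


def verify(key, message, tag):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_definition(key, message), tag)


def matches_stdlib(key, message):
    """True when the hand-built HMAC agrees with hmac.new for this key and message."""
    reference = hmac.new(key, message, hashlib.sha256).digest()
    return hmac_from_definition(key, message) == reference


def bits_flipped_per_byte():
    """Each pad byte has four 1 bits, so XOR with ipad/opad flips half the bits of K+."""
    return bin(IPAD).count("1"), bin(OPAD).count("1")


if __name__ == "__main__":
    for key in (b"k" * 16, b"k" * 64, b"k" * 100):     # short, block-sized and long keys
        print(len(key), "byte key matches hmac module:", matches_stdlib(key, b"constructed message"))
    tag = hmac_from_definition(b"key", b"message")
    print("verify genuine:", verify(b"key", b"message", tag))
    print("verify altered:", verify(b"key", b"messagf", tag))
    print("bits flipped per pad byte:", bits_flipped_per_byte())
```

Compared with the naive keyed hash H(K || M), the outer hash over So is what stops the length-extension trick on Merkle-Damgård hashes: an attacker who knows H(Si || M) cannot extend it, because the tag is the hash of that value under a second, secret-derived prefix.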
Efficient Implementation of HMAC
HMAC: Security
• Depends in some way on the cryptographic strength of the underlying hash
function.
• The security is expressed in terms of the probability of successful forgery
with a given amount of time spent by the forger and a given number of
message-tag pairs created with the same key.
• Proved: for a given level of effort (time, message–tag pairs) on messages
generated by a legitimate user and seen by the attacker, the probability of
successful attack on HMAC is equivalent to one of the following attacks on
the embedded hash function.
• The attacker is able to compute an output of the compression function even with an
IV that is random, secret, and unknown to the attacker.
• The attacker finds collisions in the hash function even when the IV is random and
secret.
HMAC: Security
• First Case:
• The attacker is able to compute an output of the compression function even
with an IV that is random, secret, and unknown to the attacker.
• Compression function as equivalent to the hash function applied to a
message consisting of a single b-bit block.
• For this attack, the IV of the hash function is replaced by a secret, random
value of n bits.
• An attack on this hash function requires either a brute-force attack on the key,
which is a level of effort on the order of 2^n, or a birthday attack
HMAC: Security
• Second Case: The attacker finds collisions in the hash function
even when the IV is random and secret.
• Attacker is looking for two messages M and M′ that produce the same
hash: H(M) = H(M′), known as a Birthday Attack.
• The effort required is explained by a mathematical result referred to as
the birthday paradox.
• Counterintuitively, the probability that at least two people share a birthday exceeds
50% in a group of only 23 people, and is around 70% for a group of 30.
• If we choose random variables from a uniform distribution in the range
0 through n − 1, then the probability that a repeated element is
encountered exceeds 0.5 after about √n choices have been made.
• For an m-bit hash value, if we pick data blocks at random, we can
expect to find two data blocks with the same hash value within about
√(2^m) = 2^(m/2) attempts.
HMAC: Security
• Second Case:
• On this basis, does this mean that a 128-bit hash function such as MD5 is unsuitable for
HMAC?
• No!
• To attack MD5, the attacker can choose any set of messages and work on these off line on a
dedicated computing facility to find a collision.
• Attacker knows the hash algorithm and the default IV, the attacker can generate the hash
code for each of the messages that the attacker generates.
• To attack HMAC, the attacker cannot generate message/ code pairs off line because the
attacker does not know K.
• Therefore, the attacker must observe a sequence of messages generated by HMAC under the
same key and perform the attack on these known messages.
• For a hash code length of 128 bits, this requires observing 2^64 message blocks (2^72 bits)
generated using the same key.
• On a 1-Gbps link, that is a continuous stream of messages with no change in key for about
150,000 years!
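The numbers behind the two HMAC security slides above, as an added example that is not part of the slides: the birthday probability for 23 and 30 people, the 2^(m/2) rule, the 2^72-bits-on-a-1-Gbps-link estimate, and a small empirical collision search on a truncated SHA-256 that shows the 2^(m/2) behaviour. The seed string and the truncation width are constructed for the example.

```python
"""Added example: birthday-paradox arithmetic and an empirical collision
search on an m-bit truncation of SHA-256."""
import hashlib


def birthday_probability(people, days=365):
    """P(at least one shared birthday) = 1 - prod_{i<people} (1 - i/days)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1 - p_all_distinct


def expected_trials(m_bits):
    """Random inputs needed before a repeated m-bit hash becomes likely: sqrt(2^m) = 2^(m/2)."""
    return 2 ** (m_bits / 2)


def years_to_observe(bits, link_bps=1e9):
    """Time to watch `bits` of traffic go by on a link, in years."""
    return bits / link_bps / (365.25 * 24 * 3600)


def truncated_hash(data, m_bits):
    """First m bits of SHA-256(data) as an integer (m <= 64)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") >> (64 - m_bits)


def find_collision(m_bits, seed=b"constructed"):
    """Try inputs seed||0, seed||1, ... until two share the same m-bit truncated hash.
    Returns (number of hashes computed, first input, second input)."""
    seen = {}
    for i in range(1 << m_bits):           # pigeonhole bound; a repeat must occur by here
        x = seed + i.to_bytes(8, "big")
        h = truncated_hash(x, m_bits)
        if h in seen:
            return i + 1, seen[h], x
        seen[h] = x
    raise RuntimeError("unreachable: a collision exists within 2^m + 1 inputs")


if __name__ == "__main__":
    print("23 people: %.3f, 30 people: %.3f" % (birthday_probability(23), birthday_probability(30)))
    print("128-bit hash: 2^(m/2) = %.3g trials" % expected_trials(128))
    print("2^72 bits at 1 Gbps: %.0f years" % years_to_observe(2 ** 72))
    trials, a, b = find_collision(24)
    print("24-bit collision after %d hashes (2^12 = 4096 expected scale): %s / %s" % (trials, a, b))
```

The offline search in find_collision is what an attacker can do against a bare hash with a known IV; the last slide's point is that against HMAC the attacker cannot generate the (message, tag) pairs themselves, so the 2^(m/2) pairs must be observed on the wire under one key, which is what turns 2^64 into the 150,000-year figure.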
