Unit 5

Uploaded by

bffs814
Cryptography and Network Security

Unit – 6

Chapter 12 – Message Authentication Codes

Reference: Cryptography and Network Security, 5/e or 6/e, by William Stallings

Security Requirements
In the context of communications across a network, the following
attacks can be identified:

• Disclosure - Release of message contents to any person or process not possessing the appropriate cryptographic key.

• Traffic analysis - Discovery of the pattern of traffic between parties.

• Masquerade - Insertion of messages into the network from a fraudulent source.

• Content modification - Changes to the content of the message, including insertion, deletion, transposition, and modification.

• Sequence modification - Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

• Timing modification - Delay or replay of messages.

• Source repudiation - Denial of transmission of message by source.

• Destination repudiation - Denial of receipt of message by destination.
Message Authentication
• message authentication is concerned with:
– protecting the integrity of a message
– validating identity of originator
– non-repudiation of origin (dispute resolution)
• will consider the security requirements
• then three alternative functions used:
– message encryption - The ciphertext of the entire message serves as its authenticator.
– message authentication code (MAC) - A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
– hash function - A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
Message Encryption
• message encryption by itself also provides a
measure of authentication
• if symmetric encryption is used then:
– receiver knows sender must have created it
– since only sender and receiver know the key used
– receiver knows content cannot have been altered
– if message has suitable structure, redundancy or a checksum to detect any changes
Message Encryption
• if public-key encryption is used:
– encryption provides no confidence of sender
– since anyone potentially knows public-key
– however if
• sender signs message using their private-key
• then encrypts with recipient's public key
• have both secrecy and authentication
– again need to recognize corrupted messages
– but at cost of two public-key uses on message
Message Authentication Code (MAC)
• generated by an algorithm that creates a small
fixed-sized block
– depending on both message and some key
– like encryption though need not be reversible
• appended to message as a signature
• receiver performs same computation on
message and checks it matches the MAC
• provides assurance that message is unaltered
and comes from sender
• MAC = C(K,M)
Message Authentication Codes
• If we assume that only the receiver and the sender know the
identity of the secret key, and if the received MAC matches
the calculated MAC, then

1. The receiver is assured that the message has not been altered. If
an attacker alters the message but does not alter the MAC, then
the receiver’s calculation of the MAC will differ from the received
MAC. Because the attacker is assumed not to know the secret
key, the attacker cannot alter the MAC to correspond to the
alterations in the message.
2. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC.

3. If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
• A MAC function is similar to encryption. One difference is that
the MAC algorithm need not be reversible, as it must be for
decryption.
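
The three assurances above can be exercised in code. This is an added example, not taken from the slides or the textbook: it assumes HMAC-SHA-256 as the MAC function C, a made-up frame layout (8-byte sequence number, payload, tag), and a constructed key and messages.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 tag length in bytes

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || payload || MAC(K, seq || payload)."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0  # sequence number expected next

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Recompute the MAC and compare in constant time before trusting any field.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad MAC")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.next_seq:  # authentic frame, but replayed or reordered
            raise ValueError("out of sequence")
        self.next_seq += 1
        return body[8:]

def outcome(rx: Receiver, frame: bytes) -> str:
    try:
        return rx.accept(frame).decode()
    except ValueError as err:
        return str(err)

def demo() -> list:
    key = b"constructed demo key, not secret"  # constructed sample value
    rx = Receiver(key)
    f0 = protect(key, 0, b"set rate=10")
    f1 = protect(key, 1, b"set rate=20")
    altered = f0[:8] + b"set rate=99" + f0[-TAG_LEN:]  # message changed, MAC kept
    renumbered = struct.pack(">Q", 0) + f1[8:]         # sequence number changed
    frames = [altered, renumbered, f1, f0, f0, f1]     # then reorder and replay
    return [outcome(rx, f) for f in frames]

if __name__ == "__main__":
    print(demo())
```

The altered message and the rewritten sequence number both fail the MAC check; the reordered and replayed frames carry valid MACs and are caught only because the sequence number is covered by the MAC.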
Message Authentication Codes
• The process depicted in Figure(a) provides authentication but
not confidentiality, because the message as a whole is
transmitted in the clear.
• Confidentiality can be provided by performing message
encryption either after (Figure(b)) or before (Figure(c)) the
MAC algorithm.
• In both these cases, two separate keys are needed, each of
which is shared by the sender and the receiver.

• In the first case, the MAC is calculated with the message as input and is then concatenated to the message. The entire block is then encrypted.
• In the second case, the message is encrypted first. Then the
MAC is calculated using the resulting ciphertext and is
concatenated to the ciphertext to form the transmitted block.
• Typically, it is preferable to tie the authentication directly to
the plaintext, so the method of Figure(b) is used.
Message Authentication Codes
• Because symmetric encryption will provide authentication
and because it is widely used with readily available products,
why not simply use this instead of a separate message
authentication code? [DAVI89] suggests three situations in
which a message authentication code is used.
1. There are a number of applications in which the same
message is broadcast to a number of destinations. Examples are
notification to users that the network is now unavailable or an
alarm signal in a military control center. It is cheaper and more
reliable to have only one destination responsible for monitoring
authenticity.
2. Another possible scenario is an exchange in which one side
has a heavy load and cannot afford the time to decrypt all
incoming messages. Authentication is carried out on a selective
basis, messages being chosen at random for checking.
3. Authentication of a computer program in plaintext is an
attractive service. The computer program can be executed
without having to decrypt it every time, which would be wasteful
of processor resources. However, if a message authentication
code were attached to the program, it could be checked
whenever assurance was required of the integrity of the
program.
Message Authentication Codes
• Three other rationales may be added.
4. For some applications, it may not be of concern to keep
messages secret, but it is important to authenticate messages.
An example is the Simple Network Management Protocol
Version 3 (SNMPv3), which separates the functions of
confidentiality and authentication. For this application, it is
usually important for a managed system to authenticate
incoming SNMP messages, particularly if the message contains a
command to change parameters at the managed system. On the
other hand, it may not be necessary to conceal the SNMP traffic.
5. Separation of authentication and confidentiality functions
affords architectural flexibility. For example, it may be desired to
perform authentication at the application level but to provide
confidentiality at a lower level, such as the transport layer.
6. A user may wish to prolong the period of protection beyond
the time of reception and yet allow processing of message
contents. With message encryption, the protection is lost when
the message is decrypted, so the message is protected against
fraudulent modifications only in transit but not within the target
system.
• Finally, note that the MAC does not provide a digital
signature, because both sender and receiver share the same
key.
MAC Properties
• a MAC, also known as a cryptographic checksum, is generated by a function C of the form T = MAC(K, M)
– condenses a variable-length message M
– using a secret key
– to a fixed-sized authenticator
• is a many-to-one function
– potentially many messages have same MAC
– but finding these needs to be very difficult
Requirements for MACs
• taking into account the types of attacks
• need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to
find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
Security of MACs
Brute-Force Attacks
• A brute-force attack on a MAC is a more difficult undertaking
than a brute-force attack on a hash function because it
requires known message-tag pairs.
• Whether an off-line attack can be used on a MAC algorithm depends on the relative size of the key and the tag.
• To proceed, we need to state the desired security property of a MAC algorithm, which can be expressed as follows.
• Computation resistance: Given one or more text-MAC pairs [xi, MAC(K, xi)], it is computationally infeasible to compute any text-MAC pair [x, MAC(K, x)] for any new input x ≠ xi.
Security of MACs
Cryptanalysis
• The way to measure the resistance of a MAC algorithm to
cryptanalysis is to compare its strength to the effort required
for a brute force attack.
• That is, an ideal MAC algorithm will require a cryptanalytic
effort greater than or equal to the brute-force effort.
• There is much more variety in the structure of MACs than in
hash functions, so it is difficult to generalize about the
cryptanalysis of MACs.
• Furthermore, far less work has been done on developing such
attacks.
• A useful survey of some methods for specific MACs is
[PREN96].
MAC based on Hash functions
HMAC
• Hashed Message Authentication Code
• Objectives for HMAC:
- To use, without modification, available hash functions, in particular those that perform well in software and whose code is freely and widely available.
- To allow easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.
- To preserve the original performance of the hash function without incurring a significant degradation.
- To use and handle keys in a simple way.
- To have a well-understood cryptographic analysis of the strength of the authentication mechanism, based on reasonable assumptions about the embedded hash function.
• HMAC algorithm:

H = embedded hash function (e.g. MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC
Yi = ith block of M, 0 ≤ i ≤ L-1
L = no. of blocks in M
b = no. of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; if the key length is greater than b, the key is input to the hash function to produce an n-bit key; recommended length is ≥ n
K+ = K appended with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times

- HMAC can be expressed as follows:

We can describe the algorithm as:

1. Append zeros to the left end of K to create a b-bit string K+
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si
3. Append M to Si
4. Apply H to the stream generated in step 3
5. XOR K+ with opad to produce the b-bit block So
6. Append the hash result from step 4 to So
7. Apply H to the stream generated in step 6 and output the result
• Two quantities are computed:
f(IV, (K+ ⊕ ipad))
f(IV, (K+ ⊕ opad))
where f(cv, block) is the compression function for the hash function
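
The seven steps above, written out as an added example (not code from the slides or the textbook) and checked against Python's standard hmac module. The function names are hypothetical; the zero bytes that form K+ are placed after the key bytes, as RFC 2104 specifies, and the sample key and message are constructed.

```python
import hashlib
import hmac


def hmac_by_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC by following the seven steps, for any hashlib hash H."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size  # b/8

    # Key longer than b bits: hash it first to obtain an n-bit key.
    if len(key) > block_bytes:
        key = H(key)

    # Step 1: zero-pad the key to b bits to form K+. RFC 2104 places the
    # zero bytes after the key bytes, which is what is done here.
    k_plus = key + b"\x00" * (block_bytes - len(key))

    # Step 2: Si = K+ XOR ipad (0x36 repeated b/8 times).
    s_i = bytes(k ^ 0x36 for k in k_plus)
    # Steps 3-4: append M to Si and apply H.
    inner = H(s_i + message)
    # Step 5: So = K+ XOR opad (0x5C repeated b/8 times).
    s_o = bytes(k ^ 0x5C for k in k_plus)
    # Steps 6-7: append the inner hash to So and apply H again.
    return H(s_o + inner)


def matches_library(key: bytes, message: bytes, hash_name: str) -> bool:
    """Compare the step-by-step result with Python's hmac module."""
    reference = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_by_steps(key, message, hash_name), reference)


if __name__ == "__main__":
    msg = b"constructed sample message"
    for name in ("sha1", "sha256", "sha512"):
        for key in (b"short key", b"k" * 200):  # second key exceeds one block
            print(name, len(key), matches_library(key, msg, name))
```

Swapping the embedded hash only changes `hash_name`, which is the replaceability objective listed for HMAC.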
Security of HMAC

• The security of any MAC function based on an embedded hash function depends in some way on the cryptographic strength of the underlying hash function.

• The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC.

• The security of a MAC function is generally expressed in terms of the probability of successful forgery with a given amount of time spent by the forger and a given number of message–tag pairs created with the same key.
Security of HMAC

• In essence, it is proved in [BELL96a] that for a given level of effort (time, message–tag pairs) on messages generated by a legitimate user and seen by the attacker, the probability of successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function.

1. The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker.

2. The attacker finds collisions in the hash function even when the IV is random and secret.
Security of HMAC

- Cryptographic strength of HMAC depends upon the size of the secret key that is used

- Brute force - most common attack against HMAC

- HMAC is less affected by collisions

MAC based on Block Ciphers
DAA and CMAC
DAA
• can use any block cipher chaining mode and
use final block as a MAC
• Data Authentication Algorithm (DAA) is a
widely used MAC based on DES-CBC
– using IV=0 and zero-pad of final block
– encrypt message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security
Data Authentication Algorithm
CMAC
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message
Authentication Code (CMAC)
• adopted by NIST SP800-38B
Cipher based Message Authentication Code
(CMAC)