CHAPTER 8

MESSAGE AUTHENTICATION CODE (MAC)

Learning Outcome
• Explain how to use a MAC to provide authentication.
• Describe two different approaches to constructing a MAC.
• Requirements for a message authentication code.
• Explain the concept of authenticated encryption.
Outline
• Message Authentication Code (MAC)
• Security of MACs
•MACs based on hash functions: (HMAC)
•MACS based on block ciphers: DAA and CMAC
•Authentication encryption: CCM and GCM
Introduction
• Hash functions can only provide data integrity.
• We can combine hash function with other security mechanisms to
protect the hash value from being manipulated.
• One method which introduce a key into the process of generating a
‘hash’ is called Message Authentication Code (MAC).
• MACs are cryptographic tools used to ensure the integrity and
authenticity of messages during transmission.
• MAC play a crucial role in various applications, including secure
communication protocols and data integrity checks.
Data Origin Authentication
• Consider the following active attacks on a message:
• unauthorised changing of part of a message;
• unauthorised deletion of part of a message;
• unauthorised sending of a false message; and
• trying to persuade the receiver that the message came from someone other than it did.
• We would like to prevent active attacks or to detect the attack if they have occurred.
• If Alice and Bob share a symmetric key K, and Alice encrypts a message and sends it to
Bob, then these attacks are prevented.
• From Bob’s perspective, Alice is the only other person who knows the key K, so surely
nobody else could have tampered with the message in any way since it is encrypted. But
is this argument valid?
• It might be valid, but it is certainly not always valid.
• Encryption does not provide data origin authentication.
• Data Origin Authentication can be achieved using MAC code
Message Authentication Code (MAC)
• In cryptography, a MAC, sometimes known as an authentication tag,
is a short piece of information used for authenticating a message.
• Data origin authentication : Authentication of a message is to confirm
that the message came from the stated sender (its authenticity) and
has not been changed (integrity).
• The MAC value protects the integrity of a message, as well as its
authenticity, by allowing verifiers (who also possess the secret key) to
detect any changes to the message content.
• MAC provides integrity and authenticity of a message.
Advantages of MAC
1. Data Integrity: MACs provide assurance that a message has not
been tampered with during transmission. The recipient can verify
the MAC to confirm that the data remains intact.
2. Efficient Verification: MAC is lightweight. The verification process is
quick, allowing for efficient handling of large amounts of data. This
is especially beneficial in environments requiring rapid data
exchange.
3. Protection Against Unauthorized Access: By utilizing a secret key,
MACs restrict access to authorized parties only, preventing
unauthorized modifications or access to the message content.
Disadvantages of MAC
• Key Management: The security of MACs heavily relies on the
management of secret keys. Both sender and recipient must
securely share and store these keys, which can be complex in
larger systems.
• While MACs verify data integrity, they may not adequately
protect against replay attacks, where an attacker captures
and retransmits valid messages. For countermeasure, the
message itself must contain data that assures that this same
message can only be sent once (e.g. time stamp, sequence
number or use of a one-time MAC).
1. The sender of a message runs it
through a MAC algorithm to produce a
MAC data tag.
2. The message and the MAC tag are
then sent to the receiver.
3. The receiver in turn runs the message
portion of the transmission through the
same MAC algorithm using the same
key, producing a second MAC data tag.
4. The receiver then compares the first
MAC tag received in the transmission to
the second generated MAC tag. If they
are identical, the receiver can safely
assume that the message was not
altered or tampered with during
transmission (data integrity).

• However, to allow the receiver to be able to detect replay attacks, the message
itself must contain data that assures that this same message can only be sent
once (e.g. time stamp, sequence number or use of a one-time MAC).
• Otherwise an attacker could – without even understanding its content – record
this message and play it back at a later time, producing the same result as the
original sender.
Properties of MAC
• Compression. A MAC does condense arbitrary long inputs into a fixed length output
since it produces a fixed length digest of a message, regardless of how long the input
message is.
• Easy to compute. In hash functions, this applies to anyone; however, this property is
highly restricted for MACs. A MAC must be easy to compute for anyone who knows the
symmetric MAC key, which is normally only the legitimate sender and receiver of a MAC.
However, it must be hard to compute the correct MAC on a message for anyone who
does not know the MAC key.
• Preimage/second preimage/collision resistance. These properties are important for
the security of hash functions since, without them, it might be possible for an attacker to
manipulate the ‘commitment’ properties of a hash function.
Security Strength of MAC
1. The security of MAC function depends on the security strength of
the underlying hash function.
2. The security of the keys.
3. The length of the MAC output.
Message Authentication Code (MAC)
• Practically, MACs are constructed in essentially two
different ways by using
• cryptographic hash functions (e.g. HMAC) or
• block cipher (e.g. CMAC)
Common MAC Algorithms
• HMAC (Hash-based Message Authentication Code): Utilizes a hash
function combined with a secret key for authentication.
• CMAC (Cipher-based Message Authentication Code): Based on block
ciphers, providing a secure method for generating MACs.
• KMAC (Keccak-based Message Authentication Code): A newer
algorithm derived from SHA-3 standards, offering enhanced security
features.
Hash based Message Authentication Code (HMAC)
• HMAC involving a cryptographic hash function and a secret cryptographic key.
• HMAC can provide authentication using a symmetric key, whereas digital signatures
providing authentication using asymmetric cryptography.
• Using HMAC, the communicating parties are responsible for establishing and using a
trusted channel to agree on the key prior to communication.
• Any cryptographic hash function, such as SHA-2 or SHA-3, may be used in the calculation
of an HMAC; the resulting MAC algorithm is termed HMAC-x, where x is the hash
function used (e.g. HMAC-SHA256 or HMAC-SHA3-512).
• The cryptographic strength of the HMAC depends upon the cryptographic strength of the
underlying hash function, the size of its hash output, and the size and quality of the key.
• HMAC does not encrypt the message. Instead, the message (encrypted or not) must be
concatenated with the hash. Parties with the secret key will hash the message again
themselves, and if it is authentic, the received and computed hashes will match.
Security of HMAC
1. The security of HMAC function depends on the security strength of
the underlying hash function. Thus, it should be deployed using
secure hash functions which have been approved for use by
recognised experts.
2. HMAC is not secure if the attacker finds collisions in the hash function
even when the IV is random and secret.
3. The security of the keys. HMAC employs two symmetric keys. Thus,
the length of an HMAC key can be regarded as the sum of the lengths
of these two keys.
4. The length of the MAC output.
Cipher-based Message Authentication Code (CMAC)

• There are two MACs that are based on the use of a block cipher mode of
operation:
• the Data Authentication Algorithm (DAA), which is now obsolete, and
• the Cipher-Based Message Authentication Code (CMAC), which is designed to
overcome the deficiencies of the DAA.
• CMAC is based on the use of a block cipher mode of operations for use
with AES or triple DES.
• The CMAC overcomes the limitations of the DAA which is based on DES.
• CMACs are calculating MAC codes using a block cipher coupled with a
secret key. You can use an CMAC to verify both the integrity and
authenticity of a message.
KMAC: KECCAK Message Authentication Code
• KMAC algorithm is a variable-length keyed hash function described in
NIST SP800-185 [SP800185]. It is based on KECCAK, the core SHA-3
algorithm.
• There are two variants, KMAC128 and KMAC256, which have expected
security strengths of 128 and 256 bits, respectively. The "standard" output
lengths for KMAC128 and KMAC256 are 256 bits (32 bytes) and 512 bits
(64 bytes), respectively.
• The KMAC algorithm can theoretically output an infinitely-long stream of
bytes, so it can also be used as a Pseudorandom function (PRF). Note
that you cannot truncate a KMAC output value when used as a message
authentication code.
• To obtain the expected security strength you must use keys of length at
least 128 and 256 bits respectively.
MACs Based on Block Cipher: CBC-MAC
• An early banking standard defined CBC-MAC using DES, so the MAC
operated on blocks of 64 bits. Any block cipher, such as AES, could be
used.
• Assume the sender and receiver have both agreed in advance upon a
symmetric key K.
• Assume the message M has been split into blocks of the same length as
the block length of the block cipher (64 bits for DES or 128 bits for AES) in
order to process it. If the message does not fit neatly into blocks, then we
pad the last block.
• The output length of the MAC is determined by the block size of the
cipher used.
• The security of CBC-MAC relies on the security of the symmetric key K MAC Verification:
shared by the sender and receiver. • The computation of MAC can be performed
The figure shown the MAC generation: by anyone who knows the MAC key K.
• The receiver received the message and the
MAC value, and then simply repeat the
computation as in figure above and checks
that the output of this computation is the
same as the received value .
• If it is, then the message is authenticated,
otherwise it is rejected.
 Security Requirement of MAC
Assume that an opponent knows the MAC function but does not know the key K.
Then, the MAC function should satisfy the following requirements.
• If an opponent observes message M and MAC(K, M), it should be computationally
infeasible for the opponent to construct a message M′ such that
MAC(K, M′) = MAC(K, M) where M  M’
• MAC(K, M) should be uniformly distributed in the sense that for randomly chosen
messages, M and M′, the probability that
MAC(K, M) = MAC(K, M′) is 2-n ,
where n is the number of bits in the hash tag and M  M’
 Hash, MAC and Digital Signature
• MAC is different from hash functions because MAC require the use of secret key.
• MACs differ from digital signatures as MAC values are both generated and verified using
the same secret symmetric key. This implies that the sender and receiver of a message
must agree on the same key before initiating communications. For the same reason,
MACs do not provide the property of non-repudiation as offered by digital signatures. This
is because any user who can verify a MAC is also capable of generating MACs for other
messages.
• In contrast, digital signatures offer non-repudiation. The signature is generated using the
private key of a sender. Since this private key is only accessible to its holder, a digital
signature proves that a document was signed by none other than that holder i.e. non-
repudiation.
Application Key Security Service
Hash function None Integrity
MAC Symmetric key Authentication, Integrity
Digital Signature Private and public key Authentication, Integrity,
Non-repudiation
 MAC with Encryption – Authenticated Encryption
• Combination security services namely authenticated encryption.
• Practically, some applications requiring authenticated encryption. Some message require not to be
encrypted, but should be authenticated only.
• MAC-then-encrypt:
1. the MAC is computed on the full message;
2. the message and the MAC are encrypted (but not the associated data); and
3. the ciphertext and the associated data are sent to the receiver.
• Encrypt-then-MAC:
1. the message is encrypted;
2. the MAC is computed on the combination of the ciphertext and the associated data; and
3. the ciphertext, the associated data, and the MAC are sent to the receiver.
Note: regardless of which order is used, the encryption operation and the MAC operation should be computed using
different cryptographic keys. This is because they are different cryptographic operations, providing different security
services. Using different keys follows the best-practice principle of key separation.
Confidentiality & Authentication
(a) AUTHENTICATION ONLY: The message
and MAC are transmitted in the communication
channel
(b) AUTHENTICITY AND ENCRYPTION:
• MAC concatenated to the message.
• The concatenated message is an input to
encryption algorithm.
• Then, the entire block is then encrypted.
• Two separate keys are needed, each of
which is shared by the sender and the
receiver.

(c) AUTHENTICITY AND ENCRYPTION:

• The message is encrypted first.
• Then MAC is is concatenated to the ciphertext
to form the transmitted block.
• Two separate keys are needed, each of
which is shared by the sender and the
receiver.
Brute-Force Attack
• A brute-force attack on a MAC is a more difficult undertaking than a brute-force
attack on a hash function because it requires known message-tag pairs.
• Assume a fixed message x with n-bit hash code h = H(x),
• a brute-force method of finding a collision is to pick a random bit string y and
check if H(y) = H(x).
• The attacker can do this repeatedly off-line. Whether an off-line attack can be
used on a MAC algorithm depends on the relative size of the key and the tag.

Attackers try to find the valid MAC code for a message x. Two lines of attack is possible:
• Attack the key space
• If an attacker can determine the MAC key then it is possible to generate a valid MAC value for
any input x
• Attack the MAC value
• Objective is to generate a valid tag for a given message or to find a message that matches a
given tag
Cryptanalysis
• Cryptanalytic attacks seek to exploit some property of the algorithm
to perform some attack other than an exhaustive search
• There is much more variety in the structure of MACs than in hash
functions, so it is difficult to generalize about the cryptanalysis of
MACs
Attacks and Countermeasures
1. Disclosure - Release of message contents to any person
2. Traffic analysis - Discovery of the pattern of traffic between parties
3. Masquerade - Insertion of messages into the network from a fraudulent source
4. Content modification - Changes to the contents of a message, including insertion, deletion,
transposition, and modification
5. Sequence modification - Any modification to a sequence of messages between parties, including
insertion, deletion, and reordering
6. Timing modification - Delay or replay of messages
7. Source repudiation - Denial of transmission of message by source
8. Destination repudiation - Denial of receipt of message by destination

Item 1 and 2 – use encryption/decryption

Items (3) through (6) - use message authentication or digital signature.
Item (7) – use digital signatures.
Item (8) – use a combination of digital signatures and a protocol designed to counter this attack.