270 likes | 641 Views
Message Authentication Code. July 2011. Message Authentication Problem. Message Authentication is concerned with: protecting the integrity of a message validating identity of originator How to detect changes by adversary to message? Ancient solution : sign and seal
E N D
Message Authentication Code July 2011
Message Authentication Problem • Message Authentication is concerned with: • protecting the integrity of a message • validating identity of originator • How to detect changes by adversary to message? • Ancient solution : • sign and seal • More technique: break to message part and authenticator part (“tag”) • How to do this digitally? • Create a tag t(M) and send tag securely
Communication without authentication Shared key k to generate authenticate message Very easy.. Eve Eve can simply change the message M M’ Alice Bob
Integrity Protection with MAC Shared key k to generate authenticate message k=??, MAC=?? Eve Eve can not forge MAC when k is unknown M M’ MAC (k,M) MAC?? Alice Bob Key : k Key : k
MAC Authentication (I) • MAC allows two or more mutually trusting parties to authenticate messages sent between members Only Alice and me know k, one of us sent M. Eve If I do not send M, then Alice must have sent it. Alice Bob M Key : k Key : k MAC (k,M)
MAC Authentication (II) • MAC allows two or more mutually trusting parties to authenticate messages sent between members Chris Only Alice, Chris, Doug and me know k, one of us sent M. Eve Key : k Alice Bob M Key : k Key : k Doug MAC (k,M) Key : k
Integrity with Hash Can we simply send the hash with the message to serve message authentication ? Ans: No, Eve can change the message and recompute the hash. Using hash needs more appropriate procedure to guarantee integrity Forge M’ and compute h(M’) Eve No shared key M M’ h (M) h (M) Alice Bob
Message Authentication Code • A function of the message and a secret key that produces a fixed-length value that serves as the authenticator • Generated by an algorithm : • generated from message + secret key : MAC = C(K,M) • A small fixed-sized block of data • appended to message as a signature when sent • Receiver performs same computation on message and checks it matches the MAC
MAC and Encryption • As shown the MAC provides authentication • But encryption can also provides authentication! • Why use a MAC? • sometimes only authentication is needed • sometimes need authentication to persist longer than the encryption (eg. archival use) • Note that a MAC is not a digital signature
MAC Properties • A MAC is a cryptographic checksum MAC = CK(M) • condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator • A many-to-one function • potentially many messages have same MAC • but finding these needs to be very difficult
Keyed Hash Functions as MACs • Want a MAC based on a hash function • because hash functions are generally faster • crypto hash function code is widely available • Need a hashing including a key along with message • But hashing is internally has no key! • Original proposal: KeyedHash = Hash(Key|Message) • some weaknesses were found with this • Eventually led to development of HMAC
HMAC • Hash-based Message Authentication Code • Developed by Mihir Bellare, Ran Canetti, and Hugo Krawczyk in1996 • Specified as Internet standard RFC2104 • Use cryptographic hash function in combination with a secret key • Any hash function can be used • eg. MD5, SHA-1, RIPEMD-160, Whirlpool • HMAC-MD5, HMAC-SHA1, HMAC-RIPEND-160, HMAC-Whirlpool • HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols
HMAC Overview • Scheme consists of 2-stage nested : an inner and outer hash • K+ is expanded key k padded with zeros on the left so that the result is b bits in length • Intermediate result of first hash padded to increase complexity next hash • Different “round keys” generated for each hash • Stage 1: k1 = K+ ipad • Stage 2: k2 = K+ opad • Ipad : a string of repeated 0x36 • 00110110,00110110, . . .,00110110 • Opad : is a string of repeated 0x5C • 01011100,01011100, . . .,01011100 HMAC(K,M) = H( (K+⊕opad) | H( (K+ ⊕ ipad)| M) )
CMAC (Cipher-based MAC) • “Hashless” MAC • Uses an encryption algorithm (DES, AES, etc.) to generate MAC • Based on same idea as cipher block chaining • Compresses result to size of single block (unlike encryption
CMAC Overview • Message broken into N blocks • Each block fed into an encryption algorithm with key • Result XOR’d with next block before encryption to make final MAC
CMAC Facts • Advantages: • Can use existing encryption functions • Encryption functions have properties that resist preimage and collision attacks • Ciphertext designed to appear like “random noise” – good approximation of random oracle model • Most exhibit strong avalanche effect – minor change in message gives great change in resulting MAC • Disadvantage: • Encryption algorithms (particularly when chained) can be much slower than hash algorithms
Summary • A Hash is used to guarantee the integrity of data, a MAC guarantees integrity AND authentication • A Hash take a single input – a message and produces a message digest • A MAC algorithm takes two inputs -- a message and a secret key -- and produces a MAC • A HMAC algorithm is simply a specific type of MAC algorithm that uses a hash algorithm internally to generate the MAC • A CMAC algorithm is a specific type of MAC algorithm that uses a block cipher internally to generate the MAC