Message Authentication Code

2015.03.30

임 형 진 Email: imhj9121@gmail.com

SeoulTech UCS Lab

Table of Contents

1. Message Authentication Requirements

2. Message Authentication Functions

3. Requirements for Message Authentication Code

4. Security of MACs

5. MACs Based on Hash Functions:HMAC

6. MACs Based on Block Ciphers: DAA and CMAC

7. Authenticated Encryption:CCM and GCM

8. Key Wrapping

9. Pseudorandom Number Generation Using Hash

Functions and MACs

2

Message Authentication Requirements (1/2)

• 1. Disclosure: Release of message contents to any person or process not

possessing the appropriate cryptographic key.

• 2. Traffic analysis: Discovery of the pattern of traffic between parties

• 3. Masquerade: Insertion of messages into the network from a fraudulent

source.

• 4. Content modification: Changes to the contents of a message, including

insertion, deletion, transposition, and modification.

• 5. Sequence modification: Any modification to a sequence of messages

between parties, including insertion, deletion, and reordering.

• 6. Timing modification: Delay or replay of messages.

• 7. Source repudiation: Denial of transmission of message by source.

• 8. Destination repudiation: Denial of receipt of message by destination.

3

Message Authentication Requirements (2/2)

• a procedure to verify that received messages come from

the alleged source and have not been altered.

• verify sequencing and timeliness.

• A digital signature is an authentication technique that also

includes measures to counter repudiation by the source.

4

Message Authentication Functions (1/10)

Autenticator may be grouped into three classes.

• Hash function: A function that maps a message of any

length into a fixedlength hash value, which serves as the

authenticator

• Message encryption: The ciphertext of the entire message

serves as its authenticator

• Message authentication code (MAC): A function of the

message and a secret key that produces a fixed-length

value that serves as the authenticator

5

Message Authentication Functions (2/10)

6

Symmetric Encryption

A message M transmitted from source A to destination B is

encrypted using a secret key K shared by A and B. If no other

party knows the key, then confidentiality is provided: No other

party can recover the plaintext of the message.

In addition, B is assured that the message was generated by A

M M E D

Key Key E(K, M)

Source Destination

Message Authentication Functions (3/10)

7

M M E D

PUb PRb E(PUb, M)

Source A Destination B

Public-key Encryption (1/3)

Public-Key encryption: confidentiality

The source (A) uses the public key PUb of the destination (B) to encrypt M.

Because only B has the corresponding private key PRb,

only B can decrypt the message.

Provides no authentication, because any opponent could also use

B’s public key to encrypt a message and claim to be A.

Message Authentication Functions (4/10)

Public-key Encryption (2/3)

The message must have come from A because A is the only party that

possesses PRa and therefore the only party with the information

necessary to construct ciphertext that can be decrypted with PUa.

8

M M E D

PRa PUa E(PRa, M)

Source A Destination B

Public-Key encryption: authentication and signature

Message Authentication Functions (5/10)

Public-key Encryption (3/3) • To provide both confidentiality and authentication, A can encrypt M first using its

private key, which provides the digital signature, and then using B’s public key,

which provides confidentiality. The disadvantage of this approach is that the

public-key algorithm, which is complex, must be exercised four times rather than

two in each communication

9

M E E

PRa PUa E(PRa, M)

Source A Destination B

Public-Key encryption: confidentiality, authentication, and signature

M D D

PRb PUa E(PRa, M) E(PUb, E(PRa, M))

Message Authentication Functions (6/10)

Message Authentication Code (1/5)

• This technique assumes that two communicating parties,

say A and B, share a common secret key K. When A has a

message to send to B, it calculates the MAC as a function

of the message and the key

MAC = C(K, M)

• M = input message

• C = MAC function

• K = shared secret key

• MAC = message authentication code

10

Message Authentication Functions (7/10)

Message Authentication Code (2/5)

11

M M

C

K

Source A Destination B

C(K, M)

C

K

Compare

Message authentication

Message Authentication Functions (8/10)

Message Authentication Code (3/5)

12

M M

C

K1

E(K2, [M||C(K1, M)])

Message authentication and confidentiality:

authentication tied to plaintext

E

K2

M

C(K, M)

C

K1

Compare

D

K2

Message Authentication Functions (9/10)

Message Authentication Code (4/5)

13

M

C

K1

C(K1, E(K2, M))

E

K2

M

C K1

Compare

D

K2

E(K2, M)

Message authentication and confidentiality:

authentication tied to ciphertext

Message Authentication Functions (10/10)

Message Authentication Code (5/5)

• There are a number of applications in which the same

message is broadcast to a number of destinations

• An exchange in which one side has a heavy load and

cannot afford the time to decrypt all incoming messages.

• The computer program can be executed without having to

decrypt it every time, which would be wasteful of

processor resources.

14

Requirements for Message Authentication Codes

• If an opponent observes M and MAC(K, M), it should be

computationally infeasible for the opponent to construct a

message M such that

MAC(K, M) = MAC(K, M)

• MAC(K, M) should be uniformly distributed in the sense

that for randomly chosen messages, M and M, the

probability that

MAC(K, M) = MAC(K, M)

is 2-n, where n is the number of bits in the tag.

• Let M be equal to some known transformation on M. That

is, M = f(M). For example, f may involve inverting one or

more specific bits. In that case,

Pr [MAC(K, M) = MAC(K, M)] = 2-n 15

Security of MACs

• Brute-Force Attacks

– Computation resistance: Given one or more text-MAC pairs [xi,

MAC(K, xi)], it is computationally infeasible to compute any text-

MAC pair [x, MAC(K, x)] for any new input x≠xi.

– the level of effort for brute-force attack on a MAC algorithm can be

expressed as min(2k, 2n)

– k: key length

– n: number of MAC bits

• Cryptanalysis – That is, an ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the

brute-force effort.

16

MACs Based on Hash Functions:HMAC (1/6)

• There has been increased interest in developing a MAC

derived from a cryptographic hash function

– Cryptographic hash functions such as MD5 and SHA generally

execute faster in software than symmetric block ciphers such as

DES.

– Library code for cryptographic hash functions is widely available.

• HMAC

– issued as RFC 2104,

– has been chosen as the mandatory-to-implement MAC for IP security

– is used in other Internet protocols, such as SSL

17

MACs Based on Hash Functions:HMAC (2/6)

• HMAC Design Objectives (RFC 2104)

– To use, without modifications, available hash functions.

– To allow for easy replaceability of the embedded hash function

– To preserve the original performance of the hash function

– To use and handle keys in a simple way

– To have a well understood cryptographic analysis

18

MACs Based on Hash Functions:HMAC (3/6)

• HMAC(K,M)

= H[(K+ ⊕ opad) ∥

H[(K+ ⊕ ipad) ∥M]]

• H = embedded hash function (e.g., MD5,

SHA-1, RIPEMD-160)

• IV = initial value input to hash function

• M = message input to HMAC (including the

padding specified in the embedded

• hash function)

• Yi = i th block of M, 0 … i … (L - 1)

• L = number of blocks in M

• b = number of bits in a block

• n = length of hash code produced by

embedded hash function

• K = secret key; recommended length is Ú n; if

key length is greater than b, the

• key is input to the hash function to produce an

n-bit key

• K+ = K padded with zeros on the left so that

the result is b bits in length • ipad = 00110110 (36 in hexadecimal) repeated b/8

times

• opad = 01011100 (5C in hexadecimal) repeated b/8

times

19

MACs Based on Hash Functions:HMAC (4/6)

1. Append zeros to the left end of K to create a b-bit string K+

2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit

block Si.

3. Append M to Si.

4. Apply H to the stream generated in step 3.

5. XOR K+ with opad to produce the b-bit block So.

6. Append the hash result from step 4 to So.

7. Apply H to the stream generated in step 6 and output the result.

20

MACs Based on Hash Functions:HMAC (5/6)

• Efficient Implementation

of HMAC

21

MACs Based on Hash Functions:HMAC (6/6)

• Security of HMAC – the probability of successful attack on HMAC is equivalent to

one of the following attacks on the embedded hash function. The attacker is able to compute an output of the compression

function even with an IV that is random, secret, and unknown to the

attacker

For a hash code length of 128 bits, this requires 264 observed blocks

(272 bits) generated using the same key.

if speed is a concern, it is fully acceptable to use MD5 rather than

SHA-1 as the embedded hash function for HMAC.

22

MAC s Based on Block Ciphers: DAA and CMAC (1/3)

• Data Authentication Algorithm (DAA) – (FIPS PUB 113) and an ANSI standard

– Security weaknesses in this algorithm have been discovered

– using the cipher block chaining (CBC) mode of operation of DES

• Cipher-Based Message Authentication Code (CMAC) – use with AES and triple DES

• AES; key length: 128, 192, 256bit. Block size: 128bit

• Triple-DES; key length: 112 or 168bit. Block size: 64bit

– NIST 800-38B

23

MAC s Based on Block Ciphers: DAA and CMAC (2/3)

24

• Data Authentication Algorithm (DAA)

MAC s Based on Block Ciphers: DAA and CMAC (3/3)

• Cipher-Based Message Authentication Code (CMAC)

25

Authenticated Encryption: CCM and GCM (1/7)

• Authenticated encryption: AE – simultaneously protect confidentiality and authenticity (integrity) of

communications.

• Four common approaches to providing both confidentiality and encryption for a message M.

– Hashing followed by encryption (H->E) • First compute the cryptographic hash function over M as h = H(M).

• Then encrypt the message plus hash function: E(K, (M} h))

– Authentication followed by encryption (A->E) • First authenticate the plaintext by computing the MAC value as T = MAC(K1, M).

• Then encrypt the message plus tag: E(K2, [M||T ]).

– Encryption followed by authentication (E->A) • First encrypt the message to yield the ciphertext C = E(K2, M).

• Then authenticate the ciphertext with T = MAC(K1, C) to yield the pair (C, T).

– Independently encrypt and authenticate (E+A). • Encrypt the message to yield the ciphertext C = E(K2, M).

• Authenticate the plaintext with T = MAC(K1, M) to yield the pair (C, T).

26

Authenticated Encryption: CCM and GCM

• Counter with Cipher Block Chaining-Message Authentication

Code

– a variation of the encrypt-and-MAC approach to authenticated

encryption.

– AES, CTR, CMAC

– A single key K is used for both encryption and MAC algorithms.

27

Authenticated Encryption: CCM and GCM (2/7)

Authenticated Encryption: CCM and GCM (

28

Authenticated Encryption: CCM and GCM (3/7)

Authentication of CCM

29

Authenticated Encryption: CCM and GCM (4/7)

• Encryption of CCM

Authenticated Encryption: CCM and GCM (5/7)

• Galois/Counter Mode

– standardized by NIST in NIST SP 800-38D

– designed to be parallelizable so that it can provide high throughput

with low cost and low latency.

– the message is encrypted in variant of CTR mode

– GHASH, which is a keyed hash function, and GCTR, which is

essentially the CTR mode

30

GHash

Authenticated Encryption: CCM and GCM (6/7)

• GCTRK

31

Authenticated Encryption: CCM and GCM (7/7)

• Galois Counter—Message Authentication Code

32

Key Wrap (1/3)

• Most recent block cipher mode of operation defined by NIST

– Uses AES or triple DEA as the underlying encryption algorithm

• Purpose is to securely exchange a symmetric key to be shared

by two parties, using a symmetric key already shared by these

parties

– The latter key is called a key encryption key (KEK)

• Robust in the sense that each bit of output can be expected to

depend in a nontrivial fashion on each bit of input

• Only used for small amounts of plaintext

33

Key Wrap (2/3)

• Key Wrap

34

Key Wrapping Operation for 256-bit Key

Key Wrap (3/3)

35

Pseudorandom Number Generation Using Hash

Functions and MACs (1/2)

• The essential elements of any pseudorandom number

generator

– Seed value

– Deterministic algorithm for generating a stream of pseudorandom

bits

36

PRNG using cryptographic hash function PRNG using HMAC

Pseudorandom Number Generation Using Hash

Functions and MACs (2/2)

37

m = [n/outlen] w0 = V W = the null string For i = 1 to m wi = MAC(K, wi-1) W = W||wii Return leftmost n bits of W

m = [n/outlen] W = the null string For i = 1 to m wi = MAC(K, (V|| i)) W = W||wi Return leftmost n bits of W

m = [n/outlen] A(0) = V W = the null string For i = 1 to m A(i) = MAC(K, A(i - 1)) wi = MAC(K, (A(i) }V) W = W||wi

Return leftmost n bits of W

NIST SP 800-90 IEEE 802.11i TLS/WTLS

Q & A

38