---
title: 'Lecture 06 Message Auth Code'
disqus: hackmd
---
:::info
ST2504 Applied Cryptography
:::
Lecture 06 Message Auth Code
===
## Table of Contents
[TOC]

Message Auth Code (MAC)
---
- crypto checksum of msg
- provides
    - data integrity - unaltered
    - auth
- MAC (generated by MAC func) provides msg auth by validating the sender
- receiver verifies msg is from sender by
    - re-generating MAC
    - comparing against sent MAC
- generated by algo that creates small fixed-size blk
    - appended to msg as "signature"
    - receiver performs same computations on msg & checks if result matches MAC
    - provides assurance that msg unaltered & comes from particular sender
- would hash digests help?
    - hash provides assurance that msg is not altered accidentally - data integrity
    - but not protected against MITM atk
        - atker intercepts orig msg & sends fake one with required msg digest based on fake msg
- __note__ - when using MAC, both sender & receiver have common secret key

### MAC Function Requirements

### MAC Application
- MAC algos
    - generate small fixed-size blk called __authenticator/auth tag/tag/MAC/MAC code/crypto checksum__
    - output depending on msg + key
    - need not be reversible
    - MAC appended to msg, validated by receiver
- MAC with msg encryption
    - for secrecy with auth
    - preferred processing (from most to least secure)
        - encrypt-then-MAC - encrypt msg then generate MAC from ciphertext + IV
        - MAC-and-encrypt - generate MAC & encrypt both MAC & msg
        - encrypt-and-MAC - generate MAC & encrypt msg only
- MAC w/o msg encryption
    - for auth & data integrity only
    - usually separate keys for ea comm pair

### Keyed Hash Function as MAC
- MAC algo based on hash func
    - faster
    - widely available/understood
    - need modification to use key
- original (bad) proposal
    - prepend key to msg, then hash
    - weaknesses found
    - led to development of HMAC

Hash-based MAC
---
- specified as internet standard RFC 2104

- where K+ is key padded to blk size
- opad, ipad are specified padding consts
- small overhead
    - 3 more blks of hash calculations
- no encryption computation required
- can use any hash func
    - e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
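
The RFC 2104 construction described above, written out step by step as an added example (not part of the original lecture notes). The key, the messages and the helper names `hmac_rfc2104`, `verify_mac` and `verify_plain_digest` are constructed for illustration; SHA-256 is assumed as the underlying hash.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # padding constants fixed by RFC 2104


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC = H((K+ xor opad) || H((K+ xor ipad) || msg))."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:  # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")  # K+: key zero-padded to blk size
    inner_pad = bytes(b ^ IPAD for b in k_plus)
    outer_pad = bytes(b ^ OPAD for b in k_plus)
    inner = hashlib.new(hash_name, inner_pad + msg).digest()
    return hashlib.new(hash_name, outer_pad + inner).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: re-generate the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg), tag)


def verify_plain_digest(msg: bytes, digest: bytes) -> bool:
    """Unkeyed check: anyone can recompute it, so it only catches accidents."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


# Constructed sample values (assumptions, not from the lecture)
KEY = b"shared-secret-between-sender-and-receiver"
MSG = b"pay 100 to alice"
FAKE = b"pay 900 to mallory"

if __name__ == "__main__":
    tag = hmac_rfc2104(KEY, MSG)
    print("matches stdlib hmac:", tag == hmac.new(KEY, MSG, hashlib.sha256).digest())
    print("genuine msg accepted:", verify_mac(KEY, MSG, tag))
    # Altered message sent with the original tag is rejected
    print("altered msg accepted:", verify_mac(KEY, FAKE, tag))
    # A bare digest recomputed over the altered message still verifies,
    # which is why an unkeyed hash does not authenticate the sender
    print("altered msg + new digest accepted:",
          verify_plain_digest(FAKE, hashlib.sha256(FAKE).digest()))
```

In production code use `hmac.new` from the standard library; the manual version is only there to show where K+, ipad and opad enter the computation.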

### Overview


### HMAC Security
- security of HMAC relates to underlying hash algo
- atking HMAC requires either
    - brute force atk on key used - 2^n
    - bday atk
        - want 1 matching pair from any 2 sets & need 2^(m/2) in ea set to get matching m-bit hash
        - however, HMAC is keyed
            - need to observe large num of msgs
- note - MD5 is considered safe when used with HMAC

Using Symmetric Ciphers for MACs
---
- can use any blk cipher chaining mode & use final blk as MAC
- __Data Auth Algo (DAA)__ is former US gov standard widely used for producing MAC codes
    - use IV=0 & zero-pad of final blk
    - encrypt msg using DES in CBC mode
    - send just final blk as MAC
        - or leftmost M bits (16 <= M <= 64) of final blk
- however, final MAC (output of DAA), a 64-bit checksum, is now too small for security
### Data Auth Algo (DAA)
- blk cipher in chaining mode (DES-CBC)
    - DES (data encryption standard) is blk cipher
    - cipher blk chaining (CBC) is way of chaining up blk cipher as shown
    - D = data
    - O = output

Summary
---

###### tags: `ACG` `DISM` `School` `Notes`