
Chapter 11 Authenticationfinal

The document discusses requirements for message authentication including confidentiality, integrity, and non-repudiation. It describes various message authentication functions and attacks they aim to prevent like replacement, traffic analysis, and brute force attacks. It also summarizes techniques like hash-based message authentication codes (HMAC) and authenticated encryption modes like CCM and GCM.

Uploaded by

asjadzaki2021

Message Authentication Requirements
• Disclosure
  • Release of message contents to any person or process not possessing the appropriate cryptographic key
• Traffic analysis
  • Discovery of the pattern of traffic between parties
• Masquerade
  • Insertion of messages into the network from a fraudulent source
• Content modification
  • Changes to the contents of a message, including insertion, deletion, transposition, and modification
• Sequence modification
  • Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
• Timing modification
  • Delay or replay of messages
• Source repudiation
  • Denial of transmission of message by source
• Destination repudiation
  • Denial of receipt of message by destination
Message Authentication Functions
• Two levels of functionality:
  • Lower level
    • There must be some sort of function that produces an authenticator
  • Higher-level
    • Uses the lower-level function as a primitive in an authentication protocol that enables a receiver to verify the authenticity of a message
• Hash function
  • A function that maps a message of any length into a fixed-length hash value which serves as the authenticator
• Message encryption
  • The ciphertext of the entire message serves as its authenticator
• Message authentication code (MAC)
  • A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
Public-Key Encryption
• The straightforward use of public-key encryption
provides confidentiality but not authentication
• To provide both confidentiality and authentication, A
can encrypt M first using its private key which provides
the digital signature, and then using B’s public key,
which provides confidentiality
• Disadvantage is that the public-key algorithm must be
exercised four times rather than two in each
communication
Requirements for MACs
• Taking into account the types of attacks, the MAC needs to satisfy the following:
  • The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key
  • The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext
  • The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others
Brute-Force Attack
• Requires known message-tag pairs
• A brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x)
Two lines of attack:
• Attack the key space
  • If an attacker can determine the MAC key then it is possible to generate a valid MAC value for any input x
• Attack the MAC value
  • Objective is to generate a valid tag for a given message or to find a message that matches a given tag
Cryptanalysis
• Cryptanalytic attacks seek to exploit some property of
the algorithm to perform some attack other than an
exhaustive search
• An ideal MAC algorithm will require a cryptanalytic
effort greater than or equal to the brute-force effort
• There is much more variety in the structure of MACs
than in hash functions, so it is difficult to generalize
about the cryptanalysis of MACs
MACs Based on Hash Functions: HMAC
• There has been increased interest in developing a MAC derived from a cryptographic hash function
• Motivations:
  • Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES
  • Library code for cryptographic hash functions is widely available
• HMAC has been chosen as the mandatory-to-implement MAC for IP security
• Has also been issued as a NIST standard (FIPS 198)
HMAC Design Objectives
RFC 2104 lists the following objectives for HMAC:
• To use, without modifications, available hash functions
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required
• To preserve the original performance of the hash function without incurring a significant degradation
• To use and handle keys in a simple way
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function
Security of HMAC
• Depends in some way on the cryptographic strength of
the underlying hash function
• Appeal of HMAC is that its designers have been able to
prove an exact relationship between the strength of
the embedded hash function and the strength of
HMAC
• Generally expressed in terms of the probability of
successful forgery with a given amount of time spent
by the forger and a given number of message-tag pairs
created with the same key
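The HMAC slides above, as an added example that is not part of the original slides: the RFC 2104 construction written with the hash function as a replaceable black box, checked against Python's own `hmac` module. The function names, key and message are constructed for illustration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # inner and outer padding bytes defined in RFC 2104


def hmac_generic(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K0 ^ opad) || H((K0 ^ ipad) || m)); H is used unmodified."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                       # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block, b"\x00")             # then zero-padded to one hash block
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k0) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k0) + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_generic(key, msg, hash_name), tag)


def demo() -> dict:
    key = b"constructed-demo-key"              # constructed sample values
    msg = b"transfer 100 to account 42"
    results = {}
    for name in ("sha1", "sha256", "sha512"):  # swapping the embedded hash is one argument
        tag = hmac_generic(key, msg, name)
        results[name] = {
            "matches_stdlib": tag == hmac.new(key, msg, name).digest(),
            "accepts_original": verify(key, msg, tag, name),
            "rejects_modified_msg": not verify(key, msg + b"0", tag, name),
            "rejects_wrong_key": not verify(b"other-key", msg, tag, name),
        }
    return results


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```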
Authenticated Encryption (AE)
• A term used to describe encryption systems that simultaneously protect confidentiality and authenticity of communications
• Approaches:
  • Hashing followed by encryption
  • Authentication followed by encryption
  • Encryption followed by authentication
  • Independently encrypt and authenticate
• Both decryption and verification are straightforward for each approach
• There are security vulnerabilities with all of these approaches
Counter with Cipher Block Chaining-Message Authentication Code (CCM)
• Was standardized by NIST specifically to support the security requirements of IEEE 802.11 WiFi wireless local area networks
• Variation of the encrypt-and-MAC approach to authenticated encryption
• Defined in NIST SP 800-38C
• Key algorithmic ingredients:
  • AES encryption algorithm
  • CTR mode of operation
  • CMAC authentication algorithm
• Single key K is used for both encryption and MAC algorithms
The input to the CCM encryption process consists of three elements:
• Data that will be both authenticated and encrypted
  • This is the plaintext message P of the data block
• Associated data A that will be authenticated but not encrypted
  • An example is a protocol header that must be transmitted in the clear for proper protocol operation but which needs to be authenticated
• A nonce N that is assigned to the payload and the associated data
  • This is a unique value that is different for every instance during the lifetime of a protocol association and is intended to prevent replay attacks and certain other types of attacks
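The three CCM inputs described above, as an added example that is not part of the original slides: AES-CCM from the third-party Python `cryptography` package (assumed to be installed), showing that a change to the clear-text header A, to the ciphertext, or to the nonce N makes verification fail. The nonce layout, header and payload are constructed for illustration.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

TAG_LEN = 16  # bytes of authentication tag appended to the ciphertext


def make_nonce(assoc_id: bytes, seq: int) -> bytes:
    """13-byte nonce N: 5-byte association id plus 8-byte message counter (assumed layout)."""
    assert len(assoc_id) == 5
    return assoc_id + seq.to_bytes(8, "big")


def seal(key: bytes, nonce: bytes, header: bytes, payload: bytes) -> bytes:
    """Encrypt payload P; the tag covers both P and the clear-text header A."""
    return AESCCM(key, tag_length=TAG_LEN).encrypt(nonce, payload, header)


def unseal(key: bytes, nonce: bytes, header: bytes, sealed: bytes):
    """Return P, or None when N, A or the ciphertext fails authentication."""
    try:
        return AESCCM(key, tag_length=TAG_LEN).decrypt(nonce, sealed, header)
    except InvalidTag:
        return None


def demo() -> dict:
    key = AESCCM.generate_key(bit_length=128)     # single key K for encryption and MAC
    assoc = b"\x01\x02\x03\x04\x05"               # constructed association id
    header = b"src=10.0.0.1;dst=10.0.0.2;seq=7"   # constructed header A, sent in the clear
    payload = b"constructed payload P"
    nonce = make_nonce(assoc, 7)
    sealed = seal(key, nonce, header, payload)
    forged_header = header.replace(b"10.0.0.2", b"10.0.0.9")
    flipped = bytes([sealed[0] ^ 0x01]) + sealed[1:]
    return {
        "overhead_is_tag_only": len(sealed) == len(payload) + TAG_LEN,
        "round_trip": unseal(key, nonce, header, sealed) == payload,
        "header_edit_rejected": unseal(key, nonce, forged_header, sealed) is None,
        "ciphertext_edit_rejected": unseal(key, nonce, header, flipped) is None,
        "wrong_nonce_rejected": unseal(key, make_nonce(assoc, 8), header, sealed) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A receiver that derives the nonce from its own expected counter, as `make_nonce` does here, rejects a message presented under any other counter value.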
Galois/Counter Mode (GCM)
• NIST standard SP 800-38D
• Designed to be parallelizable so that it can provide high throughput with low cost and low latency
• Message is encrypted in variant of CTR mode
• Resulting ciphertext is multiplied with key material and message length information over GF(2^128) to generate the authenticator tag
• The standard also specifies a mode of operation that supplies the MAC only, known as GMAC
• Makes use of two functions:
  • GHASH - a keyed hash function
  • GCTR - CTR mode with the counters determined by simple increment by one operation
Key Wrap (KW)
• Most recent block cipher mode of operation defined by NIST
• Uses AES or triple DEA as the underlying encryption algorithm
• Purpose is to securely exchange a symmetric key to be shared by two parties, using a symmetric key already shared by those parties
  • The latter key is called a key encryption key (KEK)
• Robust in the sense that each bit of output can be expected to depend in a nontrivial fashion on each bit of input
• Only used for small amounts of plaintext
Pseudorandom Number Generation Using Hash Functions and MACs
• Essential elements of any pseudorandom number generator (PRNG) are a seed value and a deterministic algorithm for generating a stream of pseudorandom bits
• If the algorithm is used as a pseudorandom function (PRF) to produce a required value, the seed should only be known to the user of the PRF
• If the algorithm is used to produce a stream encryption function, the seed has the role of a secret key that must be known to the sender and the receiver
• A hash function or MAC produces apparently random output and can be used to build a PRNG
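The two uses of the seed described above, as an added example that is not part of the original slides: a counter-driven generator built on HMAC-SHA256, used once as a PRF and once as a stream-encryption keystream. This is an illustrative construction, not a standardized DRBG; the function names, labels and seeds are constructed.

```python
import hashlib
import hmac


def hmac_stream(seed: bytes, label: bytes, n_bytes: int) -> bytes:
    """Deterministic byte stream: block i = HMAC-SHA256(seed, label || i)."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        block_input = label + counter.to_bytes(8, "big")
        out += hmac.new(seed, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n_bytes])


def xor_stream(seed: bytes, label: bytes, data: bytes) -> bytes:
    """Stream encryption: XOR data with the keystream; the same call decrypts.

    The label must be unique per message under one seed, otherwise the
    keystream repeats. This gives confidentiality only, no integrity.
    """
    keystream = hmac_stream(seed, label, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def demo() -> dict:
    seed = b"constructed shared seed"          # constructed; acts as the secret key
    message = b"constructed plaintext for the stream cipher use"
    # PRF use: only the seed holder can reproduce the derived value.
    derived = hmac_stream(seed, b"session-key", 32)
    # Stream use: sender and receiver both hold the seed.
    ciphertext = xor_stream(seed, b"msg-0001", message)
    return {
        "deterministic": derived == hmac_stream(seed, b"session-key", 32),
        "seed_dependent": derived != hmac_stream(b"another seed", b"session-key", 32),
        "label_dependent": derived != hmac_stream(seed, b"other-label", 32),
        "ciphertext_differs": ciphertext != message,
        "receiver_recovers": xor_stream(seed, b"msg-0001", ciphertext) == message,
    }


if __name__ == "__main__":
    print(demo())
```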
Summary
• Message authentication requirements
• Message authentication functions
  • Message encryption
  • Message authentication code
• Requirements for message authentication codes
• Security of MACs
  • Brute-force attacks
  • Cryptanalysis
• Pseudorandom number generation using hash functions and MACs
• MACs based on hash functions: (HMAC)
  • HMAC design objectives
  • HMAC algorithm
  • Security of HMAC
• MACs based on block ciphers: DAA and CMAC
• Authenticated encryption: CCM and GCM
• Key wrapping
  • Background
  • Key wrapping algorithm
  • Key unwrapping
