Table of Contents
1. Message Authentication Requirements
2. Message Authentication Functions
3. Requirements for Message Authentication Code
4. Security of MACs
5. MACs Based on Hash Functions:HMAC
6. MACs Based on Block Ciphers: DAA and CMAC
7. Authenticated Encryption:CCM and GCM
8. Key Wrapping
9. Pseudorandom Number Generation Using Hash
Functions and MACs
2
Message Authentication Requirements (1/2)
• 1. Disclosure: Release of message contents to any person or process not
possessing the appropriate cryptographic key.
• 2. Traffic analysis: Discovery of the pattern of traffic between parties
• 3. Masquerade: Insertion of messages into the network from a fraudulent
source.
• 4. Content modification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification.
• 5. Sequence modification: Any modification to a sequence of messages
between parties, including insertion, deletion, and reordering.
• 6. Timing modification: Delay or replay of messages.
• 7. Source repudiation: Denial of transmission of message by source.
• 8. Destination repudiation: Denial of receipt of message by destination.
3
Message Authentication Requirements (2/2)
• a procedure to verify that received messages come from
the alleged source and have not been altered.
• verify sequencing and timeliness.
• A digital signature is an authentication technique that also
includes measures to counter repudiation by the source.
4
Message Authentication Functions (1/10)
Autenticator may be grouped into three classes.
• Hash function: A function that maps a message of any
length into a fixedlength hash value, which serves as the
authenticator
• Message encryption: The ciphertext of the entire message
serves as its authenticator
• Message authentication code (MAC): A function of the
message and a secret key that produces a fixed-length
value that serves as the authenticator
5
Message Authentication Functions (2/10)
6
Symmetric Encryption
A message M transmitted from source A to destination B is
encrypted using a secret key K shared by A and B. If no other
party knows the key, then confidentiality is provided: No other
party can recover the plaintext of the message.
In addition, B is assured that the message was generated by A
M M E D
Key Key E(K, M)
Source Destination
Message Authentication Functions (3/10)
7
M M E D
PUb PRb E(PUb, M)
Source A Destination B
Public-key Encryption (1/3)
Public-Key encryption: confidentiality
The source (A) uses the public key PUb of the destination (B) to encrypt M.
Because only B has the corresponding private key PRb,
only B can decrypt the message.
Provides no authentication, because any opponent could also use
B’s public key to encrypt a message and claim to be A.
Message Authentication Functions (4/10)
Public-key Encryption (2/3)
The message must have come from A because A is the only party that
possesses PRa and therefore the only party with the information
necessary to construct ciphertext that can be decrypted with PUa.
8
M M E D
PRa PUa E(PRa, M)
Source A Destination B
Public-Key encryption: authentication and signature
Message Authentication Functions (5/10)
Public-key Encryption (3/3) • To provide both confidentiality and authentication, A can encrypt M first using its
private key, which provides the digital signature, and then using B’s public key,
which provides confidentiality. The disadvantage of this approach is that the
public-key algorithm, which is complex, must be exercised four times rather than
two in each communication
9
M E E
PRa PUa E(PRa, M)
Source A Destination B
Public-Key encryption: confidentiality, authentication, and signature
M D D
PRb PUa E(PRa, M) E(PUb, E(PRa, M))
Message Authentication Functions (6/10)
Message Authentication Code (1/5)
• This technique assumes that two communicating parties,
say A and B, share a common secret key K. When A has a
message to send to B, it calculates the MAC as a function
of the message and the key
MAC = C(K, M)
• M = input message
• C = MAC function
• K = shared secret key
• MAC = message authentication code
10
Message Authentication Functions (7/10)
Message Authentication Code (2/5)
11
M M
C
K
Source A Destination B
C(K, M)
C
K
Compare
Message authentication
Message Authentication Functions (8/10)
Message Authentication Code (3/5)
12
M M
C
K1
E(K2, [M||C(K1, M)])
Message authentication and confidentiality:
authentication tied to plaintext
E
K2
M
C(K, M)
C
K1
Compare
D
K2
Message Authentication Functions (9/10)
Message Authentication Code (4/5)
13
M
C
K1
C(K1, E(K2, M))
E
K2
M
C K1
Compare
D
K2
E(K2, M)
Message authentication and confidentiality:
authentication tied to ciphertext
Message Authentication Functions (10/10)
Message Authentication Code (5/5)
• There are a number of applications in which the same
message is broadcast to a number of destinations
• An exchange in which one side has a heavy load and
cannot afford the time to decrypt all incoming messages.
• The computer program can be executed without having to
decrypt it every time, which would be wasteful of
processor resources.
14
Requirements for Message Authentication Codes
• If an opponent observes M and MAC(K, M), it should be
computationally infeasible for the opponent to construct a
message M such that
MAC(K, M) = MAC(K, M)
• MAC(K, M) should be uniformly distributed in the sense
that for randomly chosen messages, M and M, the
probability that
MAC(K, M) = MAC(K, M)
is 2-n, where n is the number of bits in the tag.
• Let M be equal to some known transformation on M. That
is, M = f(M). For example, f may involve inverting one or
more specific bits. In that case,
Pr [MAC(K, M) = MAC(K, M)] = 2-n 15
Security of MACs
• Brute-Force Attacks
– Computation resistance: Given one or more text-MAC pairs [xi,
MAC(K, xi)], it is computationally infeasible to compute any text-
MAC pair [x, MAC(K, x)] for any new input x≠xi.
– the level of effort for brute-force attack on a MAC algorithm can be
expressed as min(2k, 2n)
– k: key length
– n: number of MAC bits
• Cryptanalysis – That is, an ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the
brute-force effort.
16
MACs Based on Hash Functions:HMAC (1/6)
• There has been increased interest in developing a MAC
derived from a cryptographic hash function
– Cryptographic hash functions such as MD5 and SHA generally
execute faster in software than symmetric block ciphers such as
DES.
– Library code for cryptographic hash functions is widely available.
• HMAC
– issued as RFC 2104,
– has been chosen as the mandatory-to-implement MAC for IP security
– is used in other Internet protocols, such as SSL
17
MACs Based on Hash Functions:HMAC (2/6)
• HMAC Design Objectives (RFC 2104)
– To use, without modifications, available hash functions.
– To allow for easy replaceability of the embedded hash function
– To preserve the original performance of the hash function
– To use and handle keys in a simple way
– To have a well understood cryptographic analysis
18
MACs Based on Hash Functions:HMAC (3/6)
• HMAC(K,M)
= H[(K+ ⊕ opad) ∥
H[(K+ ⊕ ipad) ∥M]]
• H = embedded hash function (e.g., MD5,
SHA-1, RIPEMD-160)
• IV = initial value input to hash function
• M = message input to HMAC (including the
padding specified in the embedded
• hash function)
• Yi = i th block of M, 0 … i … (L - 1)
• L = number of blocks in M
• b = number of bits in a block
• n = length of hash code produced by
embedded hash function
• K = secret key; recommended length is Ú n; if
key length is greater than b, the
• key is input to the hash function to produce an
n-bit key
• K+ = K padded with zeros on the left so that
the result is b bits in length • ipad = 00110110 (36 in hexadecimal) repeated b/8
times
• opad = 01011100 (5C in hexadecimal) repeated b/8
times
19
MACs Based on Hash Functions:HMAC (4/6)
1. Append zeros to the left end of K to create a b-bit string K+
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit
block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
20
MACs Based on Hash Functions:HMAC (5/6)
• Efficient Implementation
of HMAC
21
MACs Based on Hash Functions:HMAC (6/6)
• Security of HMAC – the probability of successful attack on HMAC is equivalent to
one of the following attacks on the embedded hash function. The attacker is able to compute an output of the compression
function even with an IV that is random, secret, and unknown to the
attacker
For a hash code length of 128 bits, this requires 264 observed blocks
(272 bits) generated using the same key.
if speed is a concern, it is fully acceptable to use MD5 rather than
SHA-1 as the embedded hash function for HMAC.
22
MAC s Based on Block Ciphers: DAA and CMAC (1/3)
• Data Authentication Algorithm (DAA) – (FIPS PUB 113) and an ANSI standard
– Security weaknesses in this algorithm have been discovered
– using the cipher block chaining (CBC) mode of operation of DES
• Cipher-Based Message Authentication Code (CMAC) – use with AES and triple DES
• AES; key length: 128, 192, 256bit. Block size: 128bit
• Triple-DES; key length: 112 or 168bit. Block size: 64bit
– NIST 800-38B
23
MAC s Based on Block Ciphers: DAA and CMAC (2/3)
24
• Data Authentication Algorithm (DAA)
MAC s Based on Block Ciphers: DAA and CMAC (3/3)
• Cipher-Based Message Authentication Code (CMAC)
25
Authenticated Encryption: CCM and GCM (1/7)
• Authenticated encryption: AE – simultaneously protect confidentiality and authenticity (integrity) of
communications.
• Four common approaches to providing both confidentiality and encryption for a message M.
– Hashing followed by encryption (H->E) • First compute the cryptographic hash function over M as h = H(M).
• Then encrypt the message plus hash function: E(K, (M} h))
– Authentication followed by encryption (A->E) • First authenticate the plaintext by computing the MAC value as T = MAC(K1, M).
• Then encrypt the message plus tag: E(K2, [M||T ]).
– Encryption followed by authentication (E->A) • First encrypt the message to yield the ciphertext C = E(K2, M).
• Then authenticate the ciphertext with T = MAC(K1, C) to yield the pair (C, T).
– Independently encrypt and authenticate (E+A). • Encrypt the message to yield the ciphertext C = E(K2, M).
• Authenticate the plaintext with T = MAC(K1, M) to yield the pair (C, T).
26
Authenticated Encryption: CCM and GCM
• Counter with Cipher Block Chaining-Message Authentication
Code
– a variation of the encrypt-and-MAC approach to authenticated
encryption.
– AES, CTR, CMAC
– A single key K is used for both encryption and MAC algorithms.
27
Authenticated Encryption: CCM and GCM (2/7)
Authenticated Encryption: CCM and GCM (
28
Authenticated Encryption: CCM and GCM (3/7)
Authentication of CCM
29
Authenticated Encryption: CCM and GCM (4/7)
• Encryption of CCM
Authenticated Encryption: CCM and GCM (5/7)
• Galois/Counter Mode
– standardized by NIST in NIST SP 800-38D
– designed to be parallelizable so that it can provide high throughput
with low cost and low latency.
– the message is encrypted in variant of CTR mode
– GHASH, which is a keyed hash function, and GCTR, which is
essentially the CTR mode
30
GHash
Authenticated Encryption: CCM and GCM (6/7)
• GCTRK
31
Authenticated Encryption: CCM and GCM (7/7)
• Galois Counter—Message Authentication Code
32
Key Wrap (1/3)
• Most recent block cipher mode of operation defined by NIST
– Uses AES or triple DEA as the underlying encryption algorithm
• Purpose is to securely exchange a symmetric key to be shared
by two parties, using a symmetric key already shared by these
parties
– The latter key is called a key encryption key (KEK)
• Robust in the sense that each bit of output can be expected to
depend in a nontrivial fashion on each bit of input
• Only used for small amounts of plaintext
33
Key Wrap (2/3)
• Key Wrap
34
Key Wrapping Operation for 256-bit Key
Key Wrap (3/3)
35
Pseudorandom Number Generation Using Hash
Functions and MACs (1/2)
• The essential elements of any pseudorandom number
generator
– Seed value
– Deterministic algorithm for generating a stream of pseudorandom
bits
36
PRNG using cryptographic hash function PRNG using HMAC
Pseudorandom Number Generation Using Hash
Functions and MACs (2/2)
37
m = [n/outlen] w0 = V W = the null string For i = 1 to m wi = MAC(K, wi-1) W = W||wii Return leftmost n bits of W
m = [n/outlen] W = the null string For i = 1 to m wi = MAC(K, (V|| i)) W = W||wi Return leftmost n bits of W
m = [n/outlen] A(0) = V W = the null string For i = 1 to m A(i) = MAC(K, A(i - 1)) wi = MAC(K, (A(i) }V) W = W||wi
Return leftmost n bits of W
NIST SP 800-90 IEEE 802.11i TLS/WTLS
Q & A
38