Message Authentication

Codes
Network Security
 Afifa Info.tech 16019

Maryam Riaz Info.tech 16034

Members Hafsa Riaz Info.tech 16022

Aqsa Bibi Info.tech 16033

Mahnoor Info.tech 16028

Message Authentication

• Why is Message Authentication?

• Protecting the integrity of a message
• Validating identity of originator
• Non-repudiation of origin (dispute
resolution)
Message Security Requirements

Content
Traffic
Disclosure Masquerade modification
analysis

Timing
Sequence Source Destination
modification
modification repudiation repudiation
 Message Authentication Requirements
In the context of communications across a network, the following attacks can be identified

Description Measures
Disclosure Release of message contents to any person  Measures to deal with the first two
or process not possessing the appropriate attacks are in the realm of message
cryptographic key confidentiality and are dealt with in
Part One.
Traffic Analysis Traffic analysis Discovery of the pattern of
traffic between parties. In a connection-
oriented application, the frequency and
duration of connections could be
determined. In either a connection-oriented
or connectionless environment, the number
and length of messages between parties
could be determined.
 Message Authentication Requirements

Description Measures
Masquerade Insertion of messages into the network from a To deal with these items are generally
fraudulent source. This includes the creation of regarded as message authentication.
messages by an opponent that are purported to
come from an authorized entity. Also included are
fraudulent acknowledgments of message receipt or
non-receipt by someone other than the message
recipient.
Generally, a digital signature technique
Content modification Changes to the contents of a message, including
will also counter some or all of the
insertion, deletion, transposition, and modification.
attacks here.

Source repudiation Denial of transmission of message by source. Mechanisms for dealing specifically with
this comes under the heading of digital
signatures.
 Message Authentication Requirements

Description Measures
Sequence modification Any modification to a sequence of messages Measures to deal with these items are
between parties, including insertion, deletion, generally regarded as message
and reordering. authentication.
Generally, a digital signature technique
Timing modification Delay or replay of messages. In a connection-
will also counter some or all of the
oriented application, an entire session or
attacks here.
sequence of messages could be a replay of some
previous valid session, or individual messages in
the sequence could be delayed or replayed. In a
connectionless application, an individual message
(e.g., datagram) could be delayed or replayed.

Destination Denial of receipt of message by destination.  Dealing with this item may require a
combination of the use of digital
repudiation signatures and a protocol designed to
counter this attack.
• Message Encryption
• Message Authentication Code (MAC)
• Hash Function

Message Authentication
Functions
 Message encryption

• We have learned symmetric encryption algorithms and asymmetric

encryption algorithms.
• Now let’s review what security goals these algorithms can achieve.
Here we are interested in the following security properties:
• Confidentiality,
• Message authentication, and
• Non-repudiation.
 Source authentication, which
verifies the identity of the source,
Message prevents the acceptance of
messages from a fraudulent source.
authentication
involves two
aspects: Data integrity, which protects the
data from modification
Symmetric encryption limitations

• A sends B a message M encrypted by their shared secret

key K.
• Because a third party is unable to recover the plaintext of
the message without the knowledge of K, confidentiality is
provided.
• Now let’s examine how encryption mechanism can provide
message authentication.
• Generally, B is assured that the message is from A,
because A is the only person (other than B) who is able to
generate the ciphertext that can be decrypted using K.
• Further, if M is fully recovered, B knows none of the bits of
M have been altered.
• However, to achieve this goal B needs to be able to
identify the “correct plaintext” from the ones that is
decrypted from an altered ciphertext, or the ciphertext
generated with a different key
 Symmetric encryption limitations

• There are several scenarios:

• If M is in ordinary English, then B can recognize the message by
reading off it. But this “plaintext” is difficult to be recognized
automatically.
• If M is in binary code, and can be any arbitrary bit pattern, then there
is no way to determine automatically, whether the recovered message
is legitimate or not.
• Lacking of an automatic way to verify the recovered message limits the
usage of symmetric encryption as a mechanism for message
authentication.
• If a block cipher (such as DES, AES) is used, then modes of operations need
to be applied for messages whose length is larger than a block, no data
integrity protection is provided by any mode of operation. This means that
an attacker is able to alter the message (such as re-arranging the
blocks) without being detected by the receiver.
Asymmetric encryption limitations

• With public key encryption, if A

sends a message M to B, which is
encrypted with B’s public key
KUb , then message
confidentiality can be preserved.

• This is because the ciphertext of

M can only be decrypted by B’s
private key.
• No authentication is provided,
as any one may have access to
B’s public key and generate
such a ciphertext of M
Asymmetric encryption limitations

• If M is encrypted by A’s private

key, the encryption provides
both authentication and source
non-repudiation in limited
scenarios.
• This is because only A could
have prepared the ciphertext of
M.
• Since any other person with the
knowledge of A’s public key is
able to decrypt the message,
confidentiality is not provided
Double use of the public and private key encryption

• Due to the same reasoning as symmetric

encryption, the authentication is only
provided in limited scenarios such
• Receiver is able to distinguish the well-
formed plaintext and random bits, and
• Modes of operation are not used in
encryption procedure.
• A double use of the public 3 key and
private key encryption is needed to
achieve
• Confidentiality,
• Authentication, and
• Non-repudiation simultaneously.
Need of MAC

• The authentication support from the encryption mechanism

(including symmetric and asymmetric encryption) is
• Limited
• Inefficient
• So additional message authentication mechanism needs to be
developed.
• In what follows, we will study Message Authentication Code,
which is one of such mechanisms.
 Message authentication code(MAC)

o A message authentication code (MAC), also known as a

cryptographic checksum, is an authentication technique involves
the use of a secret key to generate a small fixed-size block of data.

o When A has a message to send to B, it calculates the MAC as a

function of the message and the key:
MAC= C(M,K)
o Where: M= input message
o C = MAC function
o K= shared secret key
Message authentication code(MAC)

The tag is appended to the message at the source.

The message and the MAC are transmitted to the recipient.

The receiver recomputes the MAC from the secret key and the message data
received.

The receiver MAC is compared to the calculated MAC for message

authentication

MAC function is similar to encryption and is Many to one in nature.

Message authentication code(MAC)

If we assume that only the receiver and the sender know the identity of the
secret key, and if the received MAC matches the calculated MAC, then:
o The receiver is assured that the message has not been altered. If an attacker
alters the message but does not alter the MAC, then the receiver’s
calculation of the MAC will differ from the received MAC. Because the
attacker is assumed not to know the secret key, the attacker cannot alter the
MAC to correspond to the alterations in the message.
o The receiver is assured that the message is from the alleged sender. Because
no one else knows the secret key, no one else could prepare a message with
a proper MAC.
o If the message includes a sequence number (such as is used with HDLC, X.25,
and TCP), then the receiver can be assured of the proper sequence because
an attacker cannot successfully alter the sequence number
 Message
authentication
 Message authentication
code(MAC)

A->B: E(K2, [M|| C(K1, M)])

• Provides authentication:
• Only sender and receiver share the
key K1

• Provides confidentiality:
• Only sender and receiver share the
key K2

Message Authentication and Confidentiality, authentication tied to plaintext

 Message authentication
code(MAC)

A->B: E(K2, M)|| C(K1, E(K2, M))

• Provides authentication:
• Using K1
• Provides confidentiality:
• Using K2
 CBC
NMAC
MAC
MAC
algorithms
PMAC HMAC
 CBC MAC

• It works similarly to encryption performed in the CBC mode, with a difference that

intermediate values are not returned. Moreover, after encryption of the last data
block, one additional encryption of the current result is performed using
the second secret key.
• The additional encryption is performed to protect the calculated code. The whole
process, including the last additional step, is often referred to as ECBC MAC
(Encrypted MAC), in contrast to the previous algorithm steps called Raw CBC MAC.
• CBC MAC can protect a message of any length, from one to many blocks. To ensure
security, while using CBC MAC one should change the secret key every some time.
It can be proved that after sending the number of messages that is equal roughly to
the square of the number of all possible values of data blocks, the key is no longer
safe.
CBC MAC

• CBC MAC is used
in various applications,
for example in banking
systems (ANSI X9.9,
X9.19 and FIPS 186-3
standards). It is often
based on
the AES algorithm,
that is used as
F function.
 NMAC

• The NMAC algorithm (Nested MAC) is similar to the CBC MAC algorithm described earlier. It
uses a slightly different pseudorandom function F. The function F returns numbers that are
correct values of secret keys (thus, not the values of data blocks).
• As in the case of CBC MAC, after encryption of the last data block, one additional encryption
of the result is performed, using the second secret encryption key. Because the previous
result of encryption of the last data block consists of the same amount of bits as the secret
key, an additional sequence of bits (a fix pad) should be append, to assure that the result has
the same size as data blocks. NMAC is usually used in systems, where the length of data
blocks is much bigger than the size of secret keys.
• Without the last step of the algorithm (that is, without encryption using the second key),
an intruder would be able to append any number of blocks to the intercepted message with
the correctly calculated authentication code. Then, he could calculate a new authentication
code and attach it to the modified message. As input to the first new added function F,
the attacker would use the original authentication code of the original message.
NMAC

• To ensure NMAC security, one

should change the secret key
from time to time. It can be
proved that after sending
the number of messages
equal roughly to the square
of the number of all possible
values of secret keys, the key
is no longer safe.
• The NMAC algorithm uses
the same methods for adding
padding bits to the end of
the last incomplete message
block, as the CBC MAC
algorithm.
Any Question
Thanks