Wikipedia

Message authentication code

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message, that is, for confirming that the message came from the stated sender (its authenticity) and has not been changed (its integrity). The MAC value allows verifiers (who also possess a secret key) to detect any changes to the message content.

Terminology

The term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications[1] to distinguish it from the use of the latter as media access control address (MAC address). However, some authors[2] use MIC to refer to a message digest, which aims only to uniquely but opaquely identify a single message. RFC 4949 recommends avoiding the term message integrity code (MIC), and instead using checksum, error detection code, hash, keyed hash, message authentication code, or protected checksum.

Definitions

Informally, a message authentication code system consists of three algorithms:

  • A key generation algorithm selects a key from the key space uniformly at random.
  • A signing algorithm efficiently returns a tag given the key and the message.
  • A verifying algorithm efficiently verifies the authenticity of the message given the same key and the tag. That is, return accepted when the message and tag are not tampered with or forged, and otherwise return rejected.

A secure message authentication code must resist attempts by an adversary to forge tags for arbitrary, select, or all messages, including under known- or chosen-message conditions. It should be computationally infeasible to compute a valid tag for a given message without knowledge of the key, even if, in the worst case, we assume the adversary knows the tag of any message but the one in question.[3]

Formally, a message authentication code (MAC) system is a triple of efficient[4] algorithms (G, S, V) satisfying:

  • G (key-generator) gives the key k on input $1^n$, where n is the security parameter.
  • S (signing) outputs a tag t on the key k and the input string x.
  • V (verifying) outputs accepted or rejected on inputs: the key k, the string x and the tag t.

S and V must satisfy the following:

$\Pr[\,k \leftarrow G(1^n),\ V(k, x, S(k, x)) = \textit{accepted}\,] = 1$.[5]

A MAC is unforgeable if for every efficient adversary A

$\Pr[\,k \leftarrow G(1^n),\ (x, t) \leftarrow A^{S(k,\cdot)}(1^n),\ x \notin \mathrm{Query}(A^{S(k,\cdot)}, 1^n),\ V(k, x, t) = \textit{accepted}\,] < \mathrm{negl}(n)$,

where $A^{S(k,\cdot)}$ denotes that A has access to the oracle $S(k, \cdot)$, and $\mathrm{Query}(A^{S(k,\cdot)}, 1^n)$ denotes the set of the queries on S made by A, which knows n. Clearly we require that any adversary cannot directly query the string x on S, since otherwise a valid tag can be easily obtained by that adversary.[6]

Security

While MAC functions are similar to cryptographic hash functions, they possess different security requirements. To be considered secure, a MAC function must resist existential forgery under chosen-message attacks. This means that even if an attacker has access to an oracle which possesses the secret key and generates MACs for messages of the attacker's choosing, the attacker cannot guess the MAC for other messages (which were not used to query the oracle) without performing infeasible amounts of computation.

MACs differ from digital signatures as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the property of non-repudiation offered by signatures specifically in the case of a network-wide shared secret key: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, which is public-key cryptography.[4] Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key usage information to the MAC key; the same key is in the possession of two people, but one has a copy of the key that can be used for MAC generation while the other has a copy of the key in a hardware security module that only permits MAC verification. This is commonly done in the finance industry.[citation needed]

Implementation

MAC algorithms can be constructed from other cryptographic primitives, like cryptographic hash functions (as in the case of HMAC) or from block cipher algorithms (OMAC, CCM, GCM, and PMAC). However, many of the fastest MAC algorithms, like UMAC-VMAC and Poly1305-AES, are constructed based on universal hashing.[7]

Intrinsically keyed hash algorithms such as SipHash are also by definition MACs; they can be even faster than universal-hashing based MACs.[8]

Additionally, the MAC algorithm can deliberately combine two or more cryptographic primitives, so as to maintain protection even if one of them is later found to be vulnerable. For instance, in Transport Layer Security (TLS), the input data is split in halves that are each processed with a different hashing primitive (SHA-1 and SHA-2) then XORed together to output the MAC.

One-time MAC

Universal hashing and in particular pairwise independent hash functions provide a secure message authentication code as long as the key is used at most once. This can be seen as the one-time pad for authentication.[9]

The simplest such pairwise independent hash function is defined by the random key, key = (a, b), and the MAC tag for a message m is computed as tag = (am + b) mod p, where p is prime.

More generally, k-wise independent hashing functions provide a secure message authentication code as long as the key is used less than k times.
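The one-time restriction can be checked directly. The following Python sketch is an added example, not part of the original article: it implements tag = (am + b) mod p and shows that two tags under the same key are two linear equations that determine (a, b), which is why the key must be discarded after one message. The prime p = 2^127 − 1, integer-valued messages, and all function names are assumptions of this example.

```python
import hmac
import secrets

# Assumption of this example: p is the Mersenne prime 2**127 - 1 and messages
# are integers in [0, p). The text only requires p to be prime.
P = 2**127 - 1


def keygen():
    """Pick the one-time key (a, b) uniformly at random from Z_p x Z_p."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(key, m):
    """Compute tag = (a*m + b) mod p for an integer message m."""
    a, b = key
    if not 0 <= m < P:
        raise ValueError("message must be an integer in [0, p)")
    return (a * m + b) % P


def verify(key, m, t):
    """Recompute the tag and compare it with t in constant time."""
    if not 0 <= t < P:
        return False
    expected = tag(key, m).to_bytes(16, "big")
    return hmac.compare_digest(expected, t.to_bytes(16, "big"))


def key_from_two_tags(m1, t1, m2, t2):
    """Solve t_i = a*m_i + b (mod p) for (a, b) given two distinct messages.

    With a single (m, t) pair every candidate a has exactly one matching b,
    so the key stays hidden; the second pair removes that freedom.
    """
    if m1 == m2:
        raise ValueError("need two distinct messages")
    a = (t1 - t2) * pow((m1 - m2) % P, -1, P) % P
    b = (t1 - a * m1) % P
    return a, b


def demo():
    """Return (single use verifies, reuse reveals key, revealed key tags m3)."""
    key = keygen()
    m1, m2, m3 = 1001, 1002, 424242  # constructed sample messages
    t1 = tag(key, m1)
    single_use_ok = verify(key, m1, t1)
    t2 = tag(key, m2)  # the mistake: the same key tags a second message
    recovered = key_from_two_tags(m1, t1, m2, t2)
    return single_use_ok, recovered == key, verify(key, m3, tag(recovered, m3))


if __name__ == "__main__":
    print(demo())
```

In a deployment the key pair (a, b) would be derived fresh for every message, which is how universal-hash MACs such as Poly1305 are used in practice.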

Message authentication codes and data origin authentication have also been discussed in the framework of quantum cryptography. In contrast to other cryptographic tasks, such as key distribution, for a rather broad class of quantum MACs it has been shown that quantum resources do not offer any advantage over unconditionally secure one-time classical MACs.[10]

Standards

Various standards exist that define MAC algorithms. These include:

  • FIPS PUB 113 Computer Data Authentication,[11] withdrawn in 2002,[12] defines an algorithm based on DES.
  • FIPS PUB 198-1 The Keyed-Hash Message Authentication Code (HMAC)[13]
  • NIST SP800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash [14]
  • ISO/IEC 9797-1 Mechanisms using a block cipher[15]
  • ISO/IEC 9797-2 Mechanisms using a dedicated hash-function[16]
  • ISO/IEC 9797-3 Mechanisms using a universal hash-function[17]
  • ISO/IEC 29192-6 Lightweight cryptography - Message authentication codes[18]

ISO/IEC 9797-1 and -2 define generic models and algorithms that can be used with any block cipher or hash function, and a variety of different parameters. These models and parameters allow more specific algorithms to be defined by nominating the parameters. For example, the FIPS PUB 113 algorithm is functionally equivalent to ISO/IEC 9797-1 MAC algorithm 1 with padding method 1 and a block cipher algorithm of DES.

An example of MAC use

[19] In this example, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, the receiver can safely assume that the message was not altered or tampered with during transmission (data integrity).

However, to allow the receiver to be able to detect replay attacks, the message itself must contain data that assures that this same message can only be sent once (e.g. time stamp, sequence number or use of a one-time MAC). Otherwise an attacker could – without even understanding its content – record this message and play it back at a later time, producing the same result as the original sender.
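The sender and receiver roles described above, including the replay check, can be written out as follows. This is an added example, not part of the original article; it assumes HMAC-SHA-256 as the MAC algorithm and a constructed wire format of an 8-byte sequence number, the message, and a 32-byte tag, and the names `sign` and `Receiver` are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA-256
SEQ_LEN = 8                             # constructed framing: 8-byte counter


def keygen() -> bytes:
    """Key generation: a uniformly random 256-bit shared key."""
    return secrets.token_bytes(32)


def sign(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: return seq || message || tag, with the tag covering seq too."""
    body = struct.pack(">Q", seq) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifier that also rejects any sequence number it has already passed."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1

    def accept(self, wire: bytes):
        """Return the message if it is authentic and fresh, otherwise None."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None
        body, received_tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison of the received and recomputed tags.
        if not hmac.compare_digest(expected, received_tag):
            return None  # altered in transit or produced without the key
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        # Freshness is only checked after the tag, so an unauthenticated
        # sequence number can never advance the receiver's state.
        if seq <= self._last_seq:
            return None  # replayed or stale
        self._last_seq = seq
        return body[SEQ_LEN:]


def demo():
    """Run one receiver over a valid, a tampered, a replayed and a new message."""
    key = keygen()
    rx = Receiver(key)
    first = sign(key, 0, b"transfer 100 to account 42")  # constructed message
    tampered = first[:20] + bytes([first[20] ^ 1]) + first[21:]
    second = sign(key, 1, b"transfer 5 to account 7")
    return [rx.accept(first), rx.accept(tampered),
            rx.accept(first), rx.accept(second)]


if __name__ == "__main__":
    print(demo())
```

The replayed copy of the first message carries a valid tag and is rejected only because of the sequence number, which is the point the paragraph above makes.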

Notes

  1. ^ IEEE Standard for Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (PDF). (2007 revision). IEEE-SA. 12 June 2007. doi:10.1109/IEEESTD.2007.373646. ISBN 978-0-7381-5656-9.
  2. ^ "CS 513 System Security -- Hashes and Message Digests". www.cs.cornell.edu. Retrieved 20 December 2023.
  3. ^ The strongest adversary is assumed to have access to the signing algorithm without knowing the key. However, her final forged message must be different from any message she chose to query the signing algorithm before. See Pass's discussions before def 134.2.
  4. ^ a b Theoretically, an efficient algorithm runs within probabilistic polynomial time.
  5. ^ Pass, def 134.1
  6. ^ Pass, def 134.2
  7. ^ "VMAC: Message Authentication Code using Universal Hashing". CFRG Working Group. Retrieved 16 March 2010.
  8. ^ Jean-Philippe Aumasson & Daniel J. Bernstein (18 September 2012). "SipHash: a fast short-input PRF" (PDF).
  9. ^ Simmons, Gustavus (1985). "Authentication theory/coding theory". Advances in Cryptology – Proceedings of CRYPTO 84. Berlin: Springer. pp. 411–431.
  10. ^ Nikolopoulos, Georgios M.; Fischlin, Marc (2020). "Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources". Cryptography. 4 (4): 31. arXiv:2011.06849. doi:10.3390/cryptography4040031. S2CID 226956062.
  11. ^ "FIPS PUB 113 Computer Data Authentication". Archived from the original on 27 September 2011. Retrieved 10 October 2010.
  12. ^ "Federal Information Processing Standards Publications, Withdrawn FIPS Listed by Number". Archived from the original on 1 August 2010. Retrieved 10 October 2010.
  13. ^ "The Keyed-Hash Message Authentication Code (HMAC)" (PDF). Retrieved 20 December 2023.
  14. ^ "SHA-3 Derived Functions". nvlpubs.nist.gov.
  15. ^ "ISO/IEC 9797-1:2011". ISO. Retrieved 20 December 2023.
  16. ^ "ISO/IEC 9797-2:2011". ISO. Retrieved 20 December 2023.
  17. ^ "ISO/IEC 9797-3:2011". ISO. Retrieved 20 December 2023.
  18. ^ "ISO/IEC 29192-6:2019". ISO. Retrieved 20 December 2023.
  19. ^ "Mac Security Overview", Mac® Security Bible, Wiley Publishing, Inc., 1 November 2011, pp. 1–26, doi:10.1002/9781118257739.ch1, ISBN 9781118257739

References

  • Goldreich, Oded (2001), Foundations of cryptography I: Basic Tools, Cambridge: Cambridge University Press, ISBN 978-0-511-54689-1
  • Goldreich, Oded (2004), Foundations of cryptography II: Basic Applications (1. publ. ed.), Cambridge [u.a.]: Cambridge Univ. Press, ISBN 978-0-521-83084-3
  • Pass, Rafael, A Course in Cryptography (PDF), retrieved 31 December 2015

External links

  • Ron Rivest lecture on MACs
