This document discusses Message Authentication Codes (MACs). It describes MACs as secret key algorithms that generate a tag to authenticate messages. There are two main types of MACs - cipher-based MACs that use symmetric encryption algorithms like block ciphers, and hash-based MACs that apply hash functions. The document outlines the security properties MACs should provide, such as being difficult to forge tags or recover keys from known message-tag pairs. It also describes common attacks on MACs like key recovery attacks or forging valid message-tag pairs.

1. ****
Message Authentication Code
course
Bouchra ECHANDOURI
b.echandouri@gmail.com
January 31, 2018

2. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Outline
1 Introduction
Security Properties/Goals
Cryptographic Primitive
2 Message Authentication Codes
Description
Construction
3 Cipher based Message Authentication Codes
Symmetric Encryption
Construction
4 Hash based Message Authentication Codes
Hash function
Construction
5 Security Requirements on a MAC
Key Recovery Attack
MAC Forgery Attack
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 2/26

3. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Introduction
• Private data transmission over arbitrary canal is
considered very risky.
• the need for designing robust cryptographic solutions
ensuring both data integrity and authentication is very
attempting.
• Message Authentication Code (MAC) is one of the most
provably secure algorithms that ensure authenticity.
• Using a shared secret key, the receiver checks if an
alteration have happened during transmission.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 3/26

4. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Properties/Goals
Availability
⇒ Any authorized entity can get access to data at any time.
Confidentiality
⇒ Only authorized entities to acces to the data can
understand it (ensured using Secret and Public key
Encryption).
Integrity
⇒ Only authorized entities to acces to the data can modify
it(ensured using Hash function).
⇒ Authenticity:Only authorized entities to acces to the data
can modify it using a secret key (ensured using Message
Authentication Codes and Digital signature).
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 4/26

5. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Properties/Goals
Sometimes we are not worried so much about secrecy,
but our need is to be assured that we have received
exactly the data being sent from the right sender.
The cryptographic primitive that we use for this
is a Message Authentication Code (MAC)
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 5/26

6. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cryptographic Primitive
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 6/26

7. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Message Authentication Codes
Description
Definition
A Message Authentication Code (MAC) is a secret key
algorithm that involves the use of a secret key k and two
algorithms namely a MAC generation algorithm MACGk
and a MAC verification algorithm MACVk .
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 7/26

8. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Message Authentication Codes
Description
The MACGk algorithm takes an arbitrary message M, a
secret key k and generates a unique fixed length termed
Tag or checksum, the generated tag is joined to the
message M to construct an authenticated message.
Tag = MACGk (M) (1)
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 8/26

9. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Message Authentication Codes
Description
TheMACVk algorithm uses the same key k and the
message M to reconstruct the valid Tag if no alteration
has affected the message, otherwise it is invalid and has
been altered.
MACVk (M, tag) = {valid, invalid} (2)
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 9/26

10. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Message Authentication Codes
Construction
To conceive a MAC there are many ways,
using on a keyed hash function
Using a symmetric encryption algorithm, namely
block cipher-based message authentication code
(CMAC) and Cipher Block Chaining message
authentication code (CBC-MAC).
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 10/26

11. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Symmetric Encryption
The symmetric encryption scheme has:
Plaintext (Data): This is the original data that is aimed
to be unintelligible, inputted to the algorithm.
Encryption algorithm: This performs a number of
substitutions and permutations on the plaintext.
Secret Key: This is a conventional key also inputted to
the encryption algorithm. The substitutions and
permutations that is performed depend on the used
secret key.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 11/26

12. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Symmetric Encryption
Ciphertext: This is the encrypted data produced as
output, to make it unintelligible for authorized entities. It
depends on the plaintext and the key.
Decryption Algorithm: This algorithm is the encryption
algorithm run in reverse. It takes the ciphertext and the
secret key to produce the original plaintext.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 12/26

13. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Symmetric Encryption
Block cipher are Symmetric encryption schemes that
split the plaintext in blocks of fixed lenght L bits and
encrypt one block at one time.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 13/26

14. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Symmetric Encryption
in Block cipher there exist :
Cipher Block Chaining (CBC): In 1976, Ehrsam,
Meyer, Smith and Tuchman introduced the Cipher Block
Chaining (CBC) mode of operation. In this mode,an
initialization vector must be used in the first block. Then,
each block of plaintext is XORed with the previous
ciphertext block before being encrypted.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 14/26

15. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Symmetric Encryption
Stream cipher are Symmetric encryption schemes that
encrypt bits individually. This is achieved by adding a bit
from a key stream to a plaintext bit.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 15/26

16. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Cipher based Message Authentication Codes
Construction
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 16/26

17. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Hash based Message Authentication Codes
Hash function
Definition
Hash function is one way transformation of any input,
with arbitrary length, to a fixed size length output, called
digest or checksum.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 17/26

18. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Hash based Message Authentication Codes
Hash function
A Hash function with inputs m, m’ and outputs h, h’ ,
follows these properties:
Pre-image resistance: It is computationally unfeasible
to find any input m from any fixed output h.
2nd-preimage resistance: It is computationally
unfeasible to find any second input m’ that has the same
output h=h’ as any fixed m.
Collision resistance: It is computationally unfeasible to
find two distinct inputs m and m’ with the same output
h=h’.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 18/26

19. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Hash based Message Authentication Codes
Construction
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 19/26

20. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Hash based Message Authentication Codes
HMAC
K is the key padded (with 0) to B bytes, the input block
size of the hash function
ipad = the byte 0x36 repeated B times
opad = the byte 0x5C repeated B times.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 20/26

21. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Requirements on a MAC
A Secure Message Authentication Codes, termed
MAC(.,.), that maps a key k and a message m is secure if
it fulfills these required properties.
Given k and m, it is easy to generate MAC(k, m);
Given k and MAC( k,m), it is computationally unfeasible
to find m;
Given k it is computationally unfeasible to find two
different values m and m’ such that MAC(k,m)
=MAC(k,m’);
Given (possibly many) pairs of m and MAC( k, m), it is
computationally unfeasible to compute k;
Without a prior knowledge of k, it is computationally
unfeasible to compute MAC(k, m) for any m.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 21/26

22. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Requirements on a MAC
Robustness to Key Recovery Attack
MAC algorithm can be attacked given knowledge of one
known (Data/Tag) pair (assuming that the length of data
is upper than the key length). The attacker simply
recomputes the Tag on the Data with every possible key,
until the key is found giving the correct MAC.
⇒ This attack has complexity 2k
(k is the key length), which is
feasible if k is sufficiently small.
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 22/26

23. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Requirements on a MAC
Robustness to Key Recovery Attack
Examples of key recovery attack :
Brute force on the key space.
Exhaustive key research
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 23/26

24. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Requirements on a MAC
Robustness to MAC Forgery Attack
Forgery attack is the most known attack on MACs
function, where the malicious entity can provide at least
a valid (Data/Tag) pair without holding the secret key
Existential Forgery Attack: compute a valid Tag for a
random Data
Universal Forgery Attack: compute a valid Tag for any
given Data
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 24/26

25. Introduction
Security Properties/Goals
Cryptographic Primitive
Message
Authentication
Codes
Description
Construction
Cipher based
Message
Authentication
Codes
Symmetric Encryption
Construction
Hash based
Message
Authentication
Codes
Hash function
Construction
Security
Requirements
on a MAC
Key Recovery Attack
MAC Forgery Attack
Security Requirements on a MAC
Robustness to MAC Forgery Attack
Example of MAC Forgery Attack :
Birthday attack : based on the frequency of collisions.It is
a type of forgery attack on MACs that proves the maximum
limit on their security, especially to those based on iterative
hash functions. This attack requires using about
2n/2
Data/Tag known pairs (i.e. n as the Tag length)
Bouchra ECHANDOURI Message Authentication Code January 31, 2018 25/26

26. Thank You