
Message Authentication in Computationally Constrained Environments
Benjamin Arazi, Senior Member, IEEE
Abstract—RFID and Wireless Sensor Networks exemplify computationally constrained environments, where the compact nature of
the components cannot support complex computations or high communication overhead. On the other hand, such components should
support security applications such as message integrity, authentication, and time stamping. The latter are efficiently implemented by
Hash Message Authentication Codes (HMAC). As clearly stated in the literature, current approved implementations of HMAC require
resources that cannot be supported in constrained components. An approach to implement a compact HMAC by the use of stream
ciphering is presented in this paper.
Index Terms—Secured communications, HMAC, constrained environments, challenge response, stream ciphers.
The author is with the Department of Electrical and Computer Engineering, Ben Gurion University,
Beer Sheva 84105, Israel. E-mail: arazi@ee.bgu.ac.il.
Manuscript received 23 Mar. 2008; revised 20 Nov. 2008; accepted 10 Feb. 2009; published online
11 Feb. 2009.
For information on obtaining reprints of this article, please send e-mail to: tmc@computer.org,
and reference IEEECS Log Number TMC-2008-03-0104.
Digital Object Identifier no. 10.1109/TMC.2009.40.
1536-1233/09/$25.00 © 2009 IEEE. Published by the IEEE CS, CASS, ComSoc, IES, & SPS

1 INTRODUCTION

MESSAGE integrity and authenticity, and replay prevention, are essential in security-related
communications. Here, a receiver is expected to be able to verify that a received message,
originally transmitted by a valid source, was not changed. Also, the receiver has to verify that
the message was not transmitted by a cloned source, and is not a retransmission of an originally
genuine message transmitted in the past by a valid source. Technically, verifying message
integrity and authenticity is based on the receiver’s ability to prove to itself that the
transmitter stores a valid secret key that was used when the message was transmitted.

Surely, symmetric and asymmetric cryptographic schemes can also be used in satisfying the above.
In this paper, we treat the case where the facility at the data source has limited resources. In
such environments, message integrity and authenticity is usually verified using Message
Authentication Code (MAC).

MAC(M, K) is a one-way transformation of the message M and a secret key K shared with the
verifier. The values M and MAC(M, K) are both sent to the verifier. Upon receiving these values,
the verifier generates himself a value MAC'(M, K) based on the received M and the value of K
known to him. If MAC'(M, K) = MAC(M, K), the verifier decides that the message is authentic and
equals its original value. If an attacker has access to an oracle which possesses K and generates
MACs for messages M chosen by the attacker, it should be infeasible to guess the MAC value for
any new message not interrogated before. To prevent illegal replaying, there is also a need for a
time-dependent proof. This is achieved by a challenge-response interrogation procedure, as
depicted in Fig. 1.

1.1 MAC and Challenge-Response Interrogation

The Challenge Response CR, generated in the interrogated component (top of the figure), is the
MAC of three values: 1) the component’s secret key K, 2) a random challenge C received from the
interrogator, and 3) the message M whose authenticity is to be proved.

Subsequently, the interrogated component transmits: 1) the component’s public key PK, which is an
encrypted version of K issued by the system manager and stored in the component, 2) M, and 3) CR.

Upon receiving the above three values, the interrogator performs the operations shown at the
bottom of the figure. The interrogator first retrieves K out of the received PK, using a system
decryption key. In practice, the system decryption key is not necessarily stored at the
interrogator’s facility. Here, the interrogation operations can be performed in an external
secure place. Under another version, the key K of the interrogated component is retrieved from a
secured network, rather than being recovered by decrypting a value PK submitted by the component.

The interrogating receiver then has the same three values that generated the MAC at the
interrogated component. The same MAC is now calculated at the interrogating receiver, and the
output is compared to the received CR. If the two values match, the integrity and authenticity of
the received message is confirmed.

The interrogated component’s response CR is unique, as it depends on the private secret key K
which differs for different components. The procedure prevents replay attacks, since the response
sent by the interrogated component depends on the real-time random challenge C sent by the
interrogator.

The same mechanism can also be used in access control, preventing illegal writings of a message M
into the component, by still executing a MAC operation in the component. Here, the component
challenges the external party, asking it to prove that it knows the component’s secret key. In
this scenario, the direction of flow of C and M in Fig. 1 is reversed. It is the component which
generates C. The comparison of the MAC values is done in the component. Upon success, M is
allowed to be written.
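The interrogation procedure of Section 1.1, as an added example (not code from the paper): HMAC-SHA256 stands in for the MAC, an XOR pad derived from a hypothetical SYSTEM_KEY stands in for the system manager's encryption of K into PK, and the class and function names are assumptions. The interrogator here also discards each challenge once used, so a recorded response fails against any later challenge.

```python
import hashlib
import hmac
import secrets

SYSTEM_KEY = secrets.token_bytes(32)  # constructed; the system manager's key (assumption)


def wrap_key(k: bytes, nonce: bytes) -> bytes:
    """PK: toy stand-in for 'encrypted version of K' (XOR with a hash-derived pad)."""
    pad = hashlib.sha256(SYSTEM_KEY + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(k, pad))


def unwrap_key(pk: bytes) -> bytes:
    """Interrogator side: retrieve K out of the received PK."""
    nonce, body = pk[:16], pk[16:]
    pad = hashlib.sha256(SYSTEM_KEY + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad))


def mac(k: bytes, c: bytes, m: bytes) -> bytes:
    """MAC of (K, C, M); C is length-prefixed so the C/M boundary is unambiguous."""
    return hmac.new(k, len(c).to_bytes(2, "big") + c + m, hashlib.sha256).digest()


class Component:
    def __init__(self):
        self.k = secrets.token_bytes(32)           # per-component secret key K
        self.pk = wrap_key(self.k, secrets.token_bytes(16))

    def respond(self, c: bytes, m: bytes):
        return self.pk, m, mac(self.k, c, m)       # transmits PK, M, CR


class Interrogator:
    def __init__(self):
        self.pending = set()                       # challenges issued, not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)                # fresh random challenge C
        self.pending.add(c)
        return c

    def verify(self, c: bytes, pk: bytes, m: bytes, cr: bytes) -> bool:
        if c not in self.pending:                  # unknown or already-used challenge
            return False
        self.pending.discard(c)                    # each challenge is single-use
        # Recompute the MAC from the same three values; compare in constant time.
        return hmac.compare_digest(mac(unwrap_key(pk), c, m), cr)
```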
