Message Authentication

Authentication and Integrity

• We have seen that a private key encryption scheme provides security against an eavesdropping adversary (passive adversary).
• In other words, a private key encryption scheme ensures the privacy of communication in the sense that even if an adversary eavesdrops on the communication, all it will get is gibberish.
• What will happen if the adversary is capable of manipulating the communication channel (active adversary)?
• Consider a scenario: Alice receives a message m from Bob and she wants to convince herself that the message m was not modified en route (message integrity).
• Often message integrity is equally or even more important than message privacy, and private key encryption schemes fail to provide message integrity.
• Although we need both the privacy and the integrity of messages, in this section we focus only on message integrity.
• Similar to private key encryption, message integrity schemes also require a secret key to be shared between sender and receiver. Systems for ensuring integrity are called Message Authentication Codes, or MACs for short.
Message Authentication Code (MAC)
(M, K, T, Gen, Mac, Vrfy)
M: Set of all possible messages (message space), {0,1}^*.
K: Key space, {0,1}^n.
T: Tag space, {0,1}^s.
Gen: A PPT algorithm that, on input n, generates a key k uniformly at random from {0,1}^n.
Mac: A PPT algorithm that, on input a key k and a message m ∈ {0,1}^*, generates a tag t.
Vrfy: A deterministic poly-time algorithm that, on input (m, t) and a key k, outputs 1 or 0.

Correctness

Vrfy_k(m, Mac_k(m)) = 1   ∀ n, ∀ k ∈ K, ∀ m ∈ M

Most commonly used MACs are deterministic!


Threat Model and Security Goal

• Chosen Message Attack (CMA): The attacker can somehow manage to induce the sender to authenticate messages of its choice (oracle access to MAC).
• Existential Unforgeability: The attacker should not be able to produce a new message (other than the ones queried) and a valid tag for it.

Consider a MAC Π and a PPT algorithm A (attacker).
Randomised experiment Forge_{A,Π}(n):
• k ← Gen(n).
• A asks the Mac_k oracle for the tags of the messages m_1, m_2, ..., m_i, etc.
• A outputs (m, t).
• A succeeds if m ∉ {m_1, m_2, ...} and t is a valid tag for it and A evaluates to 1.
Π is secure if

Pr[Forge_{A,Π}(n) = 1] ≤ (n)

for all PPT algorithms A, where (n) is a negligible function.

Question: What about Replay Attacks?


Construction of MACs
CBC-MAC
[Figure: CBC-MAC over message blocks m1, ..., m5, starting from iv, with E_k applied at each block.]

• iv is usually set to all zeros, i.e., CBC-MAC is deterministic.
• What if we choose a random iv? What will happen to the security?
• How is it different from the CBC mode of encryption?
• For any fixed length ℓ, CBC-MAC is a secure MAC for messages of length ℓ · n.
• How to construct a MAC for variable-length messages?
Exercises:
1. Show that the CBC-MAC described above, when applied to variable-length messages, is not a secure MAC.
2. Suggest a quick fix to the above problem.
3. In the construction of the above MAC, the initialisation vector is set to 0. Comment on the security of the above MAC if a random initialisation vector is used.
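Why the fixed-length restriction matters, as an added example that is not part of the original slides: basic CBC-MAC with iv = 0 next to a variant that MACs the block count as the first block. The block cipher E_k is replaced here by truncated HMAC-SHA256 (an assumption, since CBC-MAC only runs E_k forwards), and the names `cbc_mac_len`, `splice` and `demo` are hypothetical.

```python
import hmac, hashlib, secrets

BLOCK = 16  # block length n in bytes (assumed for this example)

def E(k, x):
    # Stand-in for E_k: HMAC-SHA256 truncated to one block. CBC-MAC only
    # evaluates E_k in the forward direction, so a keyed PRF is enough here.
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(k, m):
    # Basic CBC-MAC with iv = 0; m must be a whole number of blocks.
    if not m or len(m) % BLOCK:
        raise ValueError("message must be a positive multiple of BLOCK bytes")
    state = bytes(BLOCK)
    for i in range(0, len(m), BLOCK):
        state = E(k, xor(state, m[i:i + BLOCK]))
    return state

def cbc_mac_len(k, m):
    # Length-prepended variant: the number of blocks is MACed as block 0.
    return cbc_mac(k, (len(m) // BLOCK).to_bytes(BLOCK, "big") + m)

def vrfy(mac, k, m, t):
    # Recompute the tag and compare in constant time.
    return hmac.compare_digest(mac(k, m), t)

def splice(m, t):
    # One-block m with tag t -> two-block message m || (m XOR t), built without k.
    return m + xor(m, t)

def demo(k=None):
    k = k or secrets.token_bytes(32)
    m = b"PAY 0000100 EUR "                      # constructed 16-byte message
    t_basic, t_len = cbc_mac(k, m), cbc_mac_len(k, m)
    basic_accepts = vrfy(cbc_mac, k, splice(m, t_basic), t_basic)
    fixed_accepts = vrfy(cbc_mac_len, k, splice(m, t_len), t_len)
    return basic_accepts, fixed_accepts

if __name__ == "__main__":
    print(demo())
```

The basic verifier accepts the old tag for a two-block message it never authenticated, because the second block cancels the chaining value; with the block count fixed in the first block the same splice no longer verifies.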
Cryptographic Hash Function–an informal overview

• It is a compression function H : {0,1}^* → {0,1}^n where n is a fixed value.
• Given m, it is easy to compute H(m). (Efficient)
• It should have the following additional properties:
1. Preimage Resistant: Given H(m), it is (computationally) hard to find message m.
2. Second-Preimage Resistant: Given m, it is (computationally) difficult to find m′ such that H(m) = H(m′).
3. Collision Resistant: It is (computationally) hard to find m and m′ such that H(m) = H(m′).
MAC based on Hash Function

Hash and MAC

[Figure: Hash and MAC. Labels: message M and tag t, public channel, secure channel, key k at sender and receiver.]

t = Mac_k(H(m))

• If Mac_k is secure and H is collision-resistant, then it is a secure MAC.
HMAC

• This is a message authentication code, different from “Hash and MAC”, which is also based on Cryptographic Hash Functions.
• HMAC was designed by Bellare, Canetti, and Krawczyk in 1996.
• Used for authentication in SSL, IPsec, etc.
• I will skip the details of it. Interested ones may refer to books or may consult with me offline.
Authenticated Encryption
• Ideally, we require both secrecy and message authentication in an encryption scheme.

Encrypt and Authenticate

Sender (k1, k2): c = Enc_{k1}(m), t = Mac_{k2}(m)
Public channel: (c, t)
Receiver (k1, k2): m = Dec_{k1}(c), check Vrfy_{k2}(m, t) = 1

• Is there any problem with this scheme?
• The tag may leak some information about the message. (Think of a deterministic MAC?)
Authenticated Encryption..

Encrypt then Authenticate

Sender (k1, k2): c = Enc_{k1}(m), t = Mac_{k2}(c)
Public channel: (c, t)
Receiver (k1, k2): check Vrfy_{k2}(c, t) = 1, m = Dec_{k1}(c)

• If the encryption scheme is CPA-secure and the MAC is secure, this combination provides a CCA-secure encryption scheme.
• What happens if k1 = k2? Is the encryption scheme still secure?
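The two compositions side by side, as an added example that is not part of the original slides: with a deterministic MAC, Encrypt and Authenticate gives equal tags for equal plaintexts even though the ciphertexts differ, while Encrypt then Authenticate tags the randomized ciphertext and rejects a modified one before decrypting. HMAC-SHA256 is used as the MAC, the cipher is a stand-in built from HMAC-SHA256 with a fresh nonce (an assumption), the keys k1 and k2 are independent, and all function names are hypothetical.

```python
import hmac, hashlib, secrets

def mac(k2, data):
    # Deterministic MAC (HMAC-SHA256): equal inputs always give equal tags.
    return hmac.new(k2, data, hashlib.sha256).digest()

def keystream_xor(k1, nonce, data):
    # Stand-in cipher core: XOR with HMAC-SHA256(k1, nonce || counter) blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(k1, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def enc(k1, m):
    nonce = secrets.token_bytes(16)      # fresh randomness per encryption
    return nonce + keystream_xor(k1, nonce, m)

def dec(k1, c):
    return keystream_xor(k1, c[:16], c[16:])

def encrypt_and_authenticate(k1, k2, m):
    return enc(k1, m), mac(k2, m)        # t = Mac_k2(m): tag over the plaintext

def encrypt_then_authenticate(k1, k2, m):
    c = enc(k1, m)
    return c, mac(k2, c)                 # t = Mac_k2(c): tag over the ciphertext

def open_etm(k1, k2, c, t):
    # Receiver side: Vrfy_k2(c, t) first, decrypt only if it returns 1.
    if not hmac.compare_digest(mac(k2, c), t):
        return None
    return dec(k1, c)

def demo():
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    m = b"transfer approved"             # constructed sample plaintext
    (c1, t1), (c2, t2) = (encrypt_and_authenticate(k1, k2, m) for _ in range(2))
    (c3, t3), (c4, t4) = (encrypt_then_authenticate(k1, k2, m) for _ in range(2))
    tampered = c3[:-1] + bytes([c3[-1] ^ 1])
    return (c1 != c2 and t1 == t2,       # tags reveal that the plaintexts are equal
            t3 != t4,                    # tags over ciphertexts do not
            open_etm(k1, k2, c3, t3) == m,
            open_etm(k1, k2, tampered, t3) is None)

if __name__ == "__main__":
    print(demo())
```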
