Cryptography Reference
In-Depth Information
Figure 3.11. Authentication channel. (Diagram labels: Adversary; Message X; MAC c; MAC; Compare; Key K; Generator; channel marked CONFIDENTIAL and AUTHENTICATED.)
guarantees the authenticity. As is done for encryption, we can separate the usage of
this channel from the transmission of the document by using it to transmit a secret key
and no message-dependent value. Once the key is set up, the transmission of the hashed
value is replaced by the transmission of the MAC through the insecure channel. We can
thus use an expensive authentication channel in order to provide authentication over an
insecure channel (see Fig. 3.11).
Note that message authentication implicitly includes message integrity and is thus
a little stronger. It is a common mistake to confuse the two and to speak about message
integrity when we mean message authentication. One reason may be
that we want to reserve the noun “authentication” for peer authentication rather than
message authentication.
The MAC is thus computed (from the message and the secret key) by a function
which is improperly called MAC. It usually works like a cryptographic hash function
with a key.
3.4.2 Threat Model
We want to protect ourselves against an adversary who has already seen several pairs
(M, c) where c is the MAC for M, and who wants to create a pair (M, c) with a new M
(which is not authentic) and a valid MAC (which would pass the authenticity check).
Like for encryption, the pairs can be obtained by known or chosen message attacks
(see Fig. 3.12).
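The flow of Fig. 3.11 and the forgery attempts of this threat model, as an added example that is not from the original text. HMAC-SHA256, the function names and the sample messages are assumptions; the text does not name a MAC construction.

```python
import hashlib
import hmac
import secrets

def generate_key() -> bytes:
    """Key generator of Fig. 3.11: K is sent once over the confidential, authenticated channel."""
    return secrets.token_bytes(32)

def mac(key: bytes, message: bytes) -> bytes:
    """c = MAC_K(X). HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side ("Compare"): recompute the MAC and compare in constant time."""
    return hmac.compare_digest(mac(key, message), tag)

def run_threat_model() -> dict:
    key = generate_key()
    # Chosen-message attack: the adversary obtains valid tags for messages
    # it picks (constructed sample messages).
    seen = {m: mac(key, m) for m in (b"pay 10 to alice", b"pay 20 to bob")}
    m_old, c_old = next(iter(seen.items()))
    m_new = b"pay 9999 to mallory"  # the new, non-authentic message
    attempts = {
        "authentic pair": (m_old, c_old),
        "new message, reused tag": (m_new, c_old),
        "new message, tag under guessed key": (m_new, mac(secrets.token_bytes(32), m_new)),
        # An unkeyed hash is computable by anyone, so it cannot replace the MAC
        # on the insecure channel.
        "new message, unkeyed hash as tag": (m_new, hashlib.sha256(m_new).digest()),
        "old message, one tag bit flipped": (m_old, bytes([c_old[0] ^ 1]) + c_old[1:]),
        # Each message is authenticated on its own: a repeated authentic pair
        # still verifies, since session integrity is outside this check.
        "authentic pair replayed": (m_old, c_old),
    }
    return {name: verify(key, m, c) for name, (m, c) in attempts.items()}

if __name__ == "__main__":
    for name, accepted in run_threat_model().items():
        print(f"{name:40s} accepted={accepted}")
```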
Note that we concentrate on the authentication of single messages but we do not
address integrity of a communication session: as long as messages are authenticated, we
 