Cryptography Reference
In-Depth Information
A MAC is superficially similar to a hash function with regard to the properties
that it should have. However, there are several crucial differences that arise because
of the involvement of a symmetric key. This is why MACs are able to provide data
origin authentication and hash functions are not. As a comparison, we now review
the properties we require of a hash function and discuss to what extent these are
provided by a MAC:
Compression . A MAC does condense arbitrary long inputs into a fixed length
output since it produces a fixed length digest of a message, regardless of how
long the input message is.
Easy to compute . In hash functions this applies to anyone , however, this
property is highly restricted for MACs. A MAC must be easy to compute
for anyone who knows the symmetric MAC key , which is normally only
the legitimate sender and receiver of a MAC. However, it must be hard to
compute the correct MAC on a message for anyone who does not know the
MAC key.
Preimage/second preimage/collision resistance . These properties are important
for the security of hash functions since, without them, it might be possible
for an attacker to manipulate the 'commitment' properties of a hash function.
But MACs are not used for the wide range of applications that hash functions
are used for. MACs are only used to provide data origin authentication of
messages. We now consider separately the case of attackers, who do not know
the MAC key, and legitimate MAC key holders:
1. A MAC is normally sent alongside a message, so an attacker is not really
interested in the equivalent of preimage resistance (trying to work out the
message from the MAC). Thus the only real goal of an attacker who does not
know the MAC key is to try to come up with a MAC that is valid for a message
that has not been legitimately sent. This attack is often referred to as a MAC
forgery . Hence the security property that we really want for MACs is MAC
forgery resistance , namely, that it is hard to find a valid message/MAC pair
without knowledge of the MAC key.
Note that in the context of providing data origin authentication, MAC forgery
resistance is a general security property that covers all the types of attack that
the hash function security properties were designed to stop. For example,
suppose that an attacker views a legitimate message M and its MAC computed
using key K , whichwe denote MAC K ( M ). The attacker could use this information
(somehow) to try to find an alternative (fraudulent) message M that has the
same MAC when computed with key K . Since
MAC K ( M )
the attacker can now present the message M along with the observed MAC
and will deceive the receiver into accepting it. This type of attack is precisely
what second preimage resistance is designed to prevent in a hash function.
MAC K ( M )
=
 
Search WWH ::




Custom Search