Cryptography Reference
In-Depth Information
That means, from Alice's perspective, Bob must have generated the MAC. In terms
of security services, message authentication is provided.
In practice, a messages
x
is often much larger than the corresponding MAC.
Hence, similar to hash functions, the output of a MAC computation is a fixed-length
authentication tag which is independent of the length of the input.
Together with earlier discussed characteristics of MACs, we can summarize all
their important properties:
Properties of Message Authentication Codes
1.
Cryptographic checksum
A MAC generates a cryptographically secure
authentication tag for a given message.
2.
Symmetric
MACs are based on secret symmetric keys. The signing and
verifying parties must share a secret key.
3.
Arbitrary message size
MACs accept messages of arbitrary length.
4.
Fixed output length
MACs generate fixed-size authentication tags.
5.
Message integrity
MACs provide message integrity: Any manipulations
of a message during transit will be detected by the receiver.
6.
Message authentication
The receiving party is assured of the origin of
the message.
7.
No nonrepudiation
Since MACs are based on symmetric principles,
they do not provide nonrepudiation.
The last point is important to keep in mind: MACs do not provide nonrepudia-
tion. Since the two communicating parties share the same key, there is no possibility
to prove towards a neutral third party, e.g., a judge, whether a message and its MAC
originated from Alice or Bob. Thus, MACs offer no protection in scenarios where
either Alice or Bob is dishonest, like the car-buying example we described in Sec-
tion 10.1.1. A symmetric secret key is not tied to a certain person but rather to two
parties, and hence a judge cannot distinguish between Alice and Bob in case of a
dispute.
In practice, message authentication codes are constructed in essentially two dif-
ferent ways from block ciphers or from hash functions. In the subsequent sections
of this chapter we will introduce both options for realizing MACs.
12.2 MACs from Hash Functions: HMAC
An option for realizing MACs is to use cryptographic hash functions such as SHA-
1 as a building block. One possible construction, named HMAC, has become very
popular in practice over the last decade. For instance, it is used in both the Transport
Layer Security (TLS) protocol (indicated by the little lock symbol in your Web
browser) as well as in the IPsec protocol suite. One reason for the widespread use of