Lecture 9: Message Authentication Code

In this lecture, we will study message authentication. This lecture is organized as follows. • First we will review the cryptographic algorithms that we have learned so far, and discuss their limitations in protecting data integrity and supporting message authentication. • Then we will examine the concept and the design of Message Authentication Code (MAC). I. REVIEW In the previous lectures, we have learned symmetric encryption algorithms and asymmetric encryption algorithms. Now let's review what security goals these algorithms can achieve. Here we are interested in the following security properties: confidentiality, message authentication, and non-repudiation. In particular, message authentication involves two aspects: • Source authentication, which verifies the identity of the source, prevents the acceptance of messages from a fraudulent source. • Data integrity, which protects the data from modification. Let's start with symmetric encryption. As shown in Fig. 1 (a), A sends B a message M encrypted by their shared secret key K. Because a third party is unable to recover the plaintext of the message without the knowledge of K, confidentiality is provided. Now let's examine how encryption mechanism can provide message authentication. Generally, B is assured that the message is from A, because A is the only person (other than B) who is able to generate the ciphertext that can be decrypted using K. Further, if M is fully recovered, B knows none of the bits of M have been altered. However, to achieve this goal B needs to be able to identify the " correct plaintext " from the ones that is decrypted from an altered ciphertext, or the ciphertext generated with a different key. And there are several scenarios: • If M is in ordinary English, then B can recognize the message by reading off it. But this " plaintext " is difficult to be recognized automatically. • If M is in binary code, and can be any arbitrary bit pattern, then there is no way to determine automatically, whether the recovered message is legitimate or not. Lacking of an automatic way to verify the recovered message limits the usage of symmetric encryption as a mechanism for message authentication. Moreover, if a block cipher (such as DES, AES) is used,