Have you sent a message to your friend or family? Have you ever wondered how that message is authenticated on the other end?
This article focuses on a critical topic in Cryptography, i.e., MAC or Message Authentication Code. We will study two types of Message Authentication Codes or MACs, NMAC or Nested Message Authentication Codes and HMAC or Hash-Based Message Authentication Codes, in detail. We will try to understand the working of NMAC and HMAC as well.
NMAC or Nested MAC in Cryptography
NMAC stands for Nested Message Authentication Code.
NMAC is closely related to CBC-MAC, but it is built from a pseudorandom function F whose output lies in the key space, F: K × X → K. The value returned by F is used as the secret key for the next invocation of F (rather than being XORed into the next data block, as in CBC-MAC).
Working of NMAC or Nested MAC
Now, let's try understanding the working of NMAC or Nested Message Authentication Code.
In NMAC, the output of F on the final data block is processed once more under a second, independent secret key, just as the CBC-MAC variant with a final encryption (ECBC-MAC) encrypts its result under a second key.
Because the result of processing the last block lives in the key space K, it is shorter than a data block; a fixed, public string of bits, the fixed pad (fpad), is appended to bring it up to the block size before the final application of F. NMAC therefore fits constructions in which the block length is substantially larger than the key length, such as the compression function of a hash function (SHA-256 takes a 512-bit block and a 256-bit chaining value).
Without this final step under the second key, the construction is simply the repeated application of F, known as the 'cascade'. The cascade by itself is not a secure MAC; the final step is what protects the computed code, in the same way that the final encryption protects CBC-MAC.
If the final step is omitted (no processing under the second key), an attacker who intercepts a message and its tag can append any number of blocks and compute a correct tag for the extended message: the intercepted tag is exactly the key that F would be given for the first appended block, so the attacker simply continues the cascade from it. The attacker thereby obtains a valid authentication code for a message the key holder never authenticated.
The secret key should also be changed periodically. The security bound for NMAC degrades with the number of messages authenticated under one key: after roughly the square root of the number of possible keys (about 2^(n/2) messages for an n-bit key, the birthday bound) the key should no longer be considered secure.
NMAC uses the same rule as CBC-MAC to pad a final partial message block. The padding must be injective (for example, append a single 1 bit followed by zeros, adding a whole padding block when the message already fills a whole number of blocks); otherwise two different messages would pad to the same block sequence and share a tag.
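The construction and the extension attack described above, as an added example that is not part of the original article. It instantiates the PRF F: K × X → K as SHA-256 over a 32-byte key prefix and one 64-byte block (an assumption made for the demonstration, not a standard NMAC instantiation), uses the injective 0x80-then-zeros padding, and shows that a forgery against the bare cascade verifies while the same forgery against NMAC does not. Keys and messages are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 64    # size of one data block x in X (bytes); assumption for this example
KEYLEN = 32   # size of a key in K (bytes); F's output has this size

# Constructed keys for the demonstration (not real secrets).
K1 = bytes(range(KEYLEN))
K2 = bytes(range(KEYLEN, 2 * KEYLEN))
FPAD = b"\x00" * (BLOCK - KEYLEN)  # fixed pad: any public constant of this length works


def F(k: bytes, x: bytes) -> bytes:
    """PRF F: K x X -> K. Instantiated here as SHA-256(k || x); with a fixed-size
    secret prefix and exactly one block of input this is a reasonable stand-in."""
    assert len(k) == KEYLEN and len(x) == BLOCK
    return hashlib.sha256(k + x).digest()


def pad(msg: bytes) -> bytes:
    """Injective padding shared by CBC-MAC and NMAC: append a 1 bit (0x80) then
    zeros up to the block boundary; a message that already fills whole blocks
    gets one extra padding block, so no two messages pad to the same blocks."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)


def cascade(k: bytes, blocks: bytes) -> bytes:
    """The cascade: F's output becomes the key for the next block. By itself this
    is NOT a secure MAC (see forge_cascade)."""
    assert len(blocks) % BLOCK == 0
    t = k
    for i in range(0, len(blocks), BLOCK):
        t = F(t, blocks[i:i + BLOCK])
    return t


def cascade_mac(k: bytes, msg: bytes) -> bytes:
    """The insecure variant: cascade with no final step under a second key."""
    return cascade(k, pad(msg))


def nmac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """NMAC: cascade under k1, then one more F call under the independent key k2
    on the fpad-extended result. This final step is what stops the extension attack."""
    t = cascade(k1, pad(msg))
    return F(k2, t + FPAD)


def verify(k1: bytes, k2: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time (avoids timing leaks on mismatch)."""
    return hmac.compare_digest(nmac(k1, k2, msg), tag)


def forge_cascade(msg: bytes, tag: bytes, suffix: bytes) -> tuple:
    """Extension attack on the cascade, needing only an intercepted (msg, tag).
    pad(msg) is block-aligned, so pad(pad(msg) + suffix) == pad(msg) + pad(suffix):
    the attacker restarts the cascade with the stolen tag as the key."""
    forged_msg = pad(msg) + suffix
    forged_tag = cascade(tag, pad(suffix))
    return forged_msg, forged_tag


def demo() -> dict:
    msg = b"transfer 10 EUR to account 42"       # constructed sample message
    suffix = b"; then transfer 9000 EUR to 666"  # attacker's appended data
    # 1. Against the bare cascade the forgery verifies.
    tag = cascade_mac(K1, msg)
    forged_msg, forged_tag = forge_cascade(msg, tag, suffix)
    cascade_forgery_ok = forged_tag == cascade_mac(K1, forged_msg)
    # 2. Against NMAC the same trick fails: the tag is F(k2, ...), not the cascade state.
    ntag = nmac(K1, K2, msg)
    forged_msg2, forged_tag2 = forge_cascade(msg, ntag, suffix)
    nmac_forgery_ok = verify(K1, K2, forged_msg2, forged_tag2)
    return {"cascade_forgery_verifies": cascade_forgery_ok,
            "nmac_forgery_verifies": nmac_forgery_ok}


if __name__ == "__main__":
    print(demo())
```

The forged message is the original message followed by its own padding bytes and the attacker's suffix; a receiver that strips padding after verification would see the original content with extra data appended, which is exactly the scenario the text warns about.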
HMAC or Hash-Based MAC in Cryptography
HMAC stands for Hash-Based Message Authentication Code. It is a MAC built from a cryptographic hash function: the hash is applied to the data that has to be authenticated together with a secret key shared by the communicating parties. Like any other MAC, it provides data integrity and origin authentication: each party can verify that data it receives is unmodified and came from a holder of the key. HMAC is used inside the transport protocols underlying SFTP (SSH), HTTPS and FTPS (TLS), and many others.
The underlying hash function can be MD5, SHA-1, SHA-256 or another iterated hash; HMAC-MD5 and HMAC-SHA1 are not broken by the known collision attacks on those hashes, but new designs should use SHA-256 or stronger. HMACs and digital signatures both combine a key with a hash function, but the keys differ: HMAC uses a symmetric key (an identical copy held by both parties), while a signature uses an asymmetric key pair (a private signing key and a public verification key).
Working of HMAC or Hash-Based MAC
Now, let's try understanding the working of HMAC or Hash Based Message Authentication Code.
Client and server share a secret key known only to them. For each request, the client computes a tag (the HMAC) over the request.
When the client sends a request, it computes the HMAC of the request data under the shared key and includes the tag with the request. The key is not simply concatenated with the data and hashed once; it is folded into the hash twice (an inner and an outer hash), which is what makes the construction secure.
On receipt, the server recomputes the HMAC over the received data with its copy of the key and compares the two tags. Only if they match is the request accepted as coming from the key holder and unmodified. The comparison should be done in constant time, so that response timing does not reveal how much of a guessed tag was correct.
Three kinds of functions can be used for message authentication: hash functions, message encryption, and message authentication codes.
The difference between a plain hash and an HMAC is the dependence on the key. In HMAC the hash function is applied to the plaintext together with a key: rather than hashing the message alone, we first derive a block of bits S from the key shared by sender and recipient, prepend it to the plaintext, and then apply the hash function.
The key K is first brought to the hash function's block size of b bits. A key shorter than b bits is padded with zeros on the right (appended) to form K+ of length b bits; a key longer than b bits is first hashed, and the digest is then padded the same way (RFC 2104).
'ipad' and 'opad' are two fixed padding constants of b bits: ipad is the byte 0x36 repeated, opad the byte 0x5c repeated. They give two derived keys, S_i = K+ XOR ipad and S_o = K+ XOR opad. S_i is prepended to the message before the inner hash; S_o is prepended to the inner hash's result before the outer hash, so that HMAC(K, M) = H(S_o || H(S_i || M)).
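The ipad/opad construction just described, and the client/server request flow from the preceding section, as an added example that is not part of the original article. The HMAC is implemented from scratch per RFC 2104 on top of `hashlib` and cross-checked against Python's standard `hmac` module; the request canonicalisation (length-prefixed method, path and body) and the key value are assumptions made for the example.

```python
import hashlib
import hmac  # standard library, used here only as a reference to cross-check


def hmac_rfc2104(key: bytes, msg: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC(K, M) = H((K+ XOR opad) || H((K+ XOR ipad) || M)), per RFC 2104."""
    b = hashfn().block_size                  # hash input block size: 64 bytes for SHA-256
    if len(key) > b:                         # keys longer than a block are hashed first
        key = hashfn(key).digest()
    k_plus = key + b"\x00" * (b - len(key))  # K+: zeros appended to reach b bytes
    ipad = bytes([0x36] * b)
    opad = bytes([0x5c] * b)
    s_i = bytes(kb ^ pb for kb, pb in zip(k_plus, ipad))  # inner key S_i
    s_o = bytes(kb ^ pb for kb, pb in zip(k_plus, opad))  # outer key S_o
    inner = hashfn(s_i + msg).digest()       # inner hash over S_i || message
    return hashfn(s_o + inner).digest()      # outer hash over S_o || inner result


def sign_request(key: bytes, method: str, path: str, body: bytes) -> bytes:
    """Client side: tag over a canonical encoding of the request. Each field is
    length-prefixed so that ('GET', '/a', b'b') and ('GET', '/ab', b'') differ."""
    parts = [method.encode(), path.encode(), body]
    canonical = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac_rfc2104(key, canonical)


def check_request(key: bytes, method: str, path: str, body: bytes, tag: bytes) -> bool:
    """Server side: recompute the tag and compare in constant time. A plain ==
    stops at the first differing byte and leaks, via timing, how many leading
    bytes of an attacker's guessed tag were right."""
    return hmac.compare_digest(sign_request(key, method, path, body), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return hmac_rfc2104(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # constructed for the example, not a real secret
    body = b'{"amount": 10}'
    tag = sign_request(shared_key, "POST", "/transfer", body)
    print(tag.hex())
    print(check_request(shared_key, "POST", "/transfer", body, tag))          # accepted
    print(check_request(shared_key, "POST", "/transfer", b'{"amount": 99}', tag))  # rejected
```

The first assertion in the accompanying check uses test case 1 of RFC 4231 (key of twenty 0x0b bytes, data "Hi There"), so a mistake in the key padding or in the ipad/opad values is caught immediately rather than silently agreeing with a buggy peer.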
Advantages of HMAC
HMACs suit high-performance systems such as routers because hash functions are far cheaper to compute and verify than public-key operations.
HMAC tags are short and fast to produce and check compared with digital signatures, and for two parties that already share a key they give equivalent integrity and origin assurance; unlike signatures, however, they cannot prove to a third party who produced the tag.
HMACs can be used in environments where public-key systems are unavailable or not permitted.
Disadvantages of HMAC
HMACs rely on a shared key, so they cannot provide non-repudiation: either party could have produced any given tag. If the key is compromised on either the sender's or the receiver's side, an attacker can forge tags for arbitrary messages.
Frequently Asked Questions
How long can a message authentication code be?
A full-length HMAC tag is the size of the hash output (256 bits for HMAC-SHA256); tags are commonly truncated to 128 bits (16 bytes). RFC 2104 recommends that a truncated tag be no shorter than half the hash output length and never shorter than 80 bits.
Does the message authentication code use the public key?
No. A MAC uses a symmetric secret key shared by sender and recipient; the recipient recomputes the tag with that key to confirm that the message was not tampered with in transit. Public keys belong to digital signatures, not MACs.
What is authenticated code?
A message authentication code is a keyed cryptographic checksum computed over data with an approved security function (for example, HMAC with an approved hash function); a holder of the key can verify that the data has not been altered.
What are the four principles of cryptography?
The key pillars of contemporary cryptography are Data Confidentiality, Data Integrity, Authentication, and Non-repudiation.
What are the two main types of cryptographic algorithms?
There are two main types of cryptographic algorithms: symmetric-key algorithms, where both parties use the same key, and asymmetric (public-key) algorithms, which use a key pair.
Conclusion
In this article, we have studied a critical topic in Cryptography, i.e., MAC or Message Authentication Code. We have studied two types of Message Authentication Codes or MACs, NMAC or Nested Message Authentication Codes and HMAC or Hash-Based Message Authentication Codes, in detail. We have understood the working of NMAC and HMAC as well.