Is it necessary to recover the secret key in order to attack a mac algorithm?

Message Authenticate Code

A Message Authentication Code (MAC) is a hash function that uses a key. A common MAC implementation is Cipher Block Chaining Message Authentication Code (CBC-MAC), which uses the CBC mode of a symmetric block cipher such as DES to create a MAC. Message Authentication Codes provide integrity and authenticity (proof that the sender possesses the shared key).

3.3.4.2.1 Managing MAC PIB

The MAC layer, similar to the PHY layer, has its own constants and attributes. The MAC attributes are stored in the MAC PAN Information Base (MAC-PIB) and are accessible to the NWK layer.

The NWK layer not only can request the MLME to obtain the value of an attribute from the MAC-PIB, it can also request the value of an attribute from the PHY-PIB. In the latter case, the MLME simply passes down the request to the PLME and notifies the NWK layer upon receiving the results from the PLME.

The NWK layer can request the MLME via the MLME-SAP to set a MAC-PIB or a PHY-PIB attribute to a given value. The NWK layer cannot change the read-only attributes in the MAC or PHY PIBs. The NWK request to change an attribute in the PHY-PIB is passed down by the MLME to the PLME via the PLME-SAP.

MAC Tag Data

The MAC tag produced by both implementations is not checked internally. The typical usage would involve transmitting the MAC tag with the ciphertext, and the recipient would compare it against the one he generated while decrypting the message.

In theory at least, you can truncate the MAC tag to short lengths such as 80 or 96 bits. However, some evidence points to the contrary with GCM, and in reality the savings are trivial. As the research evolves, it would be best to read up on the latest analysis papers of GCM and CCM to see if short tags are still in fact secure.

In practice, you can save more space if you aggregate packets over a stable channel. For example, instead of sending 128-byte packets, send 196- or 256-byte packets. You will send fewer nonces (and protocol data), and the difference can allow you to use a longer MAC tag. Clearly, this does not work in low latency switching cases (e.g., VoIP), so it is not a bulletproof suggestion.

Hash Message Authentication Code

Keyed Hash Message Authentication Code (HMAC) is a type of encryption that uses an algorithm in conjunction with a key. The algorithm is only as strong as the complexity of the key and the size of the output. For HMAC either 128 or 160 bits are used.

This type of Message Authentication Code (MAC) can be defeated. One way is by using the birthday attack. To ensure that your data is not deciphered, choose a strong key; use upper- and lowercase letters, numbers, and special characters. Also use 160 bits when possible.

Dynamic Host Configuration Protocol

Remember that unlike MAC addresses, IP addresses cannot be assigned in the factory, because they are dynamic and must reflect a device's current location within the Internet. A MAC module uses DHCP to acquire an IP address for itself to reflect the device's current location with respect to the Internet topology.

DHCP makes the request: “Please configure my MAC module with an IP address.” When one of a device's MAC layer modules connects to a new medium, it invokes DHCP to make this request. The associated DHCP module generates such a request that conveys the MAC address of the MAC module, which the MAC layer module broadcasts to the other devices attached to the same physical medium segment. A DHCP server responds with a unicast DHCP response binding an IP address to the MAC address. When it receives the response, the requesting DHCP module passes the assigned IP address to the network layer to configure in its address translation table.

In addition to binding an IP address to the MAC module used by DHCP, the response also contains a number of network configuration parameters, including the address of one or more routers, to enable reaching arbitrary destinations, the maximum datagram size supported, and the addresses of other servers, such as DNS servers, that translate human-readable names into IP addresses.

HMAC

A Hashed Message Authentication Code (HMAC) combines symmetric encryption with hashing. The approach is similar to a digital signature, except that it uses symmetric encryption instead of asymmetric. HMACs are used by IPsec (see below).

Two parties must preshare a secret key (such as a DES key). Once shared, the sender may generate a HMAC by hashing the message with an algorithm such as MD5 or SHA-1, and then encrypting the hash with the preshared key via symmetric cipher such as DES.

The receiver hashes the plaintext locally and also decrypts the HMAC with his/her copy of the private key, recovering the sender's hash. If the two hashes match, the sender is authenticated, and the message's integrity is assured.

Purpose of A MAC Function

The goal of a MAC is to ensure that two (or more) parties, who share a secret key, can communicate with the ability (in all likelihood) to detect modifications to the message in transit. This prevents an attacker from modifying the message to obtain undesirable outcomes as discussed previously.

MAC algorithms accomplish this by accepting as input the message and secret key and producing a fixed size MAC tag. The message and tag are transmitted to the other party, who can then re-compute the tag and compare it against the tag that was transmitted. If they match, the message is almost certainly correct. Otherwise, the message is incorrect and should be ignored, or drop the connection, as it is likely being tampered with, depending on the circumstances.

For an attacker to forge a message, he would be required to break the MAC function. This is obviously not an easy thing to do. Really, you want it be just as hard as breaking the cipher that protects the secrecy of the message.

Usually for reasons of efficiency, protocols will divide long messages into smaller pieces that are independently authenticated. This raises all sorts of problems such as replay attacks. Near the end of this chapter, we will discuss protocol design criteria when using MAC algorithms. Simply put, it is not sufficient to merely throw a properly keyed MAC algorithm to authenticate a stream of messages. The protocol is just as important.

A Symmetric Key Mutual Authentication Method

Our old friend the message authentication code can be used with a static, long-lived key to create a simple and robust mutual authentication scheme. Earlier we stressed that the properties of message authentication are incompatible with the use of a static key to provide forgery detection of session-oriented messages. The incompatibility is due to the use of sequence numbers for replay detection. We will replace sequence numbers with unpredictable quantities in order to resocialize static keys. The cost of this resocialization effort will be a requirement to exchange extra messages.

Suppose parties A and B want to mutually authenticate. We will assume that IDA is B’s name for the key it shares with A, whereas IDB is A’s name for the same key B. We will also assume that A and B share a long-lived message authentication key K and that K is known only to A and B. We will assume that A initiates the authentication. A and B can mutually authenticate using a three-message exchange, as follows: For message 1, A generates a random number RA and sends a message containing its identity IDA and random number to B:

(7.1)A→B:IDA,RA

The notation A→B: m means that A sends message m to B. Here the message being passed is specified as IDA, RA, meaning it conveys A’s identity IDA (or, more precisely, the name of the key K) and A’s random number RA. This message asserts B’s name for A, to tell B which is the right long-lived key it should use in this instance of the authentication protocol. The random number RA plays the role of the sequence number in the session-oriented case. It is random in order to provide an unpredictable challenge. If B responds correctly, then this proves that the response is live and was not pre-recorded. RA also acts as a transaction identifier for the response to A’s message 1 (it allows A to recognize which response goes with which message 1). This is important in itself, because without the ability to interleave different instances of the protocol A would have to wait forever for any lost message in order to obtain a correct theory.

If B is willing to have a conversation with A at this time, it fetches the correct message authentication key K, generates its own random number RB, and computes a message authentication code tag T over the message IDB, IDA, RA, RB, that is, over the message consisting of both names and both random numbers. B appends the tag to the message, which it then sends to A in response to message 1:

(7.2)B→A:IDB,IDA,RA,RB,T

B includes A’s name in the message to tell A which key to use to authenticate the message. It includes A’s random number RA in the message to signal the protocol instance to which this message responds.

The magic begins when A validates the message authentication code tag T. Since independently generated random numbers are unpredictable, A knows that the second message could not have been produced before A sent the first, because it returns RA to A. Since the authentication code tag T was computed over the two identities IDB and IDA and the two random numbers RA and RB using the key K known only to A and B, and since A did not create the second message itself, A knows that B must have created message 2. Hence, message 2 is a response from B to A’s message 1 for this instance of the protocol. If the message were to contain some other random number than RA, A would know the message is not a response to its message 1.

If A verifies message 2, it responds by computing a message authentication code tag T’ computed over IDA and B’s random number RB, which it includes in message 3:

(7.3)A→B:IDA,RB,T′

Reasoning as before, B knows A produced message 3 in response to its message 2, because message 3 could not have been produced prior to message 2 and only A could have produced the correct tag T’. Thus, after message 3 is delivered, A and B both have been assured of each other’s identity, and they also agree on the session instance, which is identified by the pair of random numbers RA and RB.

A deeper analysis of the protocol reveals that message 2 must convey both identities and both random numbers protected from forgery by the tag T. This construction binds A’s view of the session with B’s, and this is providing A with B’s view of what they know in common. This binding prevents interleaving or man-in-the-middle attacks. As an example, without this binding, a third party, C, could masquerade as B to A and as A to B. Similarly, message 3 confirms the common knowledge: A knows that B knows that A knows IDA, IDB, RA, and RB if B verifies the third message; similarly, if B verifies message 3, B knows that A knows that B knows the same parameters.

It is worth noting that message 1 is not protected from either forgery or replay. This lack of any protection is an intrinsic part of the problem statement. During the protocol, A and B must transition from a state where they are unsure about the other’s identity and have no communication instance instantiating the long-term relationship signified by the encryption key K to a state where they fully agree on each other’s identities and a common instance of communication expressing their long-lived relationship. A makes the transition upon verifying message 2, and there are no known ways to reassure it about B until this point of the protocol. B makes the state transition once it has completed verification of message 3. The point of the protocol is to transition from a mutually suspicious state to a mutually trusted state.

Does MAC require a secret key?

What type of attacks are addressed by MAC?

Does MAC require an encryption algorithm?

How is the security of MAC expressed in cryptography?