 We can use message authentication codes to perform the service of authentication and data integrity And we went through a few examples Basic idea is that we take our message and we calculate the Mac of the message Using some secret key shared only between the the source and the destination and the Mac We sometimes the output we call a tag or even just a code or a message authentication code the Mac is Attached to the message and sent and what the receiver does is checks Verifies the received message by comparing the Mac of the received message with the received Mac Okay, that is we receive a message plus the tag and And the receiver verifies by calculating the tag for the received message Comparing it to the received tag and they should be the same Because the nature of the Mac algorithm should be such that Two different input messages with the same key will produce different outputs different tags So if the message is the same as the original then we'll get the original tag back So the verification takes place there the other two diagrams here are just combining the Mac with encryption the first case The data is not encrypted so someone can see the data It's just authenticated the second two cases are the data is both encrypted and authenticated And the difference between them is the order in which the Mac and the encryption is applied in the the middle diagram Calculate the Mac and then encrypt in the bottom diagram encrypt and then Mac and If you see how for example secure shell works And if you capture some secure shell packets some of you have done that in a lab Then you'll see that a common form of a message authentication use is the bottom one of encrypt and then Mac Okay, that is you encrypt the the data first and then calculate the Mac on the ciphertext But the difference between those two is is not significant in encrypt and Mac or Mac been encrypt There are subtle differences, so there are some recommended approaches, but we will not go through them Both are considered secure in general cases, but there may be some specific cases where one is better than the other Commonly encrypt then Mac is used and we got to where Let's look at the security of Mac's just briefly talk about How someone can try to attack a message authentication Code algorithm We had some examples where the idea was from the attacker. I think we have one here The malicious user Tries to modify the message So and this was the case where the malicious user intercepted the message and the tag that was sent They changed the message But not the tag They send it on to be hoping be will think this is the real message but because of the Message authentication code was used be calculates using the key shared between itself and a on the receive message Using the Mac function and gets a calculated tag compares it to the receive tag and They will be different And in that way be detects something's gone wrong and doesn't trust the message and We covered a few other cases the other possible cases and we see that assuming that the algorithm Will produce produce two different messages with Well two different messages will produce two different tags or Using two different keys will produce two different tags assuming those rules hold Then the attack will be unsuccessful What about brute force attack? What can the attacker do and I'll bring up one of the other cases that we considered I think we have it here This one This didn't work for our attacker. What could they try to do in a brute force attack? How can the attacker make a change such that the receiver be doesn't detect the change and In a brute force attack, how could they do that? What do they need to do? What was the problem in this case? What could the attacker not do? They didn't know the key Okay, so here they changed the message. They modify the message. They want to Recalculate the tag of that modified message but They don't have the key that B is going to use to check B is going to use the key shared between itself and a Their attacker doesn't know that so must use some other key Well a brute force attack try and guess the key That's the basic idea here if you try and if you could find the key Then you can be successful in attacking because if if the malicious user did know KAB They could use it here and send the message and B would not know the message was modified so one approach from a brute force perspective is Try all possible keys And we'll do a little bit of analysis and see that approach so The security of a MAC algorithm with respect to brute force one thing it depends upon is the length of the key To stop a brute force attack on a key make the key long That's our general rule. So the key must be of a reasonable length more than a hundred bits most likely But there is another way that the attacker can try and attack and that's to try and guess a tag Even without the key Let's see if they can find a message that produces this They if they can find two different messages That produce the same tag They can be successful in an attack as well because we said that The success of the authentication depends upon the fact that two different messages produce two different tags That's what we depend upon but we've also said in theory Because there are more possible messages than tags Some messages will map to the same tag So the challenge of the attacker is to find Two messages that produce the same tag. Let's See the the concepts and then go through an example So in terms of the an attack we assume that the MAC function is known They they know what the algorithm is. They don't know the key And I think there's a typo here instead of four should be fine They want to find a valid MAC code for a given message X They not for find valid MAC find a tag for a given message without knowing the key If they can do that then they can defeat the authentication schemes So it should be hard for an attacker to find the tag without knowing the key and One way to state that is computation resistance that is if the attacker knows multiple one or more pairs of some message X here and The tag of that message so the MAC of some key of that same message if the attacker knows the tag and the message And multiple pairs It still should be hard for the attacker to be able to find that The tag for some other message That is if the attacker has some message X It should be hard for the attacker to find the corresponding tag That states the requirement here so given the message you can't find the tag unless you have the key of course But the assumption is we don't have the key Even if we've seen other tags and messages used with the same key We will not go through a proof for the details of the the security, but just quickly state the approximate strengths of message authentication codes. There are two brute force attacks Try and guess the key or Try and find the tag or the MAC value without knowing the key and there is some So for example brute force attack on the key the attacker knows for example some message X1 and the corresponding tag Where that tag T1 was calculated using a key on that message the attacker doesn't know the key a brute force attack try all possible keys So the attacker knows the MAC function they know X1 they take The first possible key calculate the MAC Get a tag if it produces T1 Then potentially they've found the correct key if not try another key, so they try all possible keys In this function here key one with X1 Look at the output if it matches the known T1 Then that's a possible key if not ignore that key and Try all possible keys the number of attempts if we have a key of k bits is 2 to the power of k so if our key is a 100 bits long they need 2 to the power of a hundred attempts to try all possible keys There's for this attack to be successful Usually the attacker may need to try with multiple pairs, but that's not so hard. That is that may be that Multiple keys will produce the correct tag in which case the attacker needs to try with a different pair of message and tag and The pairs that produce the use the correct key the same key will give us the answer The main point is that a brute force attack on the key depends upon the key length and Approximately the amount of effort is 2 to the power of k worst case that is if I need to try all keys and the keys k bits long I need to take 2 to the power of k attempts and A Mac function is usually in terms of computation on your computer is in the order of the same time to do an encryption function So 2 to the power of 100 attempts we've seen in brute force on symmetric key encryption 2 to the power of 128 is going to take billions of years 2 to the power of 64 may be possible So usually anything above 80 90 or 100 bits is is going to be secure So make the key long enough to avoid a brute force attack on the key Let's let's kind of see this consider a simple example. I Don't have a real Mac function, but I have a fake one that we can use with small values Let me see what we can do. I have a fake Mac function that will use and The parameters of that are that in the first instance We have a key of The key is three bits the Mac function takes the key is input and a message and produces a tag where the tag is in The first example I'll show is four bits and the message In my simple Mac function, I will show you is limited to eight bits So this is not a realistic Mac function. It's just a simple one to demonstrate the numbers in a brute force attack so Every message as input is fixed at eight bits and when we take the Mac of a message using a three-bit key We get a four-bit tag. How many possible messages? Which is two to the power of eight is 256 possible messages different messages with eight bits and How many possible tags? 16 possible tags. Do we have collisions? What's a collision two or more messages mapped to the same tag So they're 256 possible messages If we use the same key We can get 16 possible tags as output This is the input which implies that Some messages must map to the same tag There's no way that Applying the Mac function on two different messages will always produce two different tags because we don't have enough tags for each of the messages And that's just that's the same in the general case with a Mac function that the number of tags is Much smaller than the number of possible messages. So when I say collisions, I mean two different inputs produce the same tag as output in Theory possible and definitely in this case quite easy On average how many Messages map to the same tag. I know you've all done the statistics lesson on Moodle You go you I know you've all studied statistics. So you're experts on statistics and probabilities, especially On average how many messages produce the same tag 256 divided by 16 on average if we have random mappings So 16 Messages mapped to the one tag on average if it's random and a Mac function should be random That is it takes an input and produces a random output. So for a first example, I'll Say we have The attacker knows a tag the tag equals in my example shows They know a tag and they know the corresponding message So for example in the past a user has taken that message those eight bits Use the secret key K and obtain the tag one one one zero the attacker has intercepted them The attacker now wants to find the key What do they do? How do they find K in a brute-force attack? What are you going to do? Try all possible keys in the Mac function that is with that message M Try the first possible key. Let's say zero zero zero and To calculate the Mac if it gets the tag one one one zero Then we're on track if it doesn't try another key Now the example I'll show is again not a real Mac function. It's just one to to give some example numbers as output Let me find it So we've got a tag just remember one one one zero and a message What I just wrote and I've got a Mac function that that takes the message and a secret key I'm not going to tell you the secret key. It's secret and it produces a tag So I've got something that will try all keys on that message Basically what this function does is tries key zero zero zero Using this message and calculates the tag and we'll see the output then it tries key zero zero one on that message Gets the tag and does it for all keys. How many keys? Two to the power of three eight keys in our case There are eight possible keys just to keep it simple You tries all the keys it gets the tags. What's the key? Do you think? There was my brute force attack. I'm the attacker. What's the key? What I what this code did was took this message tried Key zero zero zero and it produced the tag one zero one one. I Know if that message uses the secret key it should produce this tag So this is not the right key So I try zero zero one. It doesn't produce the expected tag. We keep going and what do we get? 101 Okay, so in this case we've found the key is 101 Because that key with the same message as what we know produces the expected tag So that's the brute force attack on keys Now in some cases it may be that Two different keys produce the same tag If that happened then we'd need to try it on another known pair So in this attack the attacker knows the pair of tag and message just one pair If two keys produce the same tag we'd need to try those two keys on a second pair Which wouldn't be hard? How many attempts? Dot slash means run the program which is in this directory Dot means this directory slashes a directories separator. I'm not going to go through the Mac function I'm just trying to illustrate the number of attempts it takes Try all keys is just my own function that tries a Mac function on all possible keys On average or worst case. How many keys do we need to try it? In this case we took six, I think Worst case how many keys with this algorithm eight So in the best case I find it up front in the worst case it takes all eight on average It would take four so worst case is eight in this case In general two to the power of K K is the key length in this case. It's three So that's one attack from the attackers perspective in this case It made sense to attack the key the key was three bits it That was the weakest part of the algorithm but another example Same algorithm, but slightly different parameters Let's say in a second case. We have an algorithm that takes The key is five bits The tag it produces is four bits still and the message is also eight bits brute force attack on the key How many attempts worst case? 32 to the power of five okay five bit key. We need to try 32 so we could do that But let's look at it Excuse me a different attack. Let's say we know The attacker knows some tag Or they want to generate some tag and it's zero one zero one that is In this attack the attacker wants to find a message That the other two users when they use their shared secret key the attacker doesn't know the key They want to find a message that produces this tag That is with some key Which is secret? We don't know that we want to find the message that will produce that tag So that we could defeat the authentication schemes because if we can find a message that produces the same tag of another message we can Make changes without the receiver notifying are being Being aware This attack is slightly more complicated or it relies on some different assumptions And the assumption is that the attacker can somehow ask the user to Apply the Mac using their secret key on different messages So let's say the attacker knows user a and Somehow they can get user a to say oh here's a message. Please calculate the Mac for me So the attacker sends a message to user a and and says calculate them the Mac user a does it using their secret they don't tell the attacker the secret and The attacker learns the tag So there's some sort of way that there's some sort of service that allows the attacker to Find the Mac of a message without knowing the secret So what the attacker can do is try some message some random message Ask the user to calculate for that message using their secret key the Mac when we get the tag If it matches the tag that we want Then the attacker has found the The message Let's try that and see how that helps the attacker So again, this has a key of five bits the key is secret. We're not trying to find the key We're trying to find some message That when we use with that key will produce the tag zero one zero one my attacker again The tag zero one zero one What the attacker does is Contry random messages What the attacker does is chooses a random message some message Sends it to the user and the user will calculate the tag of that message and The attacker learns the tag if it matches zero one zero one Then the attacker is successful because I've found a message without knowing the key that maps to the tag that they want so this program all it does is Calculates for random messages the tag with the secret key and prints them out and the way that it works is that it stops once it finds that tag so in this instance what it did was given this random message and the key that we don't know but We got the user to calculate the Mac with their key and we found out the tag is one zero zero one That's not of use to us. We want zero one zero one so we try another message and We get zero one one one. No, we keep trying until We get zero one zero one now the attacker has found some message that produces their desired tag and They can take advantage of that by for example Sending a message to be Zero one zero one one one One one with the tag zero one zero one if they send that to be B will verify it to be correct because B has the key that produces that mapping So that's how the attacker can take advantage of this the point is How many attempts do we need to make until we get the matching tag in this case? because it's random messages that took I don't know you can count them there better than me, but Maybe 20 something met attempts there. I'll try it again because it's random We're different this time a little bit longer. I'll keep trying. Oh that one took five attempts Maybe a screen full which is about 15 to 20 attempts and keep trying. Oh, this one's maybe 10 attempts If we keep trying because it's random what will vary on average How many attempts do we need to take until we get the right tag? Average or worst case worst case to be simple. What's the worst case? No Or the average of these values that we just did What do you think it is So we had one which is five one with 12 one looked like 20 25 if we kept doing and took the average What do you think will take? What does it depend upon? It doesn't depend upon the key length. It depends upon the tag length How many possible tags are there? 16 possible tags. So basically the MAC function takes some random input and produces one of those 16 values so after 16 attempts We should Possibly get one of the the value that we're looking for because ours is one of the 16 values But unfortunately in some cases an attempt produces the the same tag But on average if if it's a random mapping and we're looking for a random tag It would take 16 attempts to find our tag. It depends upon the tag length Basically the idea is Apply some function on a random input that produces one of those random 16 outputs On average you need 16 attempts to get that output So the attacker in this case will be successful the success depends upon the length of the tag How do we make it harder for the attacker then? longer tag Okay, so the longer the tag the less chance that they'll find it So there are two different approaches from the attacker and we'll go back to the lecture notes Actually, just to summarize here in the first case. We said if we try all keys it depends upon the key length three bits Take eight attempts if we try to find a tag by trying random messages. It depends upon the tag length four bits in this case so In general a brute force attack on the key takes approximately two to the power of K attempts a brute force attack on the tag on the Mac value Depends upon the length of that tag For an n-bit Mac value an n-bit tag takes two to the power of n attempts So from an attacker's perspective, they would choose the easiest of the two To defeat the Mac scheme choose the one which is easier So the the effort to defeat the Mac in a brute force attack is the minimum of two to the power of the number of bits in the key and two to the power of the number of bits in the tag if We had a Mac scheme a Mac function that had a key of 80 bits and a tag of 60 bits What would you as the attacker try to do a? brute force attack on the key or a brute force attack on the tag on The tag the one which is easier Okay, so that's why we say that the strength of the Mac depends upon the minimum length of the key and the tag So basically we need to make sure the tag and the key are both long enough to make a brute force attack Not possible. So as long as they take the key and the tag along Macs are considered secure against brute force Can we try it for 60 bits? You'll try it at home and leave your computer running and see see how much power you use over a week With 60 bits you can do it, but I think it will still take a long time on a single computer. So a A brute force attack I think we said on desk which was 64 bits or actually 56 bits Is possible today and I the numbers that it takes On powerful computers or a group of computers probably minutes to defeat but on a single computer that that extends Maybe if you took control of the network lab, you'll get it quite quickly use all 36 computers Right brute force is not practical if we make the values long enough and that's easy Okay, so most Mac algorithms used or all Mac algorithms are used we we use values which are long enough But the main point is that we need both the key and the tag to be long enough It's not just the key anymore So that's brute force attacks the other attacks to take advantage of weaknesses in the algorithms There are many different algorithms. So there are some theoretical attacks on some of the popular algorithms But generally Mac algorithms the ones which are in use today are considered secure So just make sure that the lengths are large enough and the max are considered secure We mentioned in the previous lecture that there are many different algorithms. We're not going to go through any specific one The next topic is about hash functions, which we'll go through and then we'll mention that there's a hash functions and Mac functions are used for similar things and the There is a Mac function called H Mac Which really takes an existing hash function and turns it into a Mac function So that's commonly used in network communications if you saw in Secure shell and we capture packets you'll see that H Mac is used in that case