CS 161
Computer Security
Spring 2010
Paxson/Wagner
Notes 3/5
Message Authentication Codes and Digital Signatures
In the last two lectures, we looked at symmetric- and asymmetric-key encryption. Encryption is used to protect the confidentiality of communications over an insecure channel. This lecture, we’ll look at cryptographic schemes that provide integrity and authentication. In particular, the threat we’re concerned about is adversaries who send spoofed messages (pretending to be from a legitimate participant) or who modify the contents of a message from a legitimate participant. To address these threats, we will introduce cryptographic schemes that enable the recipient to detect spoofing and tampering.
We’ll look at schemes in both the symmetric-key and asymmetric-key models. If Alice and Bob share a secret key $K$, they can use a Message Authentication Code (also called a MAC, for short) to detect tampering with their messages. If they don’t have a shared key, but Bob knows Alice’s public key, Alice can sign her messages with her private key, using a digital signature scheme (also known as a public-key signature scheme). In tabular form, the big four types of cryptographic primitives are:

                               Symmetric-key                              Asymmetric-key
Confidentiality                Symmetric-key encryption (e.g., AES-CBC)   Public-key encryption (e.g., El Gamal)
Integrity and authentication   MACs (e.g., AES-CBC-MAC)                   Digital signatures (e.g., RSA)

1 Message Authentication Codes (MACs)
Suppose Alice and Bob share a secret key $K$, and Alice wants to send a message to Bob over an insecure channel. The message isn’t secret, but she wants to prevent attackers from modifying the contents of the message. The idea of a Message Authentication Code (MAC) is to send a keyed checksum of the message along with the message, chosen so that any change to the message will render the checksum invalid.
The MAC on a message $M$ is a value $F(K, M)$ computed from $K$ and $M$; the value $F(K, M)$ is called the tag for $M$. Typically, we might use a 128-bit key $K$ and 128-bit tags. Alice will send the pair of values $M, T$ to Bob, where she computed the tag $T = F(K, M)$ using the MAC. When Bob receives $M, T$, Bob will compute $F(K, M)$ and check that it matches the provided tag $T$. If it matches, Bob will accept the message $M$ as valid, authentic, and untampered; if $F(K, M) \neq T$, Bob will ignore the message $M$ and presume that some tampering or message corruption has occurred.
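
The exchange described above, as an added example that is not part of the original notes: Alice tags M with T = F(K, M), and Bob recomputes the tag and compares. It assumes HMAC-SHA256 truncated to 128 bits as F (the notes do not fix a particular F at this point); the names alice_send, bob_receive and demo and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_BYTES = 16  # 128-bit tags, as in the notes


def F(K: bytes, M: bytes) -> bytes:
    """Tag for M under key K. Assumption: HMAC-SHA256 truncated to
    128 bits stands in for the MAC algorithm F."""
    return hmac.new(K, M, hashlib.sha256).digest()[:TAG_BYTES]


def alice_send(K: bytes, M: bytes) -> Tuple[bytes, bytes]:
    """Alice sends the pair (M, T) with T = F(K, M)."""
    return M, F(K, M)


def bob_receive(K: bytes, M: bytes, T: bytes) -> Optional[bytes]:
    """Bob recomputes F(K, M) and accepts M only if it equals T.
    compare_digest does not stop at the first differing byte, so the
    time taken does not depend on how much of a wrong tag was right."""
    if len(T) == TAG_BYTES and hmac.compare_digest(F(K, M), T):
        return M
    return None  # ignore M: tampering or corruption is presumed


def demo() -> dict:
    K = secrets.token_bytes(16)            # 128-bit shared key
    M, T = alice_send(K, b"Pay Bob $10")   # constructed sample message
    flipped = bytes([T[0] ^ 1]) + T[1:]    # one bit of the tag changed
    other_key = secrets.token_bytes(16)    # sender who does not know K
    spoof = b"Pay Eve $10"
    return {
        "genuine": bob_receive(K, M, T),
        "modified_message": bob_receive(K, b"Pay Bob $1000", T),
        "modified_tag": bob_receive(K, M, flipped),
        "spoofed_without_K": bob_receive(K, spoof, F(other_key, spoof)),
        "short_tag": bob_receive(K, M, T[:8]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {'accepted' if result else 'rejected'}")
```

Only the unmodified pair from the key holder is accepted; every other case returns None, which is Bob ignoring the message.
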
The algorithm $F$ is chosen so that if the attacker replaces $M$ by some other message $M'$, then the tag will almost certainly[1] no longer be valid: in particular, $F(K, M) \neq F(K, M')$. More generally, there will be no

[1] Strictly speaking, there is a very small chance that the tag for $M$ will also be a valid tag for $M'$. However, if we choose tags to