
Understanding Message Authentication Codes

The document explains Message Authentication Code (MAC) and its variants, including CMAC and HMAC, which are symmetric key cryptographic techniques used for message authentication. MAC generates a checksum using a shared secret key to verify message origin, while CMAC utilizes block ciphers like AES to produce a fixed-length authentication tag. HMAC, on the other hand, combines a message digest algorithm with a secret key to ensure message integrity and authenticity, highlighting their respective advantages, limitations, and applications.

Uploaded by

Shubham Barge
Copyright
© All Rights Reserved

Message Authentication Code (MAC)

A MAC algorithm is a symmetric-key cryptographic technique that provides message authentication. To use a MAC, the sender and receiver share a symmetric key K.

Essentially, a MAC is an encrypted checksum generated on the underlying message and sent along with the message to ensure message authentication.

The process of using MAC for authentication is depicted in the following illustration −

Let us now try to understand the entire process in detail –

• The sender uses some publicly known MAC algorithm, inputs the message and the secret key K, and produces a MAC value.

• Like a hash, a MAC function compresses an arbitrarily long input into a fixed-length output. The major difference between a hash and a MAC is that the MAC uses a secret key during the compression.

• The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned with providing message origin authentication, not confidentiality. If confidentiality is required, the message must also be encrypted.

• On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and recomputes the MAC value.

• The receiver then checks the freshly computed MAC against the MAC received from the sender. If they match, the receiver accepts the message and is assured that it was sent by the intended sender.

• If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether the message has been altered or the origin has been falsified. The bottom line is that the receiver can safely assume the message is not genuine.

Limitations of MAC

• Establishment of Shared Secret.

o A MAC can provide message authentication among pre-decided legitimate users who hold the shared key.
o This requires establishing the shared secret before the MAC can be used.

• Inability to Provide Non-Repudiation

o Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions.

o The MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide proof that a message was indeed sent by the sender.

o Though no third party can compute the MAC, the sender could still deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC.
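The sender and receiver steps and the non-repudiation limitation described above, as an added example that is not part of the original document. It assumes HMAC-SHA256 from Python's standard library as the "publicly known MAC algorithm"; the function names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # fixed-length MAC output: 32 bytes


def compute_mac(key: bytes, message: bytes) -> bytes:
    """The publicly known MAC algorithm (assumed here: HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sender_transmit(key: bytes, message: bytes) -> tuple:
    """Sender: the message travels in the clear, accompanied by its MAC."""
    return message, compute_mac(key, message)


def receiver_accepts(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: recompute the MAC over what arrived and compare.

    hmac.compare_digest runs in time independent of where the tags differ,
    so the comparison itself does not leak how much of a tag was correct.
    """
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(compute_mac(key, message), tag)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # shared secret K, agreed before any message
    msg, tag = sender_transmit(key, b"pay 100 to account 42")  # constructed
    flipped = bytes([tag[0] ^ 0x01]) + tag[1:]
    results = {
        "genuine": receiver_accepts(key, msg, tag),
        "altered_message": receiver_accepts(key, b"pay 900 to account 42", tag),
        "altered_tag": receiver_accepts(key, msg, flipped),
        "other_key": receiver_accepts(secrets.token_bytes(32), msg, tag),
    }
    # Non-repudiation gap: the receiver also holds K, so a tag it computes
    # itself verifies exactly like one computed by the sender.
    own_msg, own_tag = sender_transmit(key, b"pay 900 to account 7")
    results["made_by_receiver"] = receiver_accepts(key, own_msg, own_tag)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:17} accepted={accepted}")
```

A rejected message looks the same to the receiver whether the message, the tag or the key was wrong, which is why the receiver can only conclude that the message is not genuine.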

CMAC
Overview

Cipher-based Message Authentication Code (CMAC) is a cryptographic technique used to ensure the
integrity and authenticity of a message. It leverages a symmetric key block cipher, such as AES
(Advanced Encryption Standard), to generate a fixed-length authentication tag for a given message.
This tag verifies that the message has not been altered and originates from a legitimate source.

How CMAC Works

CMAC operates by processing a message through a block cipher in a manner that produces a unique
tag. The process involves the following steps:

1. Key Setup: A secret symmetric key is used with the block cipher (e.g., AES with a 128, 192, or
256-bit key).

2. Message Padding: If the message length is not a multiple of the block size, it is padded
(typically with a '1' bit followed by '0' bits) to align with the block size.

3. Subkey Generation: Two subkeys, K1 and K2, are derived from the secret key by encrypting a
zero block and applying specific transformations (left shifts and conditional XOR with a
constant).

4. Message Processing:

o The message is divided into blocks.

o Each block is processed using the block cipher in a chained manner, similar to the
Cipher Block Chaining (CBC) mode.

o For the final block:

▪ If it is a full block, it is XORed with K1.

▪ If it is a partial block (after padding), it is XORed with K2.

o The final block is encrypted to produce the CMAC tag.


5. Output: The resulting tag (typically the size of the block, e.g., 128 bits for AES) is truncated if a shorter tag is required.

Key Properties

• Integrity: Ensures the message has not been tampered with, as any alteration changes the
tag.

• Authenticity: Verifies the message source, as only parties with the secret key can generate a
valid tag.

• Fixed Length: Produces a tag of consistent size, regardless of message length.

• Deterministic: For a given key and message, the same tag is always produced.

Advantages

• Security: CMAC is secure against forgery attacks, provided the underlying block cipher is
robust (e.g., AES).

• Efficiency: It is computationally efficient, requiring only block cipher operations.

• Standardized: CMAC is widely adopted in standards like NIST SP 800-38B and is used in
protocols such as TLS and IPsec.

Limitations

• Key Management: Requires secure storage and distribution of the symmetric key.

• Block Cipher Dependency: Security relies on the strength of the underlying cipher.

• No Confidentiality: CMAC only provides authentication, not encryption; it must be paired with encryption for confidentiality.

Applications

• Secure Messaging: Used in protocols like TLS to authenticate messages.

• Data Storage: Ensures integrity of stored data in systems like encrypted file systems.

• Network Security: Employed in IPsec for authenticating packets.

• IoT Devices: Provides lightweight authentication for resource-constrained devices.

Example

Suppose a message "Hello" is authenticated using AES-CMAC with a 128-bit key:

1. The message is padded to fit the 128-bit block size.

2. Subkeys K1 and K2 are derived from the key.

3. The padded message is processed with AES in CBC-like mode, with the final block XORed
with K1 or K2.

4. The output is a 128-bit tag, which can be verified by the recipient using the same key.
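The subkey generation, padding and final-block handling from "How CMAC Works", applied to the "Hello" message of this example, as added code that is not part of the original document. `encrypt_block` is an assumed parameter: a callable that encrypts one 16-byte block with AES under the secret key, supplied by whatever vetted library is in use. `RFC4493_L` is the encrypted zero block from the RFC 4493 AES-128 test vectors, used so the subkeys can be checked without an AES implementation.

```python
BLOCK = 16   # AES block size in bytes
RB = 0x87    # constant XORed in for 128-bit blocks (NIST SP 800-38B)
RFC4493_L = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")  # AES-128(K, 0^128)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(block: bytes) -> bytes:
    """Left shift by one bit; XOR RB into the result if a 1 bit was shifted out."""
    n = int.from_bytes(block, "big") << 1
    if n >> (8 * BLOCK):
        n = (n & ((1 << (8 * BLOCK)) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")


def derive_subkeys(encrypt_block) -> tuple:
    """Step 3: K1 and K2 from the encryption of the all-zero block."""
    k1 = double(encrypt_block(bytes(BLOCK)))
    return k1, double(k1)


def prepare_last_block(message: bytes, k1: bytes, k2: bytes) -> bytes:
    """Steps 2 and 4: a full final block gets K1, a padded one gets K2."""
    start = (len(message) - 1) // BLOCK * BLOCK if message else 0
    tail = message[start:]
    if len(tail) == BLOCK:
        return xor(tail, k1)
    padded = tail + b"\x80" + bytes(BLOCK - len(tail) - 1)  # '1' bit, then '0' bits
    return xor(padded, k2)


def cmac(encrypt_block, message: bytes, tag_len: int = BLOCK) -> bytes:
    """CBC-style chaining over all blocks; encrypt_block is E_K for one block."""
    k1, k2 = derive_subkeys(encrypt_block)
    start = (len(message) - 1) // BLOCK * BLOCK if message else 0
    state = bytes(BLOCK)
    for i in range(0, start, BLOCK):
        state = encrypt_block(xor(state, message[i:i + BLOCK]))
    last = prepare_last_block(message, k1, k2)
    return encrypt_block(xor(state, last))[:tag_len]  # step 5: optional truncation


if __name__ == "__main__":
    k1, k2 = derive_subkeys(lambda block: RFC4493_L)  # stub standing in for AES
    print("K1:", k1.hex())
    print("K2:", k2.hex())
    print("last block for b'Hello':", prepare_last_block(b"Hello", k1, k2).hex())
```

"Hello" is 5 bytes, so it takes the padded path and is XORed with K2; a message that is an exact multiple of 16 bytes takes the K1 path with no padding.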

Comparison with HMAC

• CMAC uses a block cipher (e.g., AES), while HMAC uses a hash function (e.g., SHA-256).

• CMAC is preferred in systems where block ciphers are already implemented, reducing the need for additional cryptographic primitives.

• HMAC may be faster on platforms optimized for hash functions.

Hash-Based Message Authentication Code (HMAC)

The fundamental idea behind HMAC is to reuse an existing message digest algorithm, such as MD5 or SHA-1. Thus, it treats the message digest as a black box.

Let us start with the variables that will be used in our HMAC discussion:

• MD= The message Digest (MD5, SHA-1)

• M= The input message

• L= The number of blocks in message M

• b= The number of bits in each block

• K= The shared symmetric key to be used in HMAC

• ipad= A string 00110110 repeated b/8 times.

• opad= A string 01001010 repeated b/8 times.

Step 1:

Make the length of message M equal to key

The length of the message M must be equal to the length of the key.

Step 2: XOR K with ipad

The secret key is XORed with ipad to produce OS1, where ipad = a string 00110110 repeated b/8 times and OS1 = output of step 1.

Step 3: Append the message M to OS1

Step 4: Message Digest Algorithm

Any message digest algorithm (MD5/SHA-1) is applied to the output of step 3. This produces the output hash.

Step 5: XOR K with opad to produce OS2

XOR the secret key K with opad to produce an output variable called OS2.

Step 6: Append H to OS2

The hash H is appended to OS2, the output of step 5.

Step 7: Message Digest Algorithm

The message digest algorithm is applied to the output of step 6 to generate the final output, called the HMAC.
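The HMAC construction written out step by step and cross-checked against Python's `hmac` module, as an added example that is not part of the original document. It follows RFC 2104, which that module implements: the key K is zero-padded to one block (and hashed first if longer than a block), the ipad byte is 0x36 and the opad byte is 0x5C. The function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

IPAD_BYTE = 0x36   # 00110110
OPAD_BYTE = 0x5C   # 01011100 (RFC 2104)


def hmac_by_steps(key: bytes, message: bytes, digest=hashlib.sha1) -> bytes:
    """HMAC built from a message digest used as a black box (RFC 2104)."""
    block_bytes = digest().block_size          # b/8: 64 for MD5, SHA-1, SHA-256

    # Bring the key K to exactly one block: hash it if longer, then zero-pad.
    if len(key) > block_bytes:
        key = digest(key).digest()
    key = key.ljust(block_bytes, b"\x00")

    os1 = bytes(k ^ IPAD_BYTE for k in key)    # K XOR ipad
    inner = digest(os1 + message).digest()     # H = MD(OS1 || M)
    os2 = bytes(k ^ OPAD_BYTE for k in key)    # K XOR opad
    return digest(os2 + inner).digest()        # HMAC = MD(OS2 || H)


def matches_library(key: bytes, message: bytes, digest) -> bool:
    """Cross-check the manual construction against Python's hmac module."""
    reference = hmac.new(key, message, digest).digest()
    return hmac.compare_digest(hmac_by_steps(key, message, digest), reference)


if __name__ == "__main__":
    message = b"constructed sample message"
    cases = {"short key": b"k" * 8, "block-sized key": b"k" * 64, "long key": b"k" * 200}
    for digest in (hashlib.md5, hashlib.sha1, hashlib.sha256):
        for label, key in cases.items():
            ok = matches_library(key, message, digest)
            print(f"{digest().name:7} {label:16} matches hmac module: {ok}")
```

The default digest is SHA-1 to mirror the text; pass `hashlib.sha256` for new designs, and in production call the `hmac` module directly rather than a hand-written construction.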

Final Diagram
