{"id":690,"date":"2008-10-06T09:39:14","date_gmt":"2008-10-06T09:39:14","guid":{"rendered":"http:\/\/scientopia.org\/blogs\/goodmath\/2008\/10\/06\/cryptographic-integrity-using-message-authentication-codes\/"},"modified":"2008-10-06T09:39:14","modified_gmt":"2008-10-06T09:39:14","slug":"cryptographic-integrity-using-message-authentication-codes","status":"publish","type":"post","link":"http:\/\/www.goodmath.org\/blog\/2008\/10\/06\/cryptographic-integrity-using-message-authentication-codes\/","title":{"rendered":"Cryptographic Integrity using Message Authentication Codes"},"content":{"rendered":"<p> I don&#8217;t have a lot of time to write; I&#8217;m having my fifth (I think) upper endoscopy done tomorrow, which means that the day&#8217;s going to be a wash; and Yom Kippur is thursday, and I need to cook, so between the personal crap and work, I&#8217;m not going to have much time for blogging. So I&#8217;m trying to make use of the time I have to write one short but (hopefully) interesting post.<\/p>\n<p> One thing that I&#8217;ve mentioned in passing is the distinction between message <em>confidentiality<\/em>, and message <em>integrity<\/em>.<\/p>\n<p> Confidentiality is most of what we&#8217;ve been talking about<br \/>\nso far. Confidentially provides a guarantee that when you send an encrypted message, no one but your intended recipient is able<br \/>\nto read the plaintext.<\/p>\n<p> Integrity is something very different. Integrity guarantees<br \/>\nthat if you send an encrypted message, there&#8217;s no way that the encrypted message could have been tampered with after you encrypted it, without the recipient knowing it.<\/p>\n<p><!--more--><\/p>\n<p> Suppose you&#8217;re using CBC mode for a message in DES, and you&#8217;ve<br \/>\ngot an attacker who wants to screw up your message. What happens if the attacker flips a couple of bits in one block? First, the plaintext for that block will be corrupted. Second, the<br \/>\nciphertext for that block is used for decrypting the next block &#8211; so the plaintext for the next block will also be corrupted.<\/p>\n<p> Can you tell that there was a corruption in the message? If the plaintext was something like human language, you can see that it makes no sense. But that&#8217;s relying on our meta-knowledge about<br \/>\nthe structure\/nature of the plaintext. In fact, just looking at<br \/>\nthe encrypted message, there is <em>no possible way<\/em> for us to detect tampering!<\/p>\n<p> In CBC mode &#8211; and in fact in all of the modes we&#8217;ve looked at, an attacker can change bits of the ciphertext, corrupting the message, and <em>we can&#8217;t tell<\/em>. That&#8217;s why we say that<br \/>\nthese modes of operation can&#8217;t provide any guarantees of message<br \/>\nintegrity.<\/p>\n<p> How can we get around that? The easiest thing is to add something called a <em>message authentication code<\/em> (MAC).<br \/>\nA MAC is basically a hash-code: a short string appended to the<br \/>\nmessage which in some way summarizes the message, so that if any<br \/>\npart of the message was changed, the MAC will not match the message, and so we&#8217;ll know that the message was corrupted. <\/p>\n<p> It&#8217;s easiest to understand the MAC using a bit of notation:<br \/>\nMac = M(T, K), where &#8220;M&#8221; is the MAC function, T is the plaintext of the message, and K is an encryption key. So you take your plaintext and your key, feed it to M, and get back a short string which is the MAC for your  message.<\/p>\n<p> MAC functions need to have some basic properties to be<br \/>\nsuccessful in protecting integrity:<\/p>\n<ol>\n<li> Changing a single bit of the input message must produce<br \/>\na significant change in the MAC.<\/li>\n<li> Given a MAC value V, a MAC function M, and a key K, it must be difficult to compute a plaintext T where M(T,K)=V.<\/li>\n<li> Given an oracle O(T) which computes M(T,K), and the<br \/>\nability to compute O(T) for an arbitrary set of chosen<br \/>\nplaintexts, it must be difficult to guess the MAC for a<br \/>\nparticular message without submitting it to O. (That is, even<br \/>\nin the scenario of a ideal chosen plaintext attack,<br \/>\nwhere you can choose any set of messages you want, and<br \/>\nget the MAC for those messages, that won&#8217;t help you to guess<br \/>\nthe MAC of any message outside of that set.)<\/li>\n<li> Given a message T, it must be difficult to find a message<br \/>\nU such that M(T,K)=M(U,K).<\/li>\n<\/ol>\n<p> If you&#8217;re familiar with digital signatures, some of this<br \/>\nshould be ringing bells. The idea of a digital signature is very<br \/>\nclose to this. The main difference is that a digital signature<br \/>\nis asymmetric: the sender and the receiver have <em>different<\/em> keys. The sender has a private key, and signs the message;<br \/>\neveryone else has a public key, and can verify that the sender<br \/>\nsigned the message. With MACs, both the sender and the receiver have <em>the same key<\/em>. MACs provide no guarantee of who originated the message; they just guarantee that the message<br \/>\nwasn&#8217;t changed between the time it was encrypted by the sender<br \/>\nand decrypted by the reciever.<\/p>\n<p> Next post, I&#8217;ll go through one or two MAC algorithms, and then talk about modes of operation that incorporate MAC-like integrity<br \/>\nguarantees.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I don&#8217;t have a lot of time to write; I&#8217;m having my fifth (I think) upper endoscopy done tomorrow, which means that the day&#8217;s going to be a wash; and Yom Kippur is thursday, and I need to cook, so between the personal crap and work, I&#8217;m not going to have much time for blogging. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[82],"tags":[],"class_list":["post-690","post","type-post","status-publish","format-standard","hentry","category-cryptography"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p4lzZS-b8","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/posts\/690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/comments?post=690"}],"version-history":[{"count":0,"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/posts\/690\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/media?parent=690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/categories?post=690"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.goodmath.org\/blog\/wp-json\/wp\/v2\/tags?post=690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}