Message authentication code

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects a message's data integrity, as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. Terminology The term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications to distinguish it from the use of the latter as media access control address (MAC address). However, some authors use MIC to refer to a message digest, which aims only to uniquely but opaquely identify a single message. RFC 4949 recommends avoiding the term message integrity code (MIC), and instead using checksum, error detection code, hash, keyed hash, message authentication code, or protected checks

About this result

This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Related publications

Related people

Related units

Related concepts

Related courses

Related lectures

Summary

Official source

About this result

Related publications (21)

Related publications

Related people (2)

Related people

Related units (2)

Related units

Related concepts (29)

Related concepts

Related courses (8)

Related courses

Related lectures (25)

Related lectures

Cryptography

Cryptography, or cryptology (from κρυπτός "hidden, secret"; and γράφειν graphein, "to write", or -λογία -logia, "study", respectively), is the practice and study of techniques for secure communicatio

Block cipher

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protoc

Cryptographic hash function

A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with a fixed size of n bits) that has special properties desirable for a

Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

Emiljano Gjiriti, Reza Reyhanitabar, Damian Vizár

The currently ongoing NIST LWC project aims at identifying new standardization targets for lightweight authenticated encryption with associated data (AEAD) and (optionally) lightweight cryptographic hashing. NIST has deemed it important for performance and cost to be optimized on relevant platforms, especially for short messages. Reyhanitabar, Vaudenay and Vizar (Asiacrypt 2016) gave a formal treatment for security of nonce-based AEAD with variable stretch, i.e., when the length of the authentication tag is changed between encryptions without changing the key. They argued that AEAD supporting variable stretch is of practical interest for constrained applications, especially low-power devices operated by battery, due to the ability to flexibly trade communication overhead and level of integrity. In this work, we investigate this hypothesis with affirmative results. We present vCCM, a variable-stretch variant of the standard CCM and prove it is secure when used with variable stretch. We then experimentally measure the energy consumption of a real-world wireless sensor node when encrypting and sending messages with vCCM and CCM, respectively. Our projections show that the flexible trade of integrity level and ciphertext expansion can lead up to 21% overall energy consumption reduction in certain scenarios. As vCCM is obtained from the widely-used CCM by a black-box transformation, allowing any existing CCM implementations to be reused as-is, our results can be immediately put to use in practice. vCCM is all the more relevant because neither the NIST LWC project, nor any of the candidates give a consideration for the support of variable stretch and the related integrity-overhead trade-off.

RUHR-UNIV BOCHUM, HORST GORTZ INST IT-SICHERHEIT2021

Thwarting selfish and malicious behavior in wireless networks

Mario Cagalj

Security is at the core of any communication system and, in particular, of wireless (radio) networks. In this thesis, we focus on three important security aspects in the framework of wireless networks: selfish (noncooperative) behavior at the Medium Access Control (MAC) layer, "radio channel jamming"-based Denial-of-Service (DoS) attacks against sensor networks and secure key agreement in peer-to-peer wireless networks. In the context of selfish behavior at the MAC layer, we focus on single collision domain Carrier-Sense Multiple-Access with Collision Avoidance (CSMA/CA) networks. We use both cooperative and non-cooperative game theory to model and analyze the co-existence of multiple CSMA/CA selfish users. Using insights from the game theoretic analysis, we propose a simple channel access protocol that discourages selfish behavior and results in the optimal and fair allocation of the available bandwidth. We perform an extensive evaluation of the proposed protocol. We then consider two types of malicious behavior. The first type deals with an adversary who tries to obstruct the operation of a wireless network by jamming the used radio channel. The second type is concerned with an adversary who interferes with a key agreement protocol executed between parties that use a radio link, in an attempt to learn their private information or to fool them into accepting fake messages as genuine. Concerning the first kind of malicious behavior, we focus on wireless sensor networks, perhaps the most vulnerable category of wireless networks to this kind of threat. An adversary can mask the events that the sensor network should detect by stealthily jamming an appropriate subset of the nodes; in this way, he prevents them from reporting what they sense to the network operator. Therefore, in spite of the fact that an event is sensed by one or several nodes (and the sensor network is fully connected), the network operator cannot be informed on time – we call this the coverage paradox. To mitigate this problem, we propose a reactive defense mechanism based on wormholes, which were so far considered to be a security threat. In our solution, thanks to channel diversity, the nodes under the jamming attack are able to create (probabilistically) a communication route that is resistant to jamming; thus, appropriate information can be conveyed out of the jammed region. We develop appropriate mathematical models to study the proposed mechanisms. Concerning the second kind of malicious behavior, we focus on the problem of a user-friendly key agreement (and message authentication) in settings where the users do not share any authenticated secret or certified public key in advance. We base our approach on the Diffie-Hellman key agreement protocol, which is known to be vulnerable to the "man-in-the-middle" attack if the users involved in the protocol do not share any authenticated information about each other (e.g., public keys, certificates, passwords, shared keys, etc.) prior to the protocol execution. We solve the problem by leveraging on the natural ability of users to authenticate each other by visual and verbal contact. We propose three techniques: the first is based on the visual comparison of short strings, the second on distance bounding, and the third on a novel concept called integrity codes (I-codes). In each case, the users do not need to enter any password or other data, nor do they need physical or infrared connectivity between their devices. We analyze our protocols using a well-established methodology that leads us to a rigorous modularization and a thorough robustness proof of our proposal. We also provide an implementation of I-codes.

EPFL2006

SAS-Based Group Authentication and Key Agreement Protocols

Sylvain Pasini

New trends in consumer electronics have created a strong demand for fast, reliable and user-friendly key agreement protocols. However, many key agreement protocols are secure only against passive attacks. Therefore, message authentication is often unavoidable in order to achieve security against active adversaries. Pasini and Vaudenay were the ﬁrst to propose a new compelling methodology for message authentication. Namely, their two-party protocol uses short authenticated strings (SAS) instead of pre-shared secrets or public-key infrastructure that are classical tools to achieve authenticity. In this article, we generalise this methodology for multi-party settings. We give a new group message authentication protocol that utilises only limited authenticated communication and show how to combine this protocol with classical key agreement procedures. More precisely, we describe how to transform any group key agreement protocol that is secure against passive attacks into a new protocol that is secure against active attacks.

Springer2008

COM-401: Cryptography and security

This course introduces the basics of cryptography. We review several types of cryptographic primitives, when it is safe to use them and how to select the appropriate security parameters. We detail how they work and sketch how they can be implemented.

COM-301: Computer security

This is an introductory course to computer security and privacy. Its goal is to provide students with means to reason about security and privacy problems, and provide them with tools to confront them.

CS-438: Decentralized systems engineering

A decentralized system is one that works when no single party is in charge or fully trusted. This course teaches decentralized systems principles while guiding students through the development and testing of their own decentralized system incorporating messaging, encryption, and blockchain concepts.