3

I understand the basic operational theory behind MAC, but I'm getting tripped up on some of the finer details. Also the differences between MAC, HMAC and MIC are getting lost on me, including the different utilizations between them, the benefits of using one over the other in a given situation, etc. As such, I'm hoping I can get an overview on MACs, covering a few specific points.

Firstly, I get how a MAC verifies that the message is unaltered, but I don't get how that translates to verifying the message originator. Just because the message is unaltered doesn't mean it came from a specific host. To me that sounds like there is an assumption that the session key has not been compromised. So this would protect against message tampering but not eavesdropping?

Secondly, is the MAC based on the plain-text or the cipher-text? Also, how is the key selected? Is it unique to the MAC or is it related to the session key?

As far as I understand MAC vs HMAC vs MIC, HMACs are keyed hash functions which use the message and a key to produce a digest used in the verification process, MACs do the same but can be based on universal hashes or even algorithms which are not hashes, and MICs can be based on any algorithm that can be used as a MAC, but do not utilize keys, and so can only be used to provide message integrity, and not authentication. If I'm mistaken on any of that, I'd appreciate some clarification.

As with my previous post, I know this is probably an extremely basic question to be asking in this forum, so I'll apologise if this is irksome to anybody. But I'm only just getting my feet wet in cryptology. I'm not even sure that my understanding on this topic is incorrect, I'm just not 100% sure that it is correct.

Brandon
  • 31
  • 2

1 Answers1

4

First, terms: A MAC is a generic term for a class of cryptographic primitives. It's in the same category as "hash" or "PRNG." HMAC is a particular construction that, combined with a suitable cryptographic hash, gives a secure MAC function (it can also be used to generically refer to any HMAC algorithm, since HMAC is secure with pretty much any standard hash, even MD5). A similar term in symmetric encryption is "CBC mode;" it's a way to take a certain kind of primitive (hashes for HMAC, block ciphers for CBC) that does one thing and get it to do something else. MIC is a term used rarely, but basically means is a synonym for MAC; MIC is what some standards (like WPA) call their MAC, because the term "MAC" already has a meaning in those contexts (in WPA's case, this is MAC addresses). "Integrity" implies "authentication" in security-land; MICs need keys as well.

To your first question: MACs verify that the message did come from a specific source (someone with the MAC key). What they don't verify is that it hasn't been intercepted and passively eavesdropped. They're meant to protect integrity, not confidentiality; you use encryption to protect confidentiality. In general, you have to keep your MACs confidential; a MAC can leak information about what was MACed. Privacy-protecting MACs don't themselves leak info about what was MACed, but you still need to encrypt the plaintext.

To your second: It's complicated. Encrypt-then-MAC is generally considered the best (the MAC then can't leak info about the plaintext, and protects against tampering of the ciphertext; all an attacker can do is mess with the ciphertext, they can't touch the plaintext directly); however, Encrypt-and-MAC (MAC the plaintext and do not encrypt the MAC when you encrypt the message) and MAC-then-Encrypt (MAC the plaintext, then encrypt everything) can work.

You also have to think about how the MAC algorithm works with the encryption algorithm, and here be dragons. The best practices are to use a different key for your MAC and your encryption (which normally rules out negative interactions between them), or to use a known-secure construction like GCM to provide both. If you're combining a MAC and an encryption scheme, it's common to use a key-based key derivation function to create the MAC and the encryption keys from a single session key; HMAC is also a pretty good KBKDF (it has a lot of nice properties that aren't really needed for a MAC role).

Community
  • 1
cpast
  • 3,587
  • 1
  • 15
  • 27
  • MIC has the exact same meaning as MAC; MIC is used when we're in an area (such as wireless) where the acronym MAC already has been given a message (Media Access Code) – poncho Apr 07 '15 at 05:22
  • IMHO MAC has two meanings. It can mean a generic construction that includes both algorithms based on hashes and symmetric ciphers, or it can mean an algorithm based on a symmetric cipher, not on a hash function. Which one is being meant is usually pretty clear from context. – Maarten Bodewes Apr 07 '15 at 18:19
  • Integrity and authenticity is often implied if the other property is achieved. I would however keep a strict distinction between the two properties as they do mean different things. – Maarten Bodewes Apr 07 '15 at 18:34
  • 1
    @MaartenBodewes: MAC does have two meanings, however not in the way you're thinking of. It can mean a cryptographical algorithm that meets certain properties (e.g. hard for someone without the key to generate a new message/tag pair), independent of how the MAC functions internally. Alternatively, it is sometimes used to indicate the tag generated by a Message Authentication Code. – poncho Apr 07 '15 at 20:21
  • @poncho Maybe officially that's the case, but I often see the use of just MAC for MAC algorithms based on a block cipher (CBC-MAC or CMAC) - possibly because there doesn't seem to be a good alternative. HMAC is also a description of a specific algorithm on the other hand - oh well, it's language, not exact science. – Maarten Bodewes Apr 07 '15 at 21:07