Message Authentication
Message authentication allows one party—the sender—to send a message to another party—the receiver—in such a way that if the message is modified en route, then the receiver will almost certainly detect this. Message authentication is also called data-origin authentication. Message authentication is said to protect the integrity of a message, ensuring that each message that it is received and deemed acceptable is arriving in the same condition that it was sent out—with no bits inserted, missing, or modified.
Message authentication provides two services. It provides a way to ensure message integrity and a way to verify who sent the message. To request authentication, the sending application must set the authentication level of the message to be authenticated. Authenticating for message integrity ensures that no one has tampered with the message or changed its content.
There are two methods for producing the message authentication code:
- Data encryption standard (DES)
- Cyclic Redundancy Check (CRC)
Message Authentication Code – It is also called as MAC. A message authentication code (MAC) is a cryptographic checksum on data that uses a session key to detect both accidental and intentional modifications of the data. It is a security code that is typed in by the user of a computer to access accounts or portals. This code is attached to the message or request sent by the user. Message authentication codes (MACs) attached to the message must be recognized by the receiving system in order to grant the user access. MACs are commonly used in electronic funds transfers (EFTs) to maintain information integrity.
The message authentication code technique involves the use of a secret key to generate a small block of data that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key KAB. When A has a message to send to B, it calculates the message authentication code as a function of the message and the key: MACM = F (KAB,M). The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code. If we assume that only the receiver and the sender know the identity of the key, and if the received code matches the calculate code, then
- The receiver is assured that the message has not been altered.
- The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper code.
- If the message includes a sequence number, then the receiver can be assured of the proper sequence, because an attacker cannot successfully alter the sequence number.
A number of algorithms could be used to generate the code. The national Bureau of Standards, in its publication DES Modes of Operation, recommends the use of Data Encryption Algorithm (DEA).
Hash Functions
A hash function takes a group of characters (called a key) and maps it to a value of a certain length (called a hash value or hash). The hash value is representative of the original string of characters, but is normally smaller than the original. Hashing is used in encryption and also done for indexing and locating items in databases.
A hash function maps keys to small integers (buckets). An ideal hash function maps the keys to the integers in a random-like manner, so that bucket values are evenly distributed even if there are regularities in the input data. This process can be divided into two steps as
- Map the key to an integer.
- Map the integer to a bucket.
Simple hash functions map a single integer key (k) to a small integer bucket value h(k). m is the size of the hash table (number of buckets). Few simple hash function are
- Division method (Cormen) Choose a prime that isn’t close to a power of 2. h(k) = k mod m. Works badly for many types of patterns in the input data.
- Knuth Variant on Division h(k) = k(k+3) mod m. Supposedly works much better than the raw division method.
Hash functions chop up the input data and make mess of it so that the original data would be difficult or impossible to deduce from the mangled remains. Value provides a way of checking whether the message has been manipulated or corrupted in transit or storage. It is a sort of “digital fingerprint”. Moreover, the message digest can be encrypted using either conventional or public-key cryptography to produce a digital signature, which is used to help the recipient feel confident that the received message is not forget. The hash function H must satisfy following conditions
- It should be one-way: For a given hash value v =H(x) it should be infeasible for an opponent to find a message x such that x= H-1(v).
- It should at least be weakly collision resistant: Given a hash value v =H(x) and the message x from which it was computed, it should be computationally infeasible for an opponent to find another message y different from x such that v =H(y).
- It might be strongly collision resistant: It is computationally infeasible for an opponent to find a pair of distinct messages x and y such that H(x)=H(y).