Saturday, October 23, 2021

Hash Function in Action: Message Authentication Codes

In Introduction to Cryptographic Hash Functions for the Working Developer, I presented a straight-to-the-point overview of some essential things a developer should know about cryptographic hash functions.

This post continues that theme by looking at another cryptographic construction that hash functions make possible: Message Authentication Codes (MACs).

It is worth quoting Bruce Schneier again:

Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography

because message authentication codes built on hash functions are a perfect demonstration of how crucial hash functions are.

This post contains the following sections:

  • Why hash functions alone are not enough
  • What is a Message Authentication Code
  • What is a Hash-Based Message Authentication Code (HMAC)
  • What is a KECCAK Message Authentication Code (KMAC)
  • Some real world applications of Message Authentication Codes

Hash Functions alone are not enough

Hash functions produce a fixed-length, random-looking fingerprint of their input. As it turns out, this construction by itself is hardly ever enough for real-life use, because a hash on its own cannot guarantee integrity or authenticity against an active attacker, and those are precisely the properties hash functions tend to be used for.

To illustrate this, take browser cookies. A server needs to check the integrity of its cookies: to ascertain that the cookie it placed in a browser is the same one the browser returns on subsequent requests. A naive way to check this is to use just a hash function: hash the contents of the cookie and store the hash in the browser alongside the data.

This has a loophole. The cookie lives in the client's browser, so an attacker (or the user themselves) can modify the cookie data, compute a fresh hash over the modified data, and send both back to the server. The server cannot detect the modification, because the hash it recomputes matches the altered data.

This shows how, in most use cases, a hash function alone is not enough. In the scenario described, the loophole exists because hash functions are public: anyone can compute them. We therefore need to bring something secret into the mechanism, so that only a party holding the secret can produce a valid value; that is what it means to authenticate the output. Message authentication codes (MACs) are constructs that do exactly this.

It turns out that hash functions, when combined with a secret key, can be used to generate these MACs.
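The cookie scenario above, written out as an added example (this is not code from the original post): the naive scheme stores a bare SHA-256 of the cookie, which anyone can recompute after editing the cookie, while the MAC scheme stores HMAC-SHA256 under a key only the server holds. The cookie contents and the key are constructed for the demo; the same pattern protects signed links and any other client-held data. The tag comparison uses hmac.compare_digest so that verification time does not leak how many leading bytes of a guessed tag were right.

```python
import hashlib
import hmac
import os

# Constructed sample cookie: a role claim the server stored in the browser.
COOKIE = b"user=alice;role=user"

# Secret known only to the server (loaded from config in real life; random here).
SERVER_KEY = os.urandom(32)


def naive_tag(cookie: bytes) -> str:
    """The naive scheme from the post: tag = SHA-256(cookie). Anyone can compute it."""
    return hashlib.sha256(cookie).hexdigest()


def naive_verify(cookie: bytes, tag: str) -> bool:
    return hmac.compare_digest(naive_tag(cookie), tag)


def mac_tag(key: bytes, cookie: bytes) -> str:
    """MAC scheme: tag = HMAC-SHA256(key, cookie). Needs the server's secret key."""
    return hmac.new(key, cookie, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, cookie: bytes, tag: str) -> bool:
    # compare_digest: constant-time comparison, so timing does not leak matching prefixes.
    return hmac.compare_digest(mac_tag(key, cookie), tag)


def attacker_forges(cookie: bytes) -> tuple:
    """The browser's owner edits the cookie and recomputes the public hash.

    Without SERVER_KEY a bare hash is the best they can do: under the MAC scheme
    this tag will not match HMAC(key, forged_cookie).
    """
    forged = cookie.replace(b"role=user", b"role=admin")
    return forged, naive_tag(forged)


def demo() -> dict:
    """Run the scenario under both schemes; report which verifications pass."""
    forged_cookie, forged_tag = attacker_forges(COOKIE)
    return {
        "naive_accepts_genuine": naive_verify(COOKIE, naive_tag(COOKIE)),
        "naive_accepts_forged": naive_verify(forged_cookie, forged_tag),
        "mac_accepts_genuine": mac_verify(SERVER_KEY, COOKIE, mac_tag(SERVER_KEY, COOKIE)),
        "mac_accepts_forged": mac_verify(SERVER_KEY, forged_cookie, forged_tag),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Note that the MAC does not hide the cookie contents; if the claims are sensitive, encrypt as well as authenticate.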

Understanding this construction is the goal of this post, and we start by looking at what a Message Authentication Code is.

What is a Message Authentication Code

A message authentication code is extra data that is used to confirm that a piece of data came from the stated sender (authenticity) and has not been changed (integrity). This extra piece of data is often referred to as the authentication tag. Because the sender and the verifier share the same secret key, a MAC only proves origin to another holder of that key; it does not provide non-repudiation the way a digital signature does.

In general, MACs can be broadly classified into four categories: unconditionally secure, hash function-based, stream cipher-based and block cipher-based. In this post I only touch on two hash function-based ones: HMAC (keyed-hash message authentication code) and KMAC (KECCAK message authentication code).

In summary, hash function-based MACs can be seen as a hash function mixed with a secret key. Let's look first at HMAC.

What is HMAC

HMAC is a MAC created by combining a cryptographic hash function with a secret cryptographic key.

The cryptographic hash function can be any secure hash function, such as a member of the SHA-2 or SHA-3 family, and the choice is reflected in the name of the resulting HMAC. For example, HMAC-SHA256 and HMAC-SHA3-512 are created using a secret key with SHA-256 (from SHA-2) and SHA3-512 respectively.

As noted in Introduction to Cryptographic Hash Functions for the Working Developer, naively hashing the secret concatenated with the message, H(key ‖ message), is insecure with SHA-2 because of the length extension attack: given the tag and the message, an attacker can continue the hash computation and produce a valid tag for message ‖ extra without knowing the key. This affects SHA-256 and SHA-512; the truncated variants SHA-384 and SHA-512/256 discard enough of the internal state that the attack does not apply to them. This is why HMAC is needed when the requirement is to use SHA-2 with a key in order to create an authentication tag.

Although it is beyond the scope of this post to dig into how HMAC works in detail, it is worth pointing out that HMAC is not a naive concatenation of key and data. It uses a nested construction, H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ message)): the inner hash is itself hashed again together with the key, so extending the inner input does not give an attacker a valid outer value. This is what makes HMAC immune to the length extension attack even when the underlying hash is not.
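To make the nested construction concrete, here is HMAC written out from its definition (RFC 2104 / FIPS 198-1) and checked against Python's hmac module. This is an added example, not code from the original post; the helper name hmac_from_definition is mine. The key is first brought to exactly one hash block (hashed down if longer, zero-padded if shorter) before the inner and outer passes, which is why the block size, not the digest size, matters here.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key at exactly one hash block: hashed down if it is longer than
    the block size, then zero-padded on the right. The outer hash over the inner
    digest is what defeats length extension on the inner H(K' xor ipad || m).
    """
    h = lambda data: hashlib.new(hash_name, data)
    block_size = h(b"").block_size  # 64 for SHA-256, 128 for SHA-512, 72 for SHA3-512
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)   # inner pad
    opad_key = bytes(b ^ 0x5C for b in key)   # outer pad
    inner = h(ipad_key + message).digest()
    return h(opad_key + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check against the standard library's implementation."""
    return hmac_from_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
    print(hmac_from_definition(b"\x0b" * 20, b"Hi There").hex())
```

The same function works unchanged with hash_name="sha3_512", which is exactly HMAC-SHA3-512 from the text: correct, but two passes through the sponge where KMAC needs one.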

SHA-3, on the other hand, is not susceptible to the length extension attack, so it is relatively safe to create an authentication tag manually as SHA3-512(KEY ‖ message). But since the HMAC construction is available, it is also possible to use it with SHA-3 instead, giving HMAC-SHA3-512.

Using HMAC-SHA3-512 is not insecure, but it is not advised, because it does unnecessary work: the nested construction exists to compensate for a weakness that SHA-3 does not have. As stated in NIST SP 800-185:

KMAC is a keyed hash function or pseudo-random function (PRF) that can be used, e.g., to compute a message authentication code (MAC) or to derive a session key from a master key. It is more efficient than HMAC by removing the need for HMAC's nested construction 

Hence, when there is a need to use SHA-3 to create an authentication tag, it is preferable to do so using KMAC, which we look at next.

What is KMAC

The KECCAK Message Authentication Code (KMAC) algorithm is also a keyed hash function, but one built directly on KECCAK, the sponge construction underlying SHA-3, rather than on a hash function wrapped in HMAC's nested construction.

It provides variable-length output, and unlike SHAKE and cSHAKE, altering the requested output length also produces a new, unrelated output: the requested length is encoded into the input, so a 256-bit KMAC tag is not a prefix of the 512-bit one computed over the same key and message.

KMAC has two variants, KMAC128 and KMAC256, built from cSHAKE128 and cSHAKE256 respectively, targeting 128-bit and 256-bit security strength.

Some real world applications of Message Authentication Code


JSON Web Token

The JSON Web Token (JWT) is an open industry standard (RFC 7519) for representing claims between two parties. When the token is signed, it provides integrity and authenticity for the claims it carries. For example, a JWT can solve the problem of a server verifying the integrity and authenticity of the cookies it receives back from browser clients. Note that a signed JWT is only base64url-encoded, not encrypted: anyone holding the token can read its claims.

JWT provides the option of specifying an HMAC construction as the signing algorithm: HS256, HS384 and HS512 are HMAC with SHA-256, SHA-384 and SHA-512 respectively. The verifier must check the tag, and should only accept the algorithm it expects rather than whatever the token's header names.

See here and here for more information on JWT.

HMAC-based one-time password

A one-time password (OTP) is a dynamic password that is valid for only one login session or transaction, or for a short period of time. Certain OTP implementations make use of HMAC; these are called HOTP (HMAC-based one-time password, RFC 4226). The widely used time-based variant TOTP (RFC 6238) is HOTP with the counter derived from the current time. A popular app implementing both is Google Authenticator.

Signing HTTP Links

HTTP links used for sensitive operations, such as password resets or payment links, can carry a MAC computed over the link's parameters (and usually an expiry time). The server recomputes the MAC before acting on the request, which ensures the integrity and authenticity of such links: the account, amount or expiry in the link cannot be altered without invalidating the tag.
