
Assume both Alice and Bob share a symmetric key, let's call it $k$.
They agree on a cryptographic hash function, let's call it $\mathsf{HASH}$.

Now Alice wants to send an authenticated message.
She sends $\left(\mathsf{msg}\parallel\mathsf{HASH}_\mathsf{k}(\mathsf{msg})\right)$ to Bob. Bob computes the hash of $\mathsf{msg}$ himself and checks whether it equals the hash he received from Alice.

My question is:

When Alice sends $\left(\mathsf{msg}\parallel\mathsf{HASH}_\mathsf{k}(\mathsf{msg})\right)$, doesn't Eve, an eavesdropper on the network, see this packet in cleartext, which breaks confidentiality?

How can confidentiality be protected?

My guess is that the whole MAC-authenticated message $\left(\mathsf{msg}\parallel\mathsf{HASH}_\mathsf{k}(\mathsf{msg})\right)$ is wrapped in some kind of cryptographic function?

3 Answers


A MAC is used to ensure two properties, really: the message has not been altered, and the message has indeed been sent by Alice and not Eve. If the MAC is secure, then Eve cannot change the message and compute a valid MAC for the modified message. Eve can read the message, but in this scenario we only protect messages against modification and we want to know that they come from Alice (as Bob believes only Alice has the key for the MAC, she is the only one, besides himself, able to generate and check the MAC). Such MAC-only networks do occur when speed (avoiding encryption overhead) and authenticity are your main concerns, e.g. in alarm systems, where you don't want the alarm messages to be modified by an attacker but you don't care about them being private.

It is possible to combine it with another cryptographic primitive if privacy is desired. It's most common to encrypt the data, then compute a MAC over the ciphertext and send both (Encrypt-then-MAC). Also possible, but possibly less secure: encrypt the plaintext together with its MAC and send the resulting ciphertext (MAC-then-Encrypt), or encrypt the plaintext and send the ciphertext together with the MAC of the plaintext (Encrypt-and-MAC). This possibly leaks some information. But all three have been done. Or use an authenticated-encryption mode of a block cipher like GCM or OCB mode. These modes mostly follow the Encrypt-then-MAC paradigm, as that has the better security proofs.

Henno Brandsma
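To make the distinction in this answer concrete, here is an added example in Python (my code, not from the answer or from any library it mentions): the questioner's MAC-only packet $\mathsf{msg}\parallel\mathsf{HMAC}_k(\mathsf{msg})$ next to Encrypt-then-MAC and Encrypt-and-MAC, with a tamper check on the receiving side. Assumptions: HMAC-SHA256 is the MAC; because the Python standard library has no AES, the stream cipher is a stand-in PRF counter mode built from HMAC-SHA256 (a production system would use AES-CTR, ChaCha20 or, better, an AEAD such as AES-GCM); the master key and the message are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (an assumption of this example; stdlib has no AES):
    keystream block i = HMAC-SHA256(k_enc, nonce || i), i.e. a PRF in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(master: bytes):
    """Key separation: one key for encryption, a different one for the MAC."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def mac_only(k_mac: bytes, msg: bytes) -> bytes:
    """The questioner's scheme: msg || HMAC_k(msg). Integrity and origin only, no secrecy."""
    return msg + hmac.new(k_mac, msg, hashlib.sha256).digest()


def encrypt_then_mac(master: bytes, msg: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC: packet = nonce || ct || HMAC(k_mac, nonce || ct)."""
    k_enc, k_mac = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def verify_then_decrypt(master: bytes, packet: bytes) -> bytes:
    """Check the tag (constant-time compare) before touching the ciphertext."""
    k_enc, k_mac = derive_keys(master)
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed, packet rejected before decryption")
    return _xor(ct, _keystream(k_enc, nonce, len(ct)))


def encrypt_and_mac(master: bytes, msg: bytes, nonce=None) -> bytes:
    """Encrypt-and-MAC: packet = nonce || ct || HMAC(k_mac, msg); the tag is over the plaintext."""
    k_enc, k_mac = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    return nonce + ct + hmac.new(k_mac, msg, hashlib.sha256).digest()


def demo() -> dict:
    master = b"key shared by Alice and Bob"   # constructed sample key
    msg = b"ALARM: door 3 opened"             # constructed sample message
    k_mac = derive_keys(master)[1]
    pkt = encrypt_then_mac(master, msg)
    results = {
        "mac_only_reveals_plaintext": msg in mac_only(k_mac, msg),
        "etm_hides_plaintext": msg not in pkt,
        "etm_roundtrip": verify_then_decrypt(master, pkt) == msg,
    }
    tampered = bytearray(pkt)
    tampered[NONCE_LEN] ^= 0x01                 # flip one bit of the ciphertext
    try:
        verify_then_decrypt(master, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Same plaintext sent twice: E&M repeats the tag, so an eavesdropper learns the two
    # messages are equal; the EtM tag covers the fresh nonce and ciphertext, so it differs.
    results["eam_tag_repeats"] = encrypt_and_mac(master, msg)[-TAG_LEN:] == encrypt_and_mac(master, msg)[-TAG_LEN:]
    results["etm_tag_repeats"] = encrypt_then_mac(master, msg)[-TAG_LEN:] == encrypt_then_mac(master, msg)[-TAG_LEN:]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` returns a set of checks: the MAC-only packet contains the plaintext verbatim, the Encrypt-then-MAC packet does not, a single flipped ciphertext bit is rejected before any decryption happens, and Encrypt-and-MAC yields the same tag whenever the same plaintext is sent, which is the kind of leak the answer alludes to.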

A MAC only authenticates a message; it does not hide it. So it does not matter if the message is sent in plaintext, as long as it cannot be modified without detection. The adversary can observe the message, but cannot modify it and then compute a valid MAC (assuming the given MAC is secure), because it does not know the secret key.

========================

Update: Just so you know, it's not trivial to construct a secure MAC from a hash function. See this, this, and this.

Shan Chen
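The update above says building a secure MAC from a hash function is not trivial, without reproducing the linked references here. The added example below (my code, not from the answer) shows the standard reason for a Merkle-Damgård hash such as SHA-256: the naive construction $\mathsf{HASH}(k\parallel\mathsf{msg})$ is subject to length extension, so Eve, knowing only $\mathsf{msg}$, its tag and the key length, can produce a valid tag for an extended message without the key, whereas HMAC resists the same attack. Assumptions: SHA-256 is re-implemented in pure Python so that its chaining state can be set (it is checked against `hashlib`), and the key, message and suffix are constructed sample values.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF


def _first_primes(n):
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes


def _icbrt(n):
    """Exact integer cube root (floor), Newton's method from an upper bound."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# FIPS 180-4 constants, derived exactly: fractional bits of sqrt/cbrt of the first primes.
_P = _first_primes(64)
H0 = tuple(math.isqrt(p << 64) & MASK for p in _P[:8])
K = tuple(_icbrt(p << 96) & MASK for p in _P)


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def _padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(data, state=H0, already_hashed=0):
    """SHA-256 of data, optionally resuming from a chaining state reached after
    already_hashed bytes (a multiple of 64) were absorbed. This resumability is the attack."""
    buf = data + _padding(already_hashed + len(data))
    st = list(state)
    for off in range(0, len(buf), 64):
        st = _compress(st, buf[off:off + 64])
    return struct.pack(">8L", *st)


def naive_mac(key, msg):
    """The insecure construction HASH(k || msg)."""
    return hashlib.sha256(key + msg).digest()


def length_extend(tag, key_len, msg, suffix):
    """Eve's forgery: from (msg, tag) and the key length alone, a valid tag for
    msg || glue || suffix, where glue is the padding the hash applied to key || msg."""
    glue = _padding(key_len + len(msg))
    state = struct.unpack(">8L", tag)            # the tag IS the hash's internal state
    consumed = key_len + len(msg) + len(glue)    # bytes already absorbed when the tag was made
    return msg + glue + suffix, sha256(suffix, state, consumed)


def demo() -> dict:
    key = b"s3cr3t-k3y"                 # constructed; Eve only knows its length
    msg = b"amount=100&to=alice"        # constructed
    forged_msg, forged_tag = length_extend(naive_mac(key, msg), len(key), msg, b"&to=eve")
    hm_tag = hmac.new(key, msg, hashlib.sha256).digest()
    _, hm_forged = length_extend(hm_tag, len(key), msg, b"&to=eve")
    return {
        "sha256_matches_hashlib": sha256(b"abc") == hashlib.sha256(b"abc").digest(),
        "sha256_multiblock_matches": sha256(b"a" * 200) == hashlib.sha256(b"a" * 200).digest(),
        "naive_forgery_accepted": naive_mac(key, forged_msg) == forged_tag,
        "forged_msg_ends_with_suffix": forged_msg.endswith(b"&to=eve"),
        # HMAC's outer hash over the inner hash means extending the tag gives nothing useful.
        "hmac_forgery_accepted": hmac.compare_digest(
            hmac.new(key, forged_msg, hashlib.sha256).digest(), hm_forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged message carries the padding bytes of the original in the middle, which is often harmless to a parser that splits on `&`; the point is that the verifier computing $\mathsf{HASH}(k\parallel\mathsf{msg}')$ accepts it. If the key length is unknown, Eve simply tries plausible lengths. HMAC (or a hash without this structure, e.g. SHA-3) is the right tool.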

It seems your question is how to hide the message $m$ in addition to authenticating it.
You need encryption in addition to the MAC, because encryption provides confidentiality (not necessarily integrity), while MACs/signatures provide integrity (not confidentiality).

A short answer for your scenario is to use authenticated encryption, such as AES-GCM.

Weikeng Chen