Questions tagged [mac]

MAC (or message authentication code): a short piece of information used to authenticate a message, and the algorithm that creates and checks such information using a secret key.

605 questions
429 votes, 13 answers

Should we MAC-then-encrypt or encrypt-then-MAC?

Most of the time, when some data must be encrypted, it must also be protected with a MAC, because encryption protects only against passive attackers. There are some nifty encryption modes which include a MAC (EAX, GCM...) but let's assume that we…
Thomas Pornin
251 votes, 2 answers

What are the differences between a digital signature, a MAC and a hash?

A message may be accompanied with a digital signature, a MAC or a message hash, as a proof of some kind. Which assurances does each primitive provide to the recipient? What kind of keys are needed?
Flimm
63 votes, 2 answers

Why is $H(k\mathbin\Vert x)$ not a secure MAC construction?

If $H(m)$ is a secure hash function, can't we implement a MAC using $H(k\mathbin\Vert m)$? However, it seems the more widely used MACs, such as NMAC and HMAC (both originally defined in Keying hash functions for message authentication) use a much…
Anne Nonimus
60 votes, 2 answers

What is the difference between MAC and HMAC?

In reference to this question, what are the "stronger security properties" that HMAC provides over MAC? I got that MAC requires an IV whereas HMAC doesn't. I also understood that MAC may reveal information about plaintext in contrast to HMAC. Is my…
TheRookierLearner
50 votes, 2 answers

AES-GCM recommended IV size: Why 12 bytes?

When using AES-GCM, a 96-bit IV is generally recommended. Most implementations I've seen also use 96-bit. However, I'm unsure on where this recommendation or convention comes from. Let's assume a shorter IV is bad. Assuming all other constraints for…
Hendrikvh
44 votes, 1 answer

Ciphertext and tag size and IV transmission with AES in GCM mode

I am completely new to using AES in GCM mode of operation, and I do not have a very large background in cryptography either. I have been playing with OpenSSL trying to encrypt and decrypt some messages. From my simple experiments arise the following…
Matteo Monti
42 votes, 4 answers

Purpose of outer key in HMAC

From what I know, the HMAC construction has two strengths: It's resistant to length extensions. Since the key is consumed before the message, the attacker does not know the initial state, preventing simple collision attacks. But the simple…
CodesInChaos
37 votes, 4 answers

Why is plain-hash-then-encrypt not a secure MAC?

It seems that even in MAC-then-encrypt systems like SSL, something like HMAC is used rather than a plain hash. Why? Suppose we use some stream cipher; then why can't we use $Encrypt(m | H(m))$ as the MAC-then-encrypted version of the message?…
ithisa
29 votes, 2 answers

HMAC vs MAC functions

I've read definitions of MAC and HMAC, but can't say I've completely grasped the differences. What are the principal differences? When to use one and when the other? (Typical use cases)
Matteo
27 votes, 1 answer

Use cases for CMAC vs. HMAC?

Both can be used to verify the integrity of a message. Assuming you have the needed primitives available to you (i.e. the code space of needing both a cipher and a hash function isn't prohibitive), is there any reason to prefer one over another? In…
Alex Gaynor
26 votes, 4 answers

Attacks of the MAC construction $\mathcal{H}(m\mathbin\|k)$ for common hashes $\mathcal{H}$?

Consider a common practically-collision-resistant hash function $\mathcal{H}$ (e.g. SHA-1, SHA-256, SHA-512, RIPEMD-160), perhaps based on the Merkle–Damgård construction as are the first three. We define a Message Authentication Code…
fgrieu
26 votes, 2 answers

Is HMAC needed for a SHA-3 based MAC?

HMAC does nested hashing in order to prevent Length Extension Attacks. Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure…
hl3mukkel
25 votes, 1 answer

Why is SHA-3 robust against Length-Extension Attacks?

If a length extension attack can occur because of $H(\text{K}\mathbin\|\text{Message})$, what changed in SHA-3 from SHA-2 that prevents this from occurring?
elberman
25 votes, 2 answers

Definition of "pepper" in hash functions

I am confused about the notion of "pepper" in the context of storing hashes of users' passwords. Definition 1: A pepper is a secret key. Looking around the Internet, for example here or here, a pepper is frequently defined to be a fixed and randomly…
Malte Skoruppa
25 votes, 2 answers

Is H(k||length||x) a secure MAC construction?

If $H$ is a typical secure hash function, then $(k,x) \mapsto H(k \mathbin\| x)$ is not a secure MAC construction, because given a known plaintext $x_1$ and its MAC $m_1$, an attacker can extend $k \mathbin\| x_1$ to a longer message with the same…