@@ -412,46 +412,63 @@ format that has been standardized by NIST. DSS signatures may use any
412412one of three public-key ciphers, one based on RSA, another on ElGamal,
413413and a third called the *Elliptic Curve Digital Signature Algorithm *.
414414
415- Another kind of authenticator is similar, but instead of encrypting a
416- hash it uses a hash-like function that takes a secret value (known
417- only to the sender and the receiver) as a parameter, as illustrated in
418- :numref: `Figure %s <fig-macAndHmac >`. Such a function outputs an
419- authenticator called a *message authentication code * (MAC). The sender
420- appends the MAC to her plaintext message. The receiver recomputes the
421- MAC using the plaintext and the secret value and compares that
422- recomputed MAC to the received MAC.
423-
424- .. _fig-macAndHmac :
425- .. figure :: figures/f08-05-9780123850591.png
426- :width: 600px
427- :align: center
428-
429- Computing a MAC (a) versus computing an HMAC (b).
430-
431- A common variation on MACs is to apply a cryptographic hash (such as
432- MD5 or SHA-1) to the concatenation of the plaintext message and the
433- secret value, as illustrated in :numref: `Figure %s
434- <fig-macAndHmac>`. The resulting digest is called a *hashed message
435- authentication code * (HMAC) since it is essentially a MAC. The HMAC,
436- but not the secret value, is appended to the plaintext. Only a receiver
437- who knows the secret value can compute the correct HMAC to compare
438- with the received HMAC. If it weren’t for the one-way property of the
439- hash, an adversary might be able to find the input that generated the
440- HMAC and compare it to the plaintext message to determine the secret
441- value.
415+ An widely used alternative approach to encrypting a hash is to use a
416+ hash function that takes a secret value (a key known only to the
417+ sender and the receiver) as an input parameter in addition to the
418+ message text. Such a function outputs a message authentication code
419+ that is a function of both the secret key and the message
420+ contents. The sender appends the calculated message authentication
421+ code to the plaintext message. The receiver recomputes the
422+ authentication code using the plaintext and the secret value and
423+ compares that recomputed code to the code received in the message. The
424+ most common approaches to generating these codes are called HMACs or
425+ keyed-hash message authentication codes.
426+
427+ HMACs can use any hash function of the sort described above, but they
428+ also include the key as part of the material to be hashed, so that a
429+ HMAC is a function of both the key and the input text. An approach to
430+ calculating HMACs has been standardized by NIST and takes the
431+ following form:
432+
433+ HMAC = H((K⊕opad) || H((K⊕ipad) || text))
434+
435+ H is the hash function, K is the key, and opad (output pad) and ipad
436+ (input pad) are well-known strings that are XORed (⊕) with the key. ||
437+ represents concatenation.
438+
439+ A deep explanation of this HMAC function is beyond the scope of this
440+ book. However, this approach has been proved to be secure as long as
441+ the underlying hash function H has the appropriate
442+ collision-resistance properties outlined above. Note that the HMAC
443+ takes a hash function *H * that is not keyed, and turns it into a keyed
444+ hash by using the key (XORed with another string, *ipad *) as the first
445+ block to be fed into the hash function. The output of
446+ the keyed hash is then itself subjected to another keyed hash (again
447+ by XORing the key with a string and using that as the first block fed
448+ to the hash). The two passes of the keyed-hash function are important
449+ to the proof of security for this HMAC construction.
442450
443451Up to this point, we have been assuming that the message wasn’t
444- confidential, so the original message could be transmitted as plaintext.
445- To add confidentiality to a message with an authenticator, it suffices
446- to encrypt the concatenation of the entire message including its
447- authenticator—the MAC, HMAC, or encrypted digest. Remember that, in
448- practice, confidentiality is implemented using secret-key ciphers
449- because they are so much faster than public-key ciphers. Furthermore, it
450- costs little to include the authenticator in the encryption, and it
451- increases security. A common simplification is to encrypt the message
452- with its (raw) digest, such that the digest is only encrypted once; in
453- this case, the entire ciphertext message is considered to be an
454- authenticator.
452+ confidential, so the original message could be transmitted as
453+ plaintext. To add confidentiality to a message with an authentication
454+ code, it suffices to encrypt the concatenation of the entire message
455+ including its authentication code. Remember that, in practice,
456+ confidentiality is implemented using secret-key ciphers because they
457+ are so much faster than public-key ciphers. Furthermore, it costs
458+ little to include the authenticator in the encryption, and it
459+ increases security.
460+
461+ In recent years, the idea of using a single algorithm to support both
462+ authentication and encryption has gained support for reasons of
463+ performance and simplicity of implementation. This is referred to as
464+ *authenticated encryption * or *authenticated encryption with
465+ associated data *. The latter term allows for some data fields (e.g.,
466+ packet headers) to be transmitted as plaintext—these are the
467+ associated data—while the rest of the message is encrypted, and the
468+ whole thing, headers included, is authenticated. We won't go into
469+ details here, but there is now a set of integrated algorithms that
470+ produce both ciphertext and authentication codes using a combination
471+ of ciphers and hash functions.
455472
456473Although authenticators may seem to solve the authentication problem, we
457474will see in a later section that they are only the foundation of a
0 commit comments