So let's have a little look at message authentication codes
Which are slightly more interesting than they sound so people shouldn't which off yet on the internet when we send messages
We often send them encrypted the idea being that we don't want people to read them that makes a lot of sense
the issue is that
Not being able to read the message doesn't mean you can't interfere with the message. You can't start changing the message
Trying to I've erect the communication or alter surreptitiously the communication to say something that you want
This is where message authentication codes become a really big deal
Max as we call them are attached to most of the messages that get sent on the internet however
They're built into the cypher or they are appended to every message that gets sent even if it's encrypted
And they basically guarantee that the message haven't been changed
So let's have a little bit of a look at that
But first let's have a quick look at an example of what you can do if you start officially changing ciphertext
usually when we're encrypting data
online we are view the block cipher or use a stream cipher like they each have pros and cons and a
Detailed look at each of those is for a different time, but a stream cipher. They're quite common
You know when you do things like streaming video because they let you often seek straight to the middle of somewhere
And it also very very quick right so mobile communications
You stream cyphers quite a lot instead of encrypting a message
Of a key it will actually just use the key to generate a long
Pseudo-Random key stream for as long as it's required and then we use xor to actually perform the encryption so basically we start
Flipping bits of a plaintext to get to the ciphertext now the difficulty with this is that we can bend as a sort of malicious
Third party just flip the bits back all right so we can flip the bits in the ciphertext
And they will cause a direct change in the input all right
So I'm going to show a quick example just to show you the kind of problem
We're dealing with so I've got here a an xor calculated
I found so I'm going to put in a message, please send my 100 pounds
This is just a calculator who doesn't actually perform Keystream generations
I've got a key stream that I've I'm going to paste it in here. So this is my key stream
Which is just in hex? Well, that's your stream
Come from is not just oh, I will actually generated it by just putting random nonsense into another stream cipher
You could generate this any way you like it has to appear Random if it's not random
Enuine Rules have all the straight incisor for the sake of this small example. Which is just random enough
So you know so if I calculate the xor on this we get a message in let's say
Hexadecimal which is completely nonsense right? This is our encrypted message if you
View this as Ascii
It won't say this and it won't say anything useful at all the problem is if I start changing the bits here
And we reverse this process for decryption. We can actually change the amount I get sent like which unfortunately
This is a purely hypothetical example. I don't actually get any money
So in a block cipher because the whole block is encrypted as one
Usually any kind of bit change in this ciphertext will completely wreck the output when you try and decrypt it
That is not true of a stream cipher a stream cipher is one bit at a time
which means that if I change a bit in my
Ciphertext I can flip bits in my
Plaintext so let's try this if I put my encoded in hex in
my input the key stays the same and we can't play it the xor you can see that we've
Decrypted two, please send micro hundred pounds, but if I flip, so these each of these bytes here
Corresponds to a bite of this ascii if I change this to a 31, and then I can't play the xor on it
I'm suddenly being sent 900 pounds
That's a huge profit if we weren't doing something else which of course is what I'm about to get to
extreme size will be completely useless practically because
you could just change the message even if you didn't know what it is things like bank transactions and
Logins and things like this are always sent in the same format
It doesn't make sense for a bank to change the format
They use all the time so although they're going to be more complicated than please send Mike person
Please send Mike which is computer although very more complicated than this they're not a lot more complicated and so the same bit will often
Correspond to the same
part of the transaction
Account numbers the values this kind of thing so we can't allow people halfway
Middlemen to start flipping bits because it's Gonna cause a real problem
So people have luckily spotted this problem and dealt with it already right, so I'm going to explain how it's done
Well, you can imagine we might do is a bit like a checksum, right?
So we've got a message here right that we want to try and verify
That haven't been tampered with so I'm sending you a message. This is my message
So what I do is I hash this message, or I can't paid chips
I'm on it or something like that
And I append that hash to the end of the message
so think back to our video on Char one the hash is just a
usually shorter fixed length
String that is essentially a summary or fingerprint of this message and the idea usually is that we can't
Find another hash for a different message, but it's the same so the problem here. Can you finish what it is?
Surely you can just still change yeah
It's totally useless like I've don't do this if you're watching this please don't quit the video now and go brilliant
We've got the solution and the problem is if I'm a third party I intercept this message. I stop the transmission
I then changed this message to be whatever. I want and then I
Recompute the hash and attach it and then the person
Verifying this message on the other end hashes it goes all the hashes match. This is the kind of naive approach
Which is isn't going to work long term?
All right
This works on like your disk for making sure that a file hasn't got like checksum errors and things like this
Beyond that if a security not going to work what we need to have is some kind of shared secret like wall of these things
So let's imagine that you and I have shared a key okay?
Right so we have this secret key that only you and I know
What we can do is we can take our message, and we can instead
produce a hash of
K appended to the message like this right again. Don't quit the video yet. We're not I'm going to hit ourselves
This is better right it's not complete solution
But it's better the nice thing about this is that because I knew you and I know the key
Right which is it kind of the assumption of encryption?
Then no one else can change the message they alter the message
They aren't going to be able to recompute this hash because they don't have the key that's the idea
So this is called a message authentication code now. That works. Okay. The problem is the hash functions. We use like Sha-1 and
Sha-256 are based around this merkle-damgard construction
Which essentially changes their internal state and the problem is you can kind of resume that state and basically?
append to the message
We can maybe talk about laser extension attacks another time exactly how they work
But the idea is that I could append to this message and be able to calculate a new hash
Reasonably well right, and it's not that difficult to do as long as I can guess the length of the ed Key
Right which is not that hard compared to getting the actual key so this isn't going to work for current hash function Ja three isn't?
susceptible for this, but Shafi doesn't see as much as ShA-256 at Moment, so
This brings us on to our kind of true say our actual
Usable technique called the h Mac which is the h ma see the Keyed hash?
Message authentication code
It's actually pretty similar to a standard message of indication code except with two hashes involved and it's completely immune to length extension attacks
So what we do is we take our key and we use it to derive two
Sub Keith's like k 1 and k 2 so this is k 2 this is k 1 and then we calculate our hash of
K 1 with our message and then we append that to k 2
And we hash it again
Okay, so q nice animation
But the idea is you can't perform the same length extension attack on?
This message because essentially we would have to know what the internal state of our hash function was after this middle point
Which we wouldn't know like we were as we do know it here
I mean, I think only personally I will be happy to derive
Is that Ia there's no massive got a very good question okay?
So be it either derived by basically taking two constants and xor in them with the key separately okay?
So we have one constant then we just compare what they are on person idling. Yeah, what's the I pad?
RB inner Pad is 36 and the outer Pad is 5C. Okay, this inner Pad here is the iPad?
Which is oh what concerns the other half of the I'll pass along on a minute I?
think
the age mat construction was first constructed in
1996 so we this one did like actually this doesn't stand for I in terms of information, or you know?
Internet or anything webby?
This is it's this hyper internal, so the iPad is our x 36 in hex the outer Pad 53 those were chosen
Sort of arbitrarily. It's not very important what they are actually these are kind of like nothing up my sleeve numbers
but they have it they have a
For people who watch David Wells's video. They have a large hamming distance between the two
But the point is that they have they have that many bits in common, and they're not exactly the same which is crucial
Look more and more random as we go and at the same time
We're bringing in bits from this message to further increase the appearance of randomness
But also to make sure that this char function is calculating a digest on this specific message rather than just a general one
That's the same every time for this
