I have heard that Message Authentication Codes give source authentication.
But I am a little confused. Message authentication makes a hash code by hashing data or message and when the packet arrives at the destination, it checks the MAC code with the hash code it got from hashing packet message.
At this point, many websites say that by doing this, it can give the source authentication because of a secret key.
But hashing doesn't need a secret key.
So how does it work?
Asked
Active
Viewed 394 times
0
1 Answers
1
The client would take a piece of data, typically the body of your message itself and use a hashing algorithm that takes two inputs - your input and a long random secret pre-shared key, normally the key would be concatenated to the message before hashing to make it harder to determine the key from a block of cipher text.
This creates a HMAC - hashed message authentication code, it can be created with many hashing algorithms such as md5 or the SHA family. The HMAC offers a guarantee of data integrity as the hash would would not match if any part of the message has been modified.
The client performs an operation in the form MAC = Hash(key, data) and sends this with the message.
On receipt, the server which knows the key is able to perform the same operation and verify it came from the claimed source. To be more accurate, it only proves it came from a source that knows the secret key.
The HMAC security is dependant on the algorithm chosen and key length, common attacks are brute force attempts on the key.
Further info
