Exchanging Sensitive Information Using Message Authentication Code
When exchanging sensitive information, the receiver must have assurance that the message has arrived intact from the intended sender. Protecting the validity and accuracy of the data or messages exchanged gives confidence when making key, informed decisions.
Messaging apps like Telegram now let users edit their messages after sending them, so the receiver should not rely completely on the message as displayed. The following example illustrates the problem.
Say Bob and Sasha are having a conversation on Telegram and agree on a certain action. What if Sasha takes the action and Bob later changes (or edits) the content of the original message, and then denies that such a condition was ever agreed between them?
So how do we ensure that the messages exchanged between Bob and Sasha are intact and unaltered between updates?
One way to achieve this is to use a MAC algorithm. A Message Authentication Code (MAC) is based on symmetric-key cryptographic techniques and is used to check the authenticity of a message. In other words, it confirms that the message came from the expected sender and that the contents of the message have not been changed.
Let’s understand how exchanging sensitive information can be done using MAC:
- Generate the MAC value and send it to the recipient.
- Re-compute the MAC value.
- Compare the results.
Try out the MAC generator algorithm yourself here: https://www.freeformatter.com/hmac-generator.html
Limitations of Message Authentication Code:
There are two major limitations of MAC, both due to the symmetric nature of its operation:
- Establishment of a shared secret:
The users risk establishing or sharing the secret key over an insecure communication channel.
- Inability to provide non-repudiation:
Non-repudiation is the assurance that a message originator cannot deny any previously sent messages, commitments or actions. Because the secret key is known to both parties, it is impossible to determine which of them originally computed the MAC. Therefore, MACs cannot provide proof that a message was indeed sent by the sender.
Let’s say Sasha receives a box from Bob that has a combination lock. The key code for unlocking the box is known only to Bob and Sasha. Once Sasha receives the box, she uses the key to unlock it and sees the content inside.
Since the box opened with the key, Sasha assumes that the box came from Bob. However, Sasha can’t prove to a third party that the box came from Bob, and Bob can deny having sent it. Therefore this arrangement does not provide non-repudiation.
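As an added example (not code from the original post), the generate, re-compute and compare steps and the non-repudiation limitation can both be shown with Python's standard `hmac` module. HMAC-SHA256, the sample messages and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 is the MAC algorithm; the post does not name one.
def generate_mac(key: bytes, message: bytes) -> bytes:
    """Step 1: the sender computes the tag that travels with the message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Steps 2 and 3: re-compute the tag and compare in constant time."""
    expected = generate_mac(key, message)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    # Constructed sample data: a key Bob and Sasha shared beforehand,
    # plus an original message and an edited copy of it.
    shared_key = secrets.token_bytes(32)
    original = b"Bob: I agree to pay 100 on delivery"
    edited = b"Bob: I agree to pay 10 on delivery"

    bob_tag = generate_mac(shared_key, original)  # Bob sends message + tag
    results = {
        "original_accepted": verify_mac(shared_key, original, bob_tag),
        "edited_accepted": verify_mac(shared_key, edited, bob_tag),
        "wrong_key_accepted": verify_mac(
            secrets.token_bytes(32), original, bob_tag
        ),
    }
    # Non-repudiation limitation: Sasha holds the same key, so she can
    # produce a tag identical to Bob's. A third party shown the message
    # and tag cannot tell which of the two computed it.
    sasha_tag = generate_mac(shared_key, original)
    results["tags_indistinguishable"] = hmac.compare_digest(bob_tag, sasha_tag)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken does not reveal how many leading bytes of a forged tag were correct.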
Digital signatures overcome these limitations. They are discussed in our post ‘Digital Signatures and Use in Blockchain’.