NoteVerse

AES and Message Authentication Codes (MAC)

Comprehensive study notes, diagrams, and exam preparation for AES and Message Authentication Codes (MAC).

AES and Message Authentication Codes (MAC)

Definition

AES is a symmetric-key block cipher that encrypts and decrypts data in fixed-size blocks of 128 bits using secret keys of 128, 192, or 256 bits.

A MAC (Message Authentication Code) is a short cryptographic tag generated from a message and a secret key, used to verify that the message came from the expected sender and was not modified in transit.

Main Content

1. AES (Advanced Encryption Standard)

Core purpose and nature

  • AES is designed to provide confidentiality. It transforms readable plaintext into unreadable ciphertext using the same secret key for both encryption and decryption.
  • It is a symmetric-key algorithm, meaning the sender and receiver must share the same key securely before communication begins.
  • AES processes data in 128-bit blocks, regardless of the key size.

Key sizes, structure, and importance

  • AES supports three key lengths:
    • 128-bit key → 10 rounds
    • 192-bit key → 12 rounds
    • 256-bit key → 14 rounds
  • The larger the key size, the stronger the resistance to brute-force attacks, although performance is slightly slower.
  • AES is based on a substitution-permutation network, which repeatedly mixes, substitutes, and scrambles data through multiple rounds.

Example

  • If the plaintext is HELLO1234567890 and a secret AES key is applied, AES produces ciphertext such as A7F3... that appears random.
  • Without the key, an attacker cannot practically recover the original message.

2. MAC (Message Authentication Code)

Core purpose and security properties

  • A MAC ensures integrity and authenticity.
  • Integrity means the message has not been changed.
  • Authenticity means the message was created by someone who knows the shared secret key.
  • A MAC does not provide confidentiality; the message content may still be readable if not encrypted.

How a MAC works

  • A sender computes a tag from the message and a secret key.
  • The receiver recomputes the tag using the same key and compares it with the received tag.
  • If both tags match, the message is accepted as genuine.
  • If even one bit of the message changes, the MAC value usually changes completely.

Examples of MAC algorithms

  • HMAC: Hash-based MAC, built from hash functions like SHA-256.
  • CMAC: Cipher-based MAC, built from block ciphers such as AES.
  • GMAC: A MAC derived from Galois/Counter Mode, often used with AES.

Example

  • Suppose a banking message says: Transfer $500 to Account X
  • A MAC tag is attached to it using a secret key.
  • If an attacker changes $500 to $900, the MAC verification fails because the tag no longer matches.

3. Relationship Between AES and MAC

Different roles in security

  • AES protects the content of data by keeping it secret.
  • MAC protects the trustworthiness of data by ensuring it is unchanged and from the right source.
  • They solve different problems and are often both needed in secure systems.

Why both are important

  • Encryption without authentication can be dangerous because attackers may alter ciphertext and cause meaningful changes after decryption.
  • Authentication without encryption protects integrity but not privacy.
  • A secure design usually includes both confidentiality and integrity.

Combination approaches

  • Encrypt-then-MAC: Encrypt the message first, then generate a MAC on the ciphertext. This is widely considered a strong and safe design.
  • MAC-then-encrypt: Generate a MAC on plaintext, then encrypt both. This approach has been used historically but can be more error-prone.
  • Authenticated encryption: Modern methods such as AES-GCM and AES-CCM combine encryption and authentication in one scheme.

Example

  • In secure messaging:
    • AES encrypts the text so outsiders cannot read it.
    • A MAC checks that the message was not altered in transit.
  • If either protection is missing, the communication is weaker.

Working / Process

1. Key generation and sharing

  • A secret key is generated and securely shared between sender and receiver.
  • For AES, the key may be 128, 192, or 256 bits long.
  • For MAC, the same secret key or a related key is used to create and verify the authentication tag.
  • Key secrecy is critical; if an attacker learns the key, both confidentiality and authentication can be broken.

2. Encryption and tag generation

  • The sender uses AES to encrypt the plaintext into ciphertext.
  • The sender then computes a MAC tag either on the plaintext or, preferably, on the ciphertext depending on the protocol design.
  • The message transmitted over the network includes the ciphertext and the MAC tag.

  • Example flow:

    Plaintext + Key | v AES Encrypt | v Ciphertext -----> MAC Generation -----> Ciphertext + Tag

3. Verification and decryption

  • The receiver first checks the MAC tag using the shared secret key.
  • If the tag is valid, the receiver proceeds to decrypt the ciphertext using AES.
  • If the tag is invalid, the message is rejected immediately because it may have been tampered with.

  • Example flow:

    Ciphertext + Tag + Key | v MAC Verification / \ Valid Invalid | | v v AES Decrypt Reject Message | v Plaintext

Advantages / Applications

Strong confidentiality with AES

  • AES is fast, efficient, and highly secure when properly implemented.
  • It is widely trusted in government, finance, and enterprise systems.
  • It works well in software and hardware, making it suitable for many devices.

Integrity and authenticity with MAC

  • MACs detect accidental corruption and malicious tampering.
  • They help ensure that messages are from a legitimate sender.
  • They are essential in secure APIs, banking systems, and network protocols.

Real-world security applications

  • Secure communication: TLS, VPNs, and messaging apps use AES with authentication mechanisms.
  • Data storage protection: Encrypted disks and backups use AES to protect files.
  • Network security: MACs validate packets and prevent forgery in many protocols.
  • Digital transactions: Payment systems use MACs to verify transaction messages.
  • Embedded and IoT systems: AES and MACs help secure limited-resource devices.

Summary

  • AES hides information by encryption.
  • MAC proves that a message is unchanged and from a trusted source.
  • Together, they provide stronger security for modern digital communication.
  • Important terms to remember: AES, symmetric key, block cipher, ciphertext, plaintext, MAC, integrity, authenticity, authentication tag
← Prev: DES
Next: Information-theoretic Secure MAC →