Great lecture, after a lot of searching this was finally the explanation I needed. The fact that professor had to beg the students for attention is so sad.

I love when he says "surprise surprise"..

At the beginning of the lecture, I had a doubt that this teacher could give me answers about my long-term questions about MAC (authentication and non-repudiation) and I must say that he gave me straight and simple anwers twenty minutes later: Thank you for this M Paar ! I enjoy the way you provide an example on the most important stuff.

Thank you very much for publishing all this material. It is incredibly helpful!

Love your lectures/videos. Thanks for posting.

Great lecture. After watching several videos this finally made things clear. Thanks.

Finally a good explanation that uses real-world examples, thank you

What a great lecture. I cannot help to be upset at the people chatting in the background. How come they do not realize how interesting, informative, and useful this is, explained so easily and straightforward. Thank you for posting your videos!

25:40 MACs from Hash Functions 59:25 HMAC construction

This man is an Amerian hero

Thanks for your great lecture, I have a question about MAC secret prefix MACs, if we have the message length information in the key K , would it still need to use HMAC for security concern ?

Great lecture!!!!!!!!!!!!!!!!

thank you sooo much sir

in 43:00, shouldn't we check m prime with m of Oscar not plain m ??

Great class

Thankuu !!!!

Where have you been this whole time!

Any programming explanation of these lessons. Or any resources to learn programming for these lecture. Any helps

Professor Paar, MAC is a wonderful concept incorporating the integrity and authenticity features of the security services. One thing I am struggling to understand is that if both encryption and MAC were used all these work well when both parties use the same algorithm for encryption and decryption. For example how does Alice know that Bob used MAC on sha1 with AES128 encryption so that she can decrypt using the same alogirthms at her end to verify the messages? The only thing Alice would see on the channel is the plain text and the MAC. Thanks, Satya

10.54 why do we transmit the clear text ( x ) over a public line?

1:03:26 - But.. that's what I am doing right now :o

I think I've come across a fallacy. When explaining 2.2 secret suffix MACs, professor Paar compares the brute force attack on key (128 bits) versus collision search (160 bits), he says the complexity should be 2^80 instead of 2^160 due to Birthday Paradox resulting 2^(n+1)/2 complexity. In the case of Birthday Paradox (Collision attack), we need Oscar to be able to freely choose X1 and X2 which is not the case here. Here, X1 is fixed and Oscar needs to find X2 that satisfies h(X2) = h(X1). In this case (2nd preimage attack), the complexity is computed as 2^n = 2^160. Is this correct or did I miss something?

At 26:50 you write down the basic idea of the hashed MAC. I'm not understanding this at all. From MACk(x) we get m but h(k,x) is what we want or what we're going to get...or is x=m or...? I am hoping the subsequent lecture clears things up but as a suggestion, could you rephrase your "basic idea"? That statement doesn't shout out to me "this is generally what we're after" (and it's supposed to be "basic"). Seems like we'd want h(k,m) at some level, and not h(k,x) (because we already have m) but again, I need to continue watching. Thanks for these! Without a doubt an amazing body of work!

At 33:10 the block size of SHA-1 is mentioned as 512 bits, that should be SHA-2.

Thank you for your lectures. Just one thing: Please never use red chalk on a green blackboard.

The instructor says that SHA-1 has a 512 bit output, as far as I know SHA-1 has a maximum output size of 160 bits, not 512. I'm still learning cryptography, so if I'm mistaken feel free to correct me :) just don't want people learning wrong information.