CBC-MAC

From Wikipedia, the free encyclopedia

Jump to: navigation, search

In cryptography, a cipher block chaining message authentication code (CBC-MAC), is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

To calculate the CBC-MAC of message $m$ one encrypts $m$ in CBC mode with zero initialization vector. The following figure sketches the computation of the CBC-MAC of a message comprising blocks $m_1\|m_2\|\cdots\|m_x$ using a secret key $k$ and a block cipher $E$ :

[edit] Variable-length messages

Given a secure block cipher, CBC-MAC is secure for fixed-length messages. However, by itself, it is not secure for variable-length messages. An attacker who knows the correct message-tag (i.e. CBC-MAC) pairs $(m,$ $t)$ and $(m',$ $t')$ can generate a third message $m''$ whose CBC-MAC will also be $t'$ . This is simply done by XORing the first block of $m'$ with $t$ and then concatenating $m$ with this modified $m'$ ; i.e., by making $m'' = m \| [(m_1' \oplus t) \| m_2' \| \dots \| m_x']$ .

This problem cannot be solved by adding a message-size block (e.g., with Merkle-Damgård strengthening) and thus it is recommended to use a different mode of operation, for example, CMAC to protect integrity of variable-length messages.

[edit] Using the same key for encryption and authentication

One common mistake is to reuse the same key $k$ for CBC encryption and CBC-MAC. Although a reuse of a key for different purposes is a bad practice in general, in this particular case the mistake leads to a spectacular attack. Suppose that one encrypts a message $m_0 \| m_1 \| \cdots \| m_{x-1}$ in the CBC mode using an $IV_{c-1}$ and gets the following ciphertext: $c_0 \| c_1 \| \cdots \| c_{x-1}$ , where $c_i = E_k(m_i \oplus c_{i-1})$ . He also generates the CBC-MAC tag for the IV and the message: $t=M(m_{-1} \| \cdots \| m_{x-1}).$ Now an attacker can change every bit before the last block $c_{x-1}$ and the MAC tag will still be valid. The reason is that $t = E_k(m_{x-1} \oplus c_{x-2}) = c_{x-1}$ (this is actually the reason why people make this mistake so often—it allows to increase the performance by a factor of two). Hence as far as the last block is not changed the equivalence $t = c_{x-1}$ holds and thus the CBC-MAC tag is correct.

This example also shows that a CBC-MAC cannot be used as a collision resistant one-way function: given a key it is trivial to create a different message which “hashes” to the same tag.

[edit] Standards that define the algorithm

FIPS PUB 113 Computer Data Authentication is a (now obsolete) U.S. government standard that specified the CBC-MAC algorithm using DES as the block cipher.

The CBC-MAC algorithm is equivalent to ISO/IEC 9797-1 MAC Algorithm 1.

[edit] See also

CMAC — A block-cipher–based MAC algorithm which is secure for messages of different lengths (recommended by NIST).
OMAC and PMAC — Other methods to turn block ciphers into message authentication codes (MACs).
One-way compression function - Hash functions can be made from block ciphers. But note, there are significant differences in function and uses for security between MACs (such as CBC-MAC) and hashes.

[edit] References

The security of the cipher block chaining message authentication code.

CBC-MAC

Contents

[edit] Variable-length messages

[edit] Using the same key for encryption and authentication

[edit] Standards that define the algorithm

[edit] See also

[edit] References

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Interaction

Toolbox

Print/export

Languages