CBC-MAC

From Wikipedia, the free encyclopedia

CBC-MAC stands for Cipher Block Chaining Message Authentication Code. It uses a block cipher in CBC mode to create a message authentication code. Encrypting a given plaintext with a block cipher in CBC mode creates a chain of blocks in which each block depends on the proper encryption of the block before it. This interdependence can be used to ensure that none of the plaintext bits that were input into the encryption have been changed, which yields the message authentication code.

To calculate the CBC-MAC of a message $m$, one should encrypt $m$ in CBC mode with a zero initialization vector. The following figure sketches the computation of the CBC-MAC of a message comprising blocks $m_1 \| m_2 \| \cdots \| m_x$ using a secret key $k$ and a block cipher $E$:

[Figure: cbcmac.png]

Given a secure block cipher, CBC-MAC is secure for fixed-length messages. However, by itself, it is not secure for variable-length messages. This problem cannot be solved by adding a message-size block (e.g., with MD strengthening), and thus it is recommended to use a different mode of operation, for example CMAC, to protect the integrity of variable-length messages.

Let us show a possible attack. An attacker does not know the key $k$, but she can ask to calculate the CBC-MAC tag of any message; her goal is to produce a MAC for some new message. The simplest attack is to use two message-tag pairs $(m, t)$ and $(m', t')$, where the single-block messages $m$ and $m'$ can be random, and to produce $(m \| (t \oplus m'),\ t')$. This is a correct message-tag pair because the CBC-MAC of $m \| (t \oplus m')$ is $E(E(m) \oplus (t \oplus m'))$, whereas $E(m) = t$ and $E(m') = t'$, and thus $t' = E(m') = E(t \oplus t \oplus m') = E(E(m) \oplus t \oplus m')$.

One common mistake is to reuse the same key $k$ for CBC encryption and CBC-MAC. Although reusing a key for different purposes is bad practice in general, in this particular case the mistake leads to a spectacular attack. Suppose that one encrypts a message $m_0 \| m_1 \| \cdots \| m_{x-1}$ in CBC mode using an IV $c_{-1}$ and gets the following ciphertext: $c_0 \| c_1 \| \cdots \| c_{x-1}$, where $c_i = E_k(m_i \oplus c_{i-1})$. He also generates the CBC-MAC tag for the IV and the message: $t = M(m_{-1} \| \cdots \| m_{x-1})$. Now an attacker can change every bit before the last block $c_{x-1}$ and the MAC tag will still be valid. The reason is that $t = E_k(m_{x-1} \oplus c_{x-2}) = c_{x-1}$ (this is actually the reason why people make this mistake so often: it allows performance to be increased by a factor of two). Hence, as long as the last block is not changed, the equality $t = c_{x-1}$ holds and thus the CBC-MAC tag is correct.

This example also shows that a CBC-MAC cannot be used as a collision resistant one-way function: Given a key it is trivial to create a different message which “hashes” to the same tag.
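The two weaknesses described above (the variable-length forgery and the shared key for CBC encryption and CBC-MAC), as an added Python example that is not part of the original article. The block cipher is a toy Feistel construction standing in for $E$, all function names are hypothetical, and in the shared-key case the tag is assumed to be computed by running the same chain from the same IV, which is the reading under which $t = c_{x-1}$.

```python
import hashlib, hmac, os
BLOCK = 16  # block size in bytes

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Toy Feistel permutation: a stand-in for E_k, not a real cipher.
    left, right = block[:8], block[8:]
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return right + left  # final swap, so reversed round order inverts it

def E(key, block): return _feistel(key, block, range(4))
def D(key, block): return _feistel(key, block, reversed(range(4)))

def cbc_chain(key, msg, iv=bytes(BLOCK)):
    # c_i = E_k(m_i XOR c_{i-1}); returns every chaining value.
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = E(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return out

def cbc_mac(key, msg, iv=bytes(BLOCK)):
    return cbc_chain(key, msg, iv)[-1]  # tag = last chaining value

def cbc_decrypt(key, ct, iv):
    return b"".join(xor(D(key, c), p) for c, p in zip(ct, [iv] + ct[:-1]))

def forge_extension(m, t, m2, t2):
    # Key-free: from (m, t) and (m', t') build (m || (t XOR m'), t').
    return m + xor(t, m2), t2

def verify_fixed_length(key, msg, tag, n_blocks=1):
    # CBC-MAC is only secure at a fixed length, so enforce that length.
    return len(msg) == n_blocks * BLOCK and hmac.compare_digest(cbc_mac(key, msg), tag)

def tamper_survives(key, iv, msg):
    # Same key for CBC encryption and the tag, so t equals the last block.
    ct = cbc_chain(key, msg, iv)
    tag = cbc_mac(key, msg, iv)
    ct[0] = xor(ct[0], b"\x01" * BLOCK)  # change a block before the last
    altered = cbc_decrypt(key, ct, iv)
    return altered != msg and cbc_mac(key, altered, iv) == tag

if __name__ == "__main__":
    k, a, b = os.urandom(16), b"A" * BLOCK, b"B" * BLOCK  # constructed samples
    f, t = forge_extension(a, cbc_mac(k, a), b, cbc_mac(k, b))
    print(cbc_mac(k, f) == t, verify_fixed_length(k, f, t), tamper_survives(k, a, a * 3))
```

The forged two-block message verifies under plain CBC-MAC but is rejected once the verifier enforces the agreed fixed length; the tampered ciphertext keeps a valid tag because the tag is just the unchanged last ciphertext block.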
