Message authentication code algorithm
In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher. To calculate the CBC-MAC of message $m$, one encrypts $m$ in CBC mode with a zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks $m_1 \| m_2 \| \cdots \| m_x$ using a secret key $k$ and a block cipher $E$:
[Figure: CBC-MAC structure]

Security with fixed and variable-length messages

If the block cipher used is secure (meaning that it is a pseudorandom permutation), then CBC-MAC is secure for fixed-length messages.[1] However, by itself, it is not secure for variable-length messages. Therefore, any single key must only be used for messages of a fixed and known length. This is because an attacker who knows the correct message-tag (i.e. CBC-MAC) pairs for two messages $(m, t)$ and $(m', t')$ can generate a third message $m''$ whose CBC-MAC will also be $t'$. This is simply done by XORing the first block of $m'$ with $t$ and then concatenating $m$ with this modified $m'$; i.e., by making $m'' = m \| [(m'_1 \oplus t) \| m'_2 \| \dots \| m'_x]$. When computing the MAC for the message $m''$, it follows that we compute the MAC for $m$ in the usual manner as $t$, but when this value is chained forwards to the stage computing $E_{K_{\text{MAC}}}(m'_1 \oplus t)$ we will perform an exclusive OR operation with the value derived for the MAC of the first message.
The presence of that tag in the new message means it will cancel, leaving no contribution to the MAC from the blocks of plain text in the first message $m$: $E_{K_{\text{MAC}}}(m'_1 \oplus t \oplus t) = E_{K_{\text{MAC}}}(m'_1)$, and thus the tag for $m''$ is $t'$. This problem cannot be solved by adding a message-size block to the end.[2] There are three main ways of modifying CBC-MAC so that it is secure for variable-length messages: 1) input-length key separation; 2) length-prepending; 3) encrypt last block.[2] In such a case, it may also be recommended to use a different mode of operation, for example CMAC or HMAC, to protect the integrity of variable-length messages.

Length prepending

One solution is to include the length of the message in the first block;[3] in fact CBC-MAC has been proven secure as long as no two messages that are prefixes of each other are ever used, and prepending the length is a special case of this.[4] This can be problematic if the message length may not be known when processing begins.
Encrypt-last-block CBC-MAC (ECBC-MAC)[5] is defined as CBC-MAC-ELB(m, (k1, k2)) = E(k2, CBC-MAC(k1, m)).[2] Compared to the other discussed methods of extending CBC-MAC to variable-length messages, encrypt-last-block has the advantage of not needing to know the length of the message until the end of the computation.
[Figure: computation of encrypt-last-block CBC-MAC]

Attack methods

As with many cryptographic schemes, naïve use of ciphers and other protocols may lead to attacks being possible, reducing the effectiveness of the cryptographic protection (or even rendering it useless). We present attacks which are possible due to using the CBC-MAC incorrectly.[6]

Using the same key for encryption and authentication

One common mistake is to reuse the same key $K$ for CBC encryption and CBC-MAC. Although reuse of a key for different purposes is bad practice in general, in this particular case the mistake leads to a spectacular attack. Suppose Alice has sent to Bob the cipher text blocks $C = C_1 \| C_2 \| \dots \| C_n$. During the transmission process, Eve can tamper with any of the $C_1, \dots, C_{n-1}$ cipher-text blocks and adjust any of the bits therein as she chooses, provided that the final block, $C_n$, remains the same. We assume, for the purposes of this example and without loss of generality, that the initialization vector used for the encryption process is a vector of zeroes. When Bob receives the message, he will first decrypt the message by reversing the encryption process which Alice applied, using the cipher text blocks $C = C_1 \| C_2 \| \cdots \| C_n$. The tampered message, delivered to Bob in replacement of Alice's original, is $C' = C'_1 \| \dots \| C'_{n-1} \| C_n$. Bob first decrypts the message received using the shared secret key $K$ to obtain the corresponding plain text. Note that all plain text produced will be different from that which Alice originally sent, because Eve has modified all but the last cipher text block.
In particular, the final plain text, $P'_n$, differs from the original, $P_n$, which Alice sent; although $C_n$ is the same, $C'_{n-1} \neq C_{n-1}$, so a different plain text $P'_n$ is produced when chaining the previous cipher text block into the exclusive-OR after decryption of $C_n$: $P'_n = C'_{n-1} \oplus E_K^{-1}(C_n)$. It follows that Bob will now compute the authentication tag using CBC-MAC over all the values of plain text which he decoded. The tag for the new message, $t'$, is given by:

$$t' = E_K\bigl(P'_n \oplus E_K(P'_{n-1} \oplus E_K(\dots \oplus E_K(P'_1)))\bigr)$$

Notice that this expression is equal to

$$t' = E_K(P'_n \oplus C'_{n-1})$$

which is precisely $C_n$:

$$t' = E_K\bigl(C'_{n-1} \oplus E_K^{-1}(C_n) \oplus C'_{n-1}\bigr) = E_K\bigl(E_K^{-1}(C_n)\bigr) = C_n$$

and it follows that $t' = C_n = t$.

Consequently, Eve was able to modify the cipher text in transit (without necessarily knowing what plain text it corresponds to) such that an entirely different message, $P'$, was produced, but the tag for this message matched the tag of the original, and Bob was unaware that the contents had been modified in transit. By definition, a message authentication code is broken if we can find a different message (a sequence of plain-text blocks $P'$) which produces the same tag as the previous message, $P$, with $P \neq P'$. It follows that the message authentication protocol, in this usage scenario, has been broken, and Bob has been deceived into believing Alice sent him a message which she did not produce. If, instead, we use different keys for the encryption and authentication stages, say $K_1$ and $K_2$ respectively, this attack is foiled. The decryption of the modified cipher-text blocks $C'_i$ yields some plain text string $P'_i$. However, because the MAC uses a different key $K_2$, we cannot "undo" the decryption process in the forward step of the computation of the message authentication code so as to produce the same tag; each modified $P'_i$ will now be encrypted under $K_2$ in the CBC-MAC process to some value $\mathrm{MAC}_i \neq C'_i$. This example also shows that a CBC-MAC cannot be used as a collision-resistant one-way function: given the key, it is trivial to create a different message which "hashes" to the same tag.

Allowing the initialization vector to vary in value

When encrypting data using a block cipher in cipher block chaining (or another) mode, it is common to introduce an initialization vector to the first stage of the encryption process. It is typically required that this vector be chosen randomly (a nonce) and that it is not repeated for any given secret key under which the block cipher operates. This provides semantic security, by ensuring that the same plain text is not encrypted to the same cipher text, which would allow an attacker to infer that a relationship exists. When computing a message authentication code, such as by CBC-MAC, the use of an initialization vector is a possible attack vector. In the operation of a cipher block chaining cipher, the first block of plain text is mixed with the initialization vector using an exclusive OR ($P_1 \oplus IV$). The result of this operation is the input to the block cipher for encryption. However, when performing encryption and decryption, we are required to send the initialization vector in plain text – typically as the block immediately preceding the first block of cipher text – so that the first block of plain text can be decrypted and recovered successfully. If computing a MAC, we will also need to transmit the initialization vector to the other party in plain text so that they can verify that the tag on the message matches the value they have computed. If we allow the initialization vector to be selected randomly, it follows that the first block of plain text can potentially be modified (transmitting a different message) while producing the same message tag. Consider a message $M_1 = P_1 | P_2 | \dots$.
In particular, when computing the message tag for CBC-MAC, suppose we choose an initialization vector $IV_1$ such that computation of the MAC begins with $E_K(IV_1 \oplus P_1)$. This produces a (message, tag) pair $(M_1, T_1)$. Now produce the message $M_2 = P'_1 | P_2 | \dots$. For each bit modified in $P'_1$, flip the corresponding bit in the initialization vector to produce the initialization vector $IV'_1$. It follows that to compute the MAC for this message, we begin the computation with $E_K(P'_1 \oplus IV'_1)$. As bits in both the plain text and the initialization vector have been flipped in the same places, the modification is cancelled in this first stage, meaning the input to the block cipher is identical to that for $M_1$. If no further changes are made to the plain text, the same tag will be derived despite a different message being transmitted. If the freedom to select an initialization vector is removed and all implementations of CBC-MAC fix themselves on a particular initialization vector (often the vector of zeroes, but in theory it could be anything provided all implementations agree), this attack cannot proceed. To sum up, if the attacker is able to set the IV that will be used for MAC verification, he can perform arbitrary modification of the first data block without invalidating the MAC.

Using a predictable initialization vector

Sometimes the IV is used as a counter to prevent message replay attacks. However, if the attacker can predict what IV will be used for MAC verification, he or she can replay a previously observed message by modifying the first data block to compensate for the change in the IV that will be used for the verification. For example, if the attacker has observed message $M_1 = P_1 | P_2 | \dots$ with $IV_1$ and knows $IV_2$, he can produce $M'_1 = (P_1 \oplus IV_1 \oplus IV_2) | P_2 | \dots$, which will pass MAC verification with $IV_2$. The simplest countermeasure is to encrypt the IV before using it (i.e., prepending the IV to the data). Alternatively, a MAC in CFB mode can be used, because in CFB mode the IV is encrypted before it is XORed with the data. Another solution (in case security against message replay attacks is not required) is to always use a zero vector IV.[7] Note that the above formula for $M'_1$ then becomes $M'_1 = (P_1 \oplus 0 \oplus 0) | P_2 | \dots = P_1 | P_2 | \dots = M_1$. So since $M_1$ and $M'_1$ are the same message, by definition they will have the same tag. This is not a forgery, but rather the intended use of CBC-MAC.
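The constructions and attacks above, worked through in code. This is an added example, not code from the original article or from any standard it cites: the 16-byte Feistel cipher built on SHA-256 is an assumed stand-in for a real block cipher such as AES or DES, every function name (cbc_mac, lp_mac, ecbc_mac, forge_concat, tamper_keep_last, rebase_first_block, iv_for_new_first_block) is mine, and the keys and messages are constructed samples. It covers the variable-length concatenation forgery with the length-prepending and encrypt-last-block fixes, the same-key-for-encryption-and-MAC attack from the previous section, and the first-block substitution that a chosen or predictable IV permits:

```python
import hashlib

BLOCK = 16
ZERO_IV = bytes(BLOCK)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher (assumption: stands in for AES or DES so the file runs on the
# standard library alone). An 8-round Feistel network keyed through SHA-256 is
# a keyed permutation with an inverse, which is all the CBC-MAC arguments use.
def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _round(key, left, rnd)), left
    return left + right

def blocks(msg):
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

# Plain CBC-MAC: CBC-encrypt under `iv` (zero by default) and keep the last block.
def cbc_mac(key, msg, iv=ZERO_IV):
    state = iv
    for blk in blocks(msg):
        state = encrypt_block(key, xor(state, blk))
    return state

# Length-prepending: the first block carries the message length.
def lp_mac(key, msg):
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)

# Encrypt-last-block: CBC-MAC-ELB(m, (k1, k2)) = E(k2, CBC-MAC(k1, m)).
def ecbc_mac(k1, k2, msg):
    return encrypt_block(k2, cbc_mac(k1, msg))

# Variable-length forgery: from (m, t) and m2 build
# m'' = m || [(m2_1 xor t) || m2_2 || ...]; under plain CBC-MAC the chained t
# and the xor'd t cancel, so CBC-MAC(m'') == CBC-MAC(m2).
def forge_concat(m, t, m2):
    b = blocks(m2)
    return m + xor(b[0], t) + b"".join(b[1:])

# CBC encryption and decryption, used to show what goes wrong when one key
# serves both for encryption and for CBC-MAC.
def cbc_encrypt(key, pt, iv=ZERO_IV):
    out, prev = [], iv
    for blk in blocks(pt):
        prev = encrypt_block(key, xor(prev, blk))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ct, iv=ZERO_IV):
    out, prev = [], iv
    for blk in blocks(ct):
        out.append(xor(prev, decrypt_block(key, blk)))
        prev = blk
    return b"".join(out)

# Overwrite every ciphertext block except C_n with a constructed pattern; the
# receiver's CBC-MAC over the decrypted P' still collapses to C_n = t.
def tamper_keep_last(ct):
    b = blocks(ct)
    return bytes([0xA5]) * (BLOCK * (len(b) - 1)) + b[-1]

# Variable or predictable IV: P1' = P1 xor IV_old xor IV_new leaves the block
# cipher input E_K(IV xor P1), and therefore the tag, unchanged.
def rebase_first_block(m, iv_old, iv_new):
    b = blocks(m)
    return xor(b[0], xor(iv_old, iv_new)) + b"".join(b[1:])

# Attacker who chooses the IV: the IV under which p1_new inherits m's tag.
def iv_for_new_first_block(m, iv, p1_new):
    return xor(iv, xor(blocks(m)[0], p1_new))

if __name__ == "__main__":
    k, k2 = b"k" * BLOCK, b"K" * BLOCK          # constructed sample keys
    m, m2 = b"A" * 2 * BLOCK, b"B" * 3 * BLOCK  # constructed sample messages
    forged = forge_concat(m, cbc_mac(k, m), m2)
    print("plain CBC-MAC accepts forgery:", cbc_mac(k, forged) == cbc_mac(k, m2))
    forged_e = forge_concat(m, ecbc_mac(k, k2, m), m2)
    print("ECBC-MAC accepts forgery:", ecbc_mac(k, k2, forged_e) == ecbc_mac(k, k2, m2))
    ct = cbc_encrypt(k, m)
    garbled = cbc_decrypt(k, tamper_keep_last(ct))
    print("key reuse: tag of garbled P' equals t:", cbc_mac(k, garbled) == cbc_mac(k, m))
```

cbc_mac takes an explicit iv only so that the two IV sections can be exercised; a deployment that fixes the IV at zero, as the text recommends, has no such parameter and no such attack surface. Run the file directly for the three checks in the main block, or import it and call the functions on your own inputs.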

Standards that define the algorithm

FIPS PUB 113 Computer Data Authentication is a (now obsolete) U.S. government standard that specified the CBC-MAC algorithm using DES as the block cipher.

The CBC-MAC algorithm is equivalent to ISO/IEC 9797-1 MAC Algorithm 1.

See also

  • CMAC – A block-cipher–based MAC algorithm which is secure for messages of different lengths (recommended by NIST).
  • OMAC and PMAC – Other methods to turn block ciphers into message authentication codes (MACs).
  • One-way compression function – Hash functions can be made from block ciphers. But note, there are significant differences in function and uses for security between MACs (such as CBC-MAC) and hashes.
