CBC-MAC weakness?

From: Will Dickson (wrd_at_glaurung.demon.co.uk)
Date: 06/24/03


Date: Tue, 24 Jun 2003 00:36:54 +0100

I'm looking at using CBC-MAC in an application; since it's using CBC
mode anyway, CBC-MAC is more-or-less free in the context. (Performance
is important; I don't want to use e.g. HMAC because the hashing
overhead involved would be a significant issue.)

Applied Crypto says this about CBC-MAC:

"The potential security problem with this method is that [the attacker
can] generate messages with the same hash value as a given message by
decrypting in the reverse direction."

I can understand why this is an undesirable property on general
principles - clearly you don't want the attacker to be able to do
anything - but I can't see a situation where this would actually be a
threat. Could somebody give me / point me to an example?

TIA

Will.
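
The property in the quoted sentence, as an added example that is not part of the original post: whoever holds the MAC key can pick every block of a second message except the first, then run the chain backwards from the tag to solve for that first block. The 4-round Feistel cipher is a toy stand-in for a real block cipher, and all names and sample values are constructed for illustration.

```python
import hashlib

BLOCK = 16  # block size in bytes
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (assumption: stand-in only).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def encrypt_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_mac(key, msg):
    # Plain CBC-MAC: zero IV, whole blocks only, tag is the last chaining value.
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = encrypt_block(key, _xor(state, msg[i:i + BLOCK]))
    return state

def second_message(key, tag, tail):
    # "Decrypting in the reverse direction": undo one chaining step per block
    # of the freely chosen tail, then solve for the first block (IV is zero).
    if len(tail) % BLOCK:
        raise ValueError("tail must be a whole number of blocks")
    state = tag
    for i in range(len(tail) - BLOCK, -1, -BLOCK):
        state = _xor(decrypt_block(key, state), tail[i:i + BLOCK])
    return decrypt_block(key, state) + tail

def demo():
    key = b"constructed-demo-key"                      # constructed sample key
    original = b"original message".ljust(32, b".")     # constructed sample input
    tag = cbc_mac(key, original)
    other = second_message(key, tag, b"chosen by the key holder".ljust(32, b"."))
    return original, other, tag, cbc_mac(key, other)

if __name__ == "__main__":
    original, other, tag, other_tag = demo()
    print(tag.hex(), other_tag.hex(), original != other)
```

Every step needs `decrypt_block`, so the construction is only available to someone who has the key. It therefore matters where the verifying party must not be able to produce messages that pass as the sender's, or where the key is not actually secret.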


