From: Will Dickson (wrd_at_glaurung.demon.co.uk)
Date: Tue, 24 Jun 2003 00:36:54 +0100
I'm looking at using CBC-MAC in an application; since it's using CBC
mode anyway, CBC-MAC is more-or-less free in the context. (Performance
is important; I don't want to use e.g. HMAC because the hashing
overhead involved would be a significant issue.)
Applied Crypto says this about CBC-MAC:
"The potential security problem with this method is that [the attacker
can] generate messages with the same hash value as a given message by
decrypting in the reverse direction."
I can understand why this is an undesirable property on general
principles - clearly you don't want the attacker to be able to do
anything - but I can't see a situation where this would actually be a
threat. Could somebody give me / point me to an example?
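The property quoted from Applied Cryptography, worked through in code as an added example (this is not part of the original post and not the poster's code). The block cipher here is a stand-in eight-round Feistel permutation built on SHA-256 so the example runs offline with only the standard library; nothing in the forgery depends on the cipher beyond the fact that CBC-MAC's last step is a block encryption that anyone holding the key can invert. `forge_with_key` is the "decrypt in the reverse direction" construction: pick any prefix, run it through the chain, decrypt the target tag, and solve for the final block. That is the situation where the quoted property bites: whoever can verify a CBC-MAC (the receiver, or any party sharing the key) can also fabricate a message carrying a tag that was issued for a different message, so a CBC-MAC cannot serve as evidence of who authored a message. The example goes one step beyond the quote with `forge_without_key`, the well-known splice of two tagged messages into a third valid one, which needs no key at all when message lengths are not fixed. Function names and the sample messages are my own constructions.

```python
import hashlib

BLOCK = 16      # block size in bytes of the stand-in cipher
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (toy Feistel network), NOT a real cipher."""
    assert len(block) == BLOCK
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: same rounds in reverse order."""
    assert len(block) == BLOCK
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Plain CBC-MAC with a zero IV; the tag is the last ciphertext block."""
    assert len(msg) % BLOCK == 0, "message must be a whole number of blocks"
    chain = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        chain = encrypt_block(key, _xor(chain, msg[i : i + BLOCK]))
    return chain


def forge_with_key(key: bytes, target_tag: bytes, chosen_prefix: bytes) -> bytes:
    """Reverse-direction forgery by a key holder (e.g. the receiver).

    Returns chosen_prefix || X such that cbc_mac(key, result) == target_tag.
    The last block X is solved by decrypting the tag and undoing the chain.
    """
    chain = cbc_mac(key, chosen_prefix) if chosen_prefix else bytes(BLOCK)
    last_block = _xor(decrypt_block(key, target_tag), chain)
    return chosen_prefix + last_block


def forge_without_key(m1: bytes, t1: bytes, m2: bytes, t2: bytes):
    """Splice forgery needing no key: from valid (m1, t1) and (m2, t2)
    build a third message whose CBC-MAC is t2. After processing m1 the
    chaining value is t1, so feeding (m2[0] XOR t1) next cancels it and
    the rest of m2 is processed exactly as it was when t2 was computed."""
    assert len(m2) >= BLOCK
    spliced = m1 + _xor(m2[:BLOCK], t1) + m2[BLOCK:]
    return spliced, t2


# Constructed sample data (16-byte messages so no padding is needed).
KEY = b"k" * BLOCK
GENUINE = b"pay 100 to alice"
OTHER = b"transfer 42 coin"


def demo():
    tag = cbc_mac(KEY, GENUINE)

    # 1. Receiver-side forgery: a 2-block message of the receiver's choosing,
    #    plus one computed block, now carries the tag issued for GENUINE.
    prefix = b"pay 999 to mallory" + b" " * 14
    forged = forge_with_key(KEY, tag, prefix)

    # 2. Keyless splice of two observed (message, tag) pairs.
    other_tag = cbc_mac(KEY, OTHER)
    spliced, spliced_tag = forge_without_key(GENUINE, tag, OTHER, other_tag)

    return {
        "tag": tag,
        "forged": forged,
        "forged_ok": cbc_mac(KEY, forged) == tag,
        "spliced": spliced,
        "spliced_ok": cbc_mac(KEY, spliced) == spliced_tag,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The first forgery needs the key, so the threat is limited to settings where the verifier is not fully trusted or the key is shared more widely than the legitimate sender; the second needs only two observed message/tag pairs, which is why plain CBC-MAC is only safe for fixed-length messages (or with a length-prefix or final-block tweak such as CMAC).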