Re: Block cypher mode of operation for MAC

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 05/23/05

Date: Mon, 23 May 2005 08:02:42 +0000 (UTC)

giorgio.tani wrote:
>Do those problems you are spotting out occur to CBC-MAC only if
>message's size isn't a multiple of the block size, or have I misunderstood?

No. Problems can occur even then.

If you use CBC-MAC on messages that are always a multiple of the
block length, but otherwise can vary arbitrarily -- you are insecure.
CBC-MAC is secure if all messages you feed to it have a fixed length
(the length must be constant for any one given key), or more generally
if the message space is prefix-free. See the classic papers on CBC-MAC,
e.g., those by Bellare and Rogaway and others.

Padding is not sufficient, unless you choose a padding scheme that somehow
renders the message space prefix-free. For instance, you could prepend a
64-bit field that contains the message length (in bits), followed by the
message itself, followed by padding out to a multiple of the block length.
That would ensure the message space is prefix-free, and would be secure
(if I remember correctly), though it would prevent you from computing
the CBC-MAC in a streaming, on-the-fly fashion.

But I really encourage you not to deal with this. Just use OMAC.
It does everything you want, and you don't have to think about these
issues or ask questions or read the papers on CBC-MAC.
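The three points of the post in running code: the forgery against raw CBC-MAC on block-aligned messages of varying length, the 64-bit length-prefix encoding that makes the message space prefix-free, and OMAC, which needs none of this. This is an added example, not code from the original post or from David Wagner. Assumptions of my own: the block cipher is a stand-in (a 4-round Feistel network over HMAC-SHA256, the Luby-Rackoff construction, in place of AES, so the file runs on the Python standard library alone; the forgery is independent of the cipher), the two sample messages are constructed, the helper names (cbc_mac, splice, encode_with_length, omac, demo) are mine, and the OMAC implemented is OMAC1, the variant standardised as CMAC in NIST SP 800-38B.

```python
import hmac
import hashlib

BLOCK = 16  # 128-bit block, as with AES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (assumption of this example, not AES): a
    4-round Feistel network with HMAC-SHA256 as round function (Luby-Rackoff),
    used only so the example runs on the standard library alone."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor_bytes(left, f)
    return left + right


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC, zero IV, whole blocks only. Secure only when the message
    space is fixed-length or prefix-free."""
    assert msg and len(msg) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = prp_encrypt(key, xor_bytes(state, msg[i:i + BLOCK]))
    return state


def splice(m1: bytes, t1: bytes, m2: bytes) -> bytes:
    """Classic CBC-MAC extension forgery. After m1 the chaining value is its
    tag t1; XORing t1 into the first block of m2 cancels it, so the rest runs
    exactly as if m2 started from the zero IV and the tag of m2 is reused."""
    return m1 + xor_bytes(m2[:BLOCK], t1) + m2[BLOCK:]


def encode_with_length(msg: bytes) -> bytes:
    # 64-bit bit-length field, the message, then zero padding to a block boundary
    data = (len(msg) * 8).to_bytes(8, "big") + msg
    return data + bytes((-len(data)) % BLOCK)


def length_prefixed_cbc_mac(key: bytes, msg: bytes) -> bytes:
    """The fix from the post: the first block commits to the message length,
    so no valid encoding is a prefix of another (prefix-free message space)."""
    return cbc_mac(key, encode_with_length(msg))


def is_valid_encoding(data: bytes) -> bool:
    """What the verifier of the length-prefixed scheme accepts: decode the
    length field and check that some message re-encodes to exactly `data`.
    A spliced string carries a correct raw tag but fails this check, because
    the length field fixed by m1 never covers the appended blocks."""
    bitlen = int.from_bytes(data[:8], "big")
    if bitlen % 8:
        return False
    return encode_with_length(data[8:8 + bitlen // 8]) == data


def dbl(block: bytes) -> bytes:
    # multiply by x in GF(2^128), the CMAC subkey derivation
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def omac(key: bytes, msg: bytes) -> bytes:
    """OMAC1 = CMAC (NIST SP 800-38B): CBC-MAC whose last block is XORed with a
    secret subkey, K1 for a full final block or K2 after 10* padding. The
    subkey breaks the relation the splice relies on; any length, including
    empty, is handled without the caller encoding anything."""
    k1 = dbl(prp_encrypt(key, bytes(BLOCK)))
    k2 = dbl(k1)
    if msg and len(msg) % BLOCK == 0:
        body, last = msg[:-BLOCK], xor_bytes(msg[-BLOCK:], k1)
    else:
        padded = msg + b"\x80" + bytes((-len(msg) - 1) % BLOCK)
        body, last = padded[:-BLOCK], xor_bytes(padded[-BLOCK:], k2)
    state = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        state = prp_encrypt(key, xor_bytes(state, body[i:i + BLOCK]))
    return prp_encrypt(key, xor_bytes(state, last))


def demo(key: bytes = bytes(range(16))) -> tuple:
    """Run the splice against all three MACs; returns whether each is forged."""
    m1 = b"PAY 100 TO ALICE"              # constructed sample, one block
    m2 = b"PAY 999 TO MALLORY".ljust(32)  # constructed sample, two blocks
    # Raw CBC-MAC: from (m1, t1) and (m2, t2) the attacker mints a third
    # block-aligned message whose tag is t2, without knowing the key.
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    forged = splice(m1, t1, m2)
    raw_forged = forged not in (m1, m2) and cbc_mac(key, forged) == t2
    # Length-prefixed CBC-MAC: splicing the encodings keeps a valid raw tag,
    # but the result is not the encoding of any message, so it is rejected.
    e1, e2 = encode_with_length(m1), encode_with_length(m2)
    lp_forged = is_valid_encoding(splice(e1, cbc_mac(key, e1), e2))
    # OMAC: the same splice no longer reproduces the tag of m2.
    omac_forged = omac(key, splice(m1, omac(key, m1), m2)) == omac(key, m2)
    return raw_forged, lp_forged, omac_forged
```

demo() returns (True, False, False): the raw CBC-MAC is forged, the length-prefixed variant and OMAC are not. The splice function is deliberately general; any two block-aligned messages with known tags give a forgery, which is why padding to a block boundary on its own buys nothing.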
