Re: Block cypher mode of operation for MAC
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Mon, 23 May 2005 08:02:42 +0000 (UTC)
>Do those problems you are spotting out occur to CBC-MAC only if the
>message's size isn't a multiple of the block size, or did I misunderstand?
No. Problems can occur even then.
If you use CBC-MAC on messages that are always a multiple of the
block length, but otherwise can vary arbitrarily -- you are insecure.
CBC-MAC is secure if all messages you feed to it have a fixed length
(the length must be constant for any one given key), or more generally
if the message space is prefix-free. See the classic papers on CBC-MAC,
e.g., those by Bellare and Rogaway and others.
Padding is not sufficient, unless you choose a padding scheme that somehow
renders the message space prefix-free. For instance, you could prepend a
64-bit field that contains the message length (in bits), followed by the
message itself, followed by padding out to a multiple of the block length.
That would ensure the message space is prefix-free, and would be secure
(if I remember correctly), though it would prevent you from computing
the CBC-MAC in a streaming, on-the-fly fashion.
But I really encourage you not to deal with this. Just use OMAC.
It does everything you want, and you don't have to think about these
issues or ask questions or read the papers on CBC-MAC.
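The length-prefixed CBC-MAC construction described in the post, as an added Python example that is not part of the original thread; it substitutes a keyed BLAKE2b PRF for the block cipher (an assumption, so it runs offline) and includes a check that the encoding really is prefix-free.

```python
import hashlib
import struct

BLOCK = 16  # block length in bytes (AES-sized)

def _block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for a block cipher such as AES: a keyed PRF built from
    # BLAKE2b (assumption, offline demo only). A PRF suffices for the
    # CBC-MAC argument; in practice use AES here, or just use OMAC/CMAC.
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()

def prefix_free_encode(msg: bytes) -> bytes:
    """Encoding from the post: 64-bit bit length, then the message, then
    zero padding to a multiple of the block length. Distinct messages can
    never encode to strings where one is a prefix of the other, because
    the first 8 bytes fix the total length."""
    if len(msg) * 8 >= 1 << 64:
        raise ValueError("message too long for 64-bit length field")
    body = struct.pack(">Q", len(msg) * 8) + msg
    return body + b"\x00" * ((-len(body)) % BLOCK)

def cbc_mac(key: bytes, data: bytes) -> bytes:
    """Raw CBC-MAC over block-aligned data. Secure only when the set of
    inputs under one key is fixed-length or prefix-free."""
    if len(data) % BLOCK != 0:
        raise ValueError("raw CBC-MAC input must be block-aligned")
    state = b"\x00" * BLOCK  # zero IV, as in CBC-MAC
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        state = _block_fn(key, bytes(a ^ b for a, b in zip(state, chunk)))
    return state

def length_prefixed_cbc_mac(key: bytes, msg: bytes) -> bytes:
    """CBC-MAC over the prefix-free encoding: safe for variable-length
    messages under one key. The length must be known up front, so this
    cannot be computed in a streaming fashion."""
    return cbc_mac(key, prefix_free_encode(msg))

def is_prefix(a: bytes, b: bytes) -> bool:
    return len(a) <= len(b) and b[:len(a)] == a

if __name__ == "__main__":
    key = b"\x11" * 16  # constructed demo key
    m1 = b"A" * 16
    m2 = m1 + b"B" * 16  # m1 is a raw prefix of m2
    e1, e2 = prefix_free_encode(m1), prefix_free_encode(m2)
    print("raw prefix:", is_prefix(m1, m2), "encoded prefix:", is_prefix(e1, e2))
    print(length_prefixed_cbc_mac(key, m1).hex())
```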