Cryptography Reference
In-Depth Information
A plaintext $m$ is processed together with a key $K$ to be used with the block cipher, a nonce $N$ of $15 - L$ bytes, and additional authenticated data $a$ which is not meant to be encrypted. For instance, $a$ can be a sequence number in a communication session, or a packet header to be authenticated.
To compute the CBC-MAC tag $T$ with an empty $a$, we first compute a 128-bit block $B_0$, we then split $m$ into a block sequence $B_1, \ldots, B_n$ (if necessary, the last block $B_n$ is padded with zero bytes to make a full 128-bit block), we compute the raw CBC-MAC of $B_0 \| B_1 \| \cdots \| B_n$, and we take the $M$ leftmost bytes $T$ of the result. The initial block $B_0$ is formatted by

$$B_0 = \text{flag} \,\|\, N \,\|\, \ell(m)$$

where $N$ is the nonce (of $15 - L$ bytes), $\ell(m)$ is the length (in bytes) of $m$ (of $L$ bytes), and flag is a byte which is formatted by

$$\text{flag} = 0 \,\|\, \text{adata} \,\|\, M \,\|\, L$$

where $M$ and $L$ are the encodings of the respective parameters on two 3-bit strings, adata is a bit set to zero when the data $a$ is of length zero. The leading bit 0 is reserved.
When the data $a$ is of nonzero length, adata is set to one and a few blocks are inserted between $B_0$ and $B_1$. Those blocks consist of the encoding of the length of $a$ followed by $a$, then padded, if necessary, with zero bytes so that it can split into an integral number of blocks. The encoding rule for the length of $a$ depends on the size of $a$. For instance, when $a$ consists of at most 65,279 bytes, the length of $a$ is encoded on 2 bytes.
Following a counter mode, we construct a sequence of counter blocks $A_0, A_1, A_2, \ldots$ by formatting them by

$$A_i = \text{flag} \,\|\, N \,\|\, i$$

where $N$ is the nonce (of $15 - L$ bytes), $i$ is the counter (encoded with $L$ bytes), and flag is a byte whose three rightmost bits encode $L$ and all others are basically set to zero.
To encrypt $T$, we XOR it with the first $M$ bytes of $C_K(A_0)$ where $C$ is the block cipher. To encrypt the message $m$, we XOR it with the first $\ell(m)$ bytes of $C_K(A_1) \| C_K(A_2) \| \cdots$. Processing $m$ finally yields the concatenation of the two ciphertexts.
Decryption is quite straightforward from $M$, $K$, and $N$. Note that we can decrypt on the fly. We can also compute the CBC-MAC on the fly and do the final check with the decrypted $T$.
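The construction above, carried through end to end as an added example (not code from the original page). Assumptions: the function names are hypothetical; `toy_block` is a SHA-256-based stand-in for the block cipher $C_K$ (CCM only ever calls the cipher in the forward direction), not AES; the 3-bit field values $(M-2)/2$ and $L-1$ and the order "encrypted message, then encrypted tag" follow RFC 3610, which the page does not spell out.

```python
import hashlib, hmac

def toy_block(key):  # Assumption: stand-in 128-bit PRF, NOT AES
    return lambda block: hashlib.sha256(key + block).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def pad(data):
    return data + bytes(-len(data) % 16)  # zero bytes up to a full 128-bit block

def b0_block(N, mlen, alen, M, L):
    if len(N) != 15 - L or M not in range(4, 17, 2) or not 2 <= L <= 8:
        raise ValueError("bad CCM parameters")
    # flag = 0 || adata || M || L, 3-bit fields (M-2)/2 and L-1 as in RFC 3610
    flag = (0x40 if alen else 0) | ((M - 2) // 2 << 3) | (L - 1)
    return bytes([flag]) + N + mlen.to_bytes(L, "big")

def counter_block(N, i, L):
    return bytes([L - 1]) + N + i.to_bytes(L, "big")  # A_i = flag || N || i

def cbc_mac_tag(E, N, m, a, M, L):
    blocks = b0_block(N, len(m), len(a), M, L)
    if a:
        if len(a) > 65279:
            raise ValueError("only the 2-byte length encoding is implemented")
        blocks += pad(len(a).to_bytes(2, "big") + a)
    blocks += pad(m)
    y = bytes(16)
    for i in range(0, len(blocks), 16):  # raw CBC-MAC, zero IV
        y = E(xor(y, blocks[i:i + 16]))
    return y[:M]  # M leftmost bytes

def keystream(E, N, L, nbytes):
    n = (nbytes + 15) // 16
    return b"".join(E(counter_block(N, i, L)) for i in range(1, n + 1))[:nbytes]

def ccm_encrypt(E, N, m, a, M=8, L=2):
    T = cbc_mac_tag(E, N, m, a, M, L)
    # Assumption: encrypted message first, then encrypted tag (RFC 3610 order)
    return xor(m, keystream(E, N, L, len(m))) + xor(T, E(counter_block(N, 0, L)))

def ccm_decrypt(E, N, c, a, M=8, L=2):
    body, enc_tag = c[:-M], c[-M:]
    m = xor(body, keystream(E, N, L, len(body)))
    T = xor(enc_tag, E(counter_block(N, 0, L)))
    if not hmac.compare_digest(T, cbc_mac_tag(E, N, m, a, M, L)):
        raise ValueError("CCM tag mismatch")
    return m
```

Because $B_0$ and every $A_i$ are built from the same $N$, reusing a nonce under one key repeats the keystream, so callers must guarantee nonce uniqueness per key.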