Cryptography Reference
In-Depth Information
A plaintext $m$ is processed together with a key $K$ to be used with the block cipher, a nonce $N$ of $15 - L$ bytes, and additional authenticated data $a$ which is not meant to be encrypted. For instance, $a$ can be a sequence number in a communication session, or a packet header to be authenticated.

To compute the CBC-MAC tag $T$ with an empty $a$, we first compute a 128-bit block $B_0$, we then split $m$ into a block sequence $B_1, \ldots, B_n$ (if necessary, the last block $B_n$ is padded with zero bytes to make a full 128-bit block), we compute the raw CBC-MAC of $B_0 \| B_1 \| \cdots \| B_n$, and we take the $M$ leftmost bytes $T$ of the result. The initial block $B_0$ is formatted by
$$B_0 = \mathrm{flag} \,\|\, N \,\|\, \ell(m)$$
where $N$ is the nonce (of $15 - L$ bytes), $\ell(m)$ is the length (in bytes) of $m$ (encoded on $L$ bytes), and flag is a byte which is formatted by
$$\mathrm{flag} = 0 \,\|\, \mathrm{adata} \,\|\, M \,\|\, L$$
where $M$ and $L$ are the encodings of the respective parameters on two 3-bit strings (in RFC 3610 these are $(M-2)/2$ and $L-1$), and adata is a bit set to zero when the data $a$ is of length zero. The leading bit 0 is reserved.

When the data $a$ is of nonzero length, adata is set to one and a few blocks are inserted between $B_0$ and $B_1$. Those blocks consist of the encoding of the length of $a$ followed by $a$, then padded, if necessary, with zero bytes so that they split into an integral number of blocks. The encoding rule for the length of $a$ depends on the size of $a$. For instance, when $a$ consists of at most 65,279 bytes, the length of $a$ is encoded on 2 bytes.

Following a counter mode, we construct a sequence of counter blocks $A_0, A_1, A_2, \ldots$ by formatting them by
$$A_i = \mathrm{flag} \,\|\, N \,\|\, i$$
where $N$ is the nonce (of $15 - L$ bytes), $i$ is the counter (encoded on $L$ bytes), and flag is a byte whose three rightmost bits encode $L$ and all other bits are set to zero.

To encrypt $T$, we XOR it with the first $M$ bytes of $C_K(A_0)$, where $C$ is the block cipher. To encrypt the message $m$, we XOR it with the first $\ell(m)$ bytes of $C_K(A_1) \| C_K(A_2) \| \cdots$. Processing $m$ finally yields the concatenation of the two ciphertexts. Decryption is quite straightforward from $M$, $K$, and $N$. Note that we can decrypt on the fly. We can also compute the CBC-MAC on the fly and do the final check with the decrypted $T$; the recovered plaintext must not be released to the application until that check has passed. The nonce must never repeat under the same key: both the counter blocks $A_i$ and the tag mask $C_K(A_0)$ are derived from $N$ alone, so a repeated nonce reuses the keystream and leaks the XOR of the two plaintexts.
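The construction described above, written out end to end as an added example (this is not code from the original page): the formatting of $B_0$, the length-prefixed blocks for $a$, the counter blocks $A_i$, the CBC-MAC tag, the CTR encryption of $m$ and of $T$, and the decrypt-then-verify path. Assumptions beyond the text: the block cipher is AES-128 (implemented here in pure Python, encrypt direction only, since CCM never needs the inverse), and the concrete 3-bit flag encodings $(M-2)/2$ and $L-1$ together with the length-of-$a$ prefix rules for $a$ longer than 65,279 bytes are taken from RFC 3610. The function and variable names are this example's own.

```python
# Added example (not from the page): AES-128 CCM per RFC 3610 with a minimal pure-Python AES
# (encrypt direction only). Flag encodings (M-2)/2, L-1 and length-of-a prefixes are RFC 3610's.
import hmac

def _gmul(a, b):  # multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():  # GF(2^8) inverse followed by the AES affine map (0 maps to 0x63)
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]
        sbox.append(rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63)
    return sbox
SBOX = _build_sbox()

def _expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(rk, block):  # state is a flat list, index = row + 4*col
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                       # MixColumns
            s = sum(([_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                      a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                      a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                      _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
                     for a in (s[4 * c:4 * c + 4] for c in range(4))), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

def _xor(x, y):  # XOR truncated to the shorter input
    return bytes(p ^ q for p, q in zip(x, y))

def ccm_b0(nonce, a, M, L, msg_len):  # B_0 = flag || N || l(m), flag = 0 || adata || M' || L'
    flag = (0x40 if a else 0) | (((M - 2) // 2) << 3) | (L - 1)
    return bytes([flag]) + nonce + msg_len.to_bytes(L, "big")

def ccm_aad_blocks(a):  # length-of-a encoding, then a, zero-padded to whole blocks
    if not a:
        return b""
    if len(a) < 0x10000 - 0x100:  # at most 65,279 bytes: length on 2 bytes
        enc = len(a).to_bytes(2, "big")
    elif len(a) < 1 << 32:        # RFC 3610 escape prefixes for longer a
        enc = b"\xff\xfe" + len(a).to_bytes(4, "big")
    else:
        enc = b"\xff\xff" + len(a).to_bytes(8, "big")
    return enc + a + b"\x00" * (-(len(enc) + len(a)) % 16)

def ccm_counter_block(nonce, L, i):  # A_i = flag || N || i with flag's low 3 bits = L-1
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")

def _cbc_mac(rk, data):  # raw CBC-MAC with zero IV over whole blocks
    x = bytes(16)
    for off in range(0, len(data), 16):
        x = aes128_encrypt_block(rk, _xor(x, data[off:off + 16]))
    return x

def _tag(rk, nonce, a, m, M, L):  # M leftmost bytes of CBC-MAC(B_0 || AAD blocks || B_1..B_n)
    padded_m = m + b"\x00" * (-len(m) % 16)
    return _cbc_mac(rk, ccm_b0(nonce, a, M, L, len(m)) + ccm_aad_blocks(a) + padded_m)[:M]

def _keystream(rk, nonce, L, nbytes):  # C_K(A_1) || C_K(A_2) || ... covering nbytes
    return b"".join(aes128_encrypt_block(rk, ccm_counter_block(nonce, L, i))
                    for i in range(1, -(-nbytes // 16) + 1))

def _check_params(nonce, msg_len, M, L):  # RFC 3610 ranges; l(m) must fit in L bytes
    ok = M in (4, 6, 8, 10, 12, 14, 16) and 2 <= L <= 8 and len(nonce) == 15 - L
    if not ok or not 0 <= msg_len < 256 ** L:
        raise ValueError("bad CCM parameters")

def ccm_encrypt(key, nonce, a, m, M=8, L=2):  # returns c || U; never reuse (key, nonce)
    _check_params(nonce, len(m), M, L)
    rk = _expand_key(key)
    s0 = aes128_encrypt_block(rk, ccm_counter_block(nonce, L, 0))
    return _xor(m, _keystream(rk, nonce, L, len(m))) + _xor(_tag(rk, nonce, a, m, M, L), s0)

def ccm_decrypt(key, nonce, a, c, M=8, L=2):  # returns m, or None when the tag fails
    _check_params(nonce, len(c) - M, M, L)
    rk = _expand_key(key)
    m = _xor(c[:-M], _keystream(rk, nonce, L, len(c) - M))
    T = _xor(c[-M:], aes128_encrypt_block(rk, ccm_counter_block(nonce, L, 0)))
    if not hmac.compare_digest(T, _tag(rk, nonce, a, m, M, L)):
        return None  # reject without releasing the decrypted bytes
    return m
```

`ccm_decrypt` recovers $m$ on the fly as the text describes, but only hands it back once the tag comparison (constant-time, via `hmac.compare_digest`) succeeds; any change to the ciphertext, the tag, or the authenticated data $a$ yields `None`. The parameter check enforces that the nonce is $15 - L$ bytes and that $\ell(m)$ fits in $L$ bytes, which is what makes $B_0$ and the $A_i$ well formed. The pure-Python AES is there so the example runs without dependencies; for anything beyond study, use a vetted library implementation of AES-CCM.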