Cryptography Reference
message forgery. CBC-MACs have the advantage of speed of operation since
only addition modulo 2 and DES encryption are applied to the blocks, and this
also makes implementation much simpler. In some implementations of the CBC-MAC,
an initialization vector different from $B_0$ is used, but this typically does
not strengthen the algorithm. The triple encryption in step 3 does strengthen it,
although in some descriptions of CBC-MAC, this is considered to be an optional
step. We deem it to be necessary.
On pages 136 and 137, we discussed the importance of the CTR mode over
the other modes discussed in Section 3.3. In 2002, D. Whiting, R. Housley, and
N. Ferguson developed a combination of CTR mode with CBC-MAC, called
CCM, which was proposed as RFC 3610 (see footnote 7.2) to NIST in June of that year (see
[226]). CCM is a generic authenticated encryption block cipher mode, designed
for use with 128-bit block ciphers, such as AES.
The CBC-MAC based on DES, discussed above, is FIPS-113 (NIST 1985),
and ANSI standard X9.17, sometimes called the Data Authentication Algorithm
(DAA). The algorithm is illustrated below in Diagram 7.5, where + denotes
addition modulo 2.
Diagram 7.5 CBC-MAC with DES
[Diagram not reproduced. Labels: message blocks $m_1, m_2, m_3, \ldots, m_n$; key $k$; encryption $E$; blocks $B_0, B_1, B_2, B_3, \ldots, B_n$; addition modulo 2 (+); output CBC-MAC.]
Cryptanalysis: There are two brute-force attacks against MACs, either
with the secret key as the target, or the MAC itself. By its very nature, a
MAC employs a many-to-one function, so if messages are not encrypted, then
a cryptanalyst has access to plaintext messages and their associated MACs.
Suppose that the keylength is larger than the MAC bitsize $n$. Then if Eve
knows $m$ and $h_a(m)$, then she can try $h_a(m_i)$ for all $i$ until she gets
$h_a(m) = h_a(m_i)$. Such a match will occur since Eve produces 2 MACs, but 2 n < 2 so
2 n values will produce a match.
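The many-to-one argument above can be checked by counting, in this added example (not from the original text): a toy CBC-MAC with a 16-bit key and an 8-bit tag, where one known message/MAC pair leaves hundreds of candidate keys and a second pair removes most of them. The Feistel cipher standing in for DES, the zero $B_0$, the omission of the final triple-encryption step, the sample key and messages, and all function names are assumptions made for illustration.

```python
import hashlib

BLOCK = 8        # bytes per block, as in DES
KEY_BITS = 16    # toy key length, deliberately larger than the tag
TAG_BYTES = 1    # MAC bitsize n = 8

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 (the '+' of Diagram 7.5)."""
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 64-bit blocks; toy stand-in for DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """B_i = E_k(m_i + B_{i-1}), B_0 = 0; the tag is the leftmost bytes of B_n."""
    if not message or len(message) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    b = bytes(BLOCK)
    for i in range(0, len(message), BLOCK):
        b = toy_encrypt(key, xor(message[i:i + BLOCK], b))
    return b[:TAG_BYTES]

def matching_keys(pairs):
    """Every key that reproduces the tag of each known (message, tag) pair."""
    hits = []
    for k in range(1 << KEY_BITS):
        key = k.to_bytes(KEY_BITS // 8, "big")
        if all(cbc_mac(key, m) == t for m, t in pairs):
            hits.append(key)
    return hits

# Constructed sample data: a 16-bit key and two 16-byte messages.
SECRET = bytes.fromhex("a37c")
M1, M2 = b"PAY 0100 TO BOB!", b"PAY 0250 TO ANN!"

if __name__ == "__main__":
    t1, t2 = cbc_mac(SECRET, M1), cbc_mac(SECRET, M2)
    one = matching_keys([(M1, t1)])
    two = matching_keys([(M1, t1), (M2, t2)])
    # 2^16 keys map onto 2^8 tags, so roughly 2^(16-8) = 256 keys fit one pair.
    print(len(one), "keys fit one pair;", len(two), "fit both")
```

With real parameters the same counting is why a short tag alone does not expose the key, and why both the key length and the tag length have to be sized against exhaustive search.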
Given the above, we now formulate properties that a MAC function should
possess to be secure. First, it should be computationally infeasible for Eve to
find an $m$ such that $h_a(m) = h_a(m)$, given that she has $m$ and $h_a(m)$. Second,
given $m$ and $m$, the probability that $h_a(m) = h_a(m)$ should be 2 n where $n$
is the number of bits in the MAC. This second property thwarts brute-force
7.2 Documents called RFC's, Requests For Comments, are the official working notes of the
Internet research and development community. See http://www.rfc-editor.org/rfcxx00.html.