Cryptography Reference
In-Depth Information
MAC forgery resistance also prevents this attack since conducting it involves
finding a message/MAC pair without knowledge of
K
.
2. Legitimate MAC key holders (the sender and receiver) are in a position similar
to that of everyone in the case of hash functions. Namely, they have the ability
to produce a valid MAC on any message of their choosing. Since legitimate
MAC key holders all have this same capability, we have to assume that they
'trust' each other, which is the case for any symmetric cryptographic primitive.
We thus do not care whether they can find collisions or second preimages for
MAC values. This is because we will never be able to use the cryptography
alone to resolve any disputes between legitimate senders and receivers. We
return to this point in Section 6.3.5.
Note that it would have been simpler to have an equivalently general security
property as MAC forgery resistance for hash functions. Unfortunately this is
impossible because the equivalent property would have to involve preventing
attackers from computing the hash of a message. Since hash functions have no
key, we can never stop attackers doing this.
Another subtle difference between hash functions and MACs is that the strong
data integrity assurance provided by a MAC is only provided to the legitimate
receiver of theMAC, who is the only other entitywith the capability of verifying the
correctness of the MAC. In contrast, the weak data integrity assurance provided
by a hash function is provided to everyone.
Hopefully this rather involved discussion has illustrated how useful it is
to introduce a key into a function that otherwise resembles a hash function.
We now show precisely how this key can be used to provide data origin
authentication.
6.3.3
CBC-MAC
The most well known examples of MAC algorithms are based on either using a
block cipher or a hash function as a 'building block'. We will look at one example
of each technique, beginning with block ciphers.
The first MAC design that we describe will hopefully look familiar. This MAC
is commonly referred to as CBC-MAC and is based on a block cipher. An early
banking standard defined CBC-MAC using DES, so the MAC operated on blocks
of 64 bits. We present the CBC-MAC construction in a more general form. Any
block cipher, such as AES, could be used.
COMPUTING CBC-MAC
We assume that the sender and receiver have both agreed in advance upon a
symmetric key
K
. We also assume that the message
M
has been split into blocks
of the same length as the block length of the block cipher (64 bits for DES or
128 bits for AES) in order to process it. In Figure 6.7 these blocks are labelled
