Cryptography Reference
In-Depth Information
M
1
M
2
M
3
M
n
⊕
⊕
⊕
1
2
3
K
E
K
E
E
E
K
K
C
n
=
MAC
K
(
M
)
C
1
C
2
MAC
K
(
M
)
M
1
M
2
M
3
...,
M
n
4
Figure 6.7.
CBC-MAC
M
1
,
M
2
,...,
M
n
. If the message does not fit neatly into blocks then we pad the
last block (see Section 4.3.2).
As illustrated in Figure 6.7, the sender computes the MAC as follows:
1. Take the first message block
M
1
and encrypt it (using the block cipher) with the
key
K
to obtain
C
1
.
2. XOR
C
1
to the second message block
M
2
and encrypt the result with the key
K
to obtain
C
2
.
3. Repeat this process until the second-last ciphertext block
C
n
−
1
has been
XORed to the last message block
M
n
, and the result encrypted with key
K
to obtain
C
n
.
4. Send the message
M
1
,
M
n
to the receiver, accompanied by the last
ciphertext block
C
n
. This last ciphertext block
C
n
is the MAC, which we denote
MAC
K
(
M
).
The reason that this process is familiar (and the name CBC-MAC should have
provided a significant clue) is because theMAC in CBC-MAC is the last ciphertext
block of a computation that is very similar to encryption of the message using the
CBC mode of operation that we discussed in Section 4.6.3.
The main difference between CBC encryption and CBC-MAC is the start of
the process. For CBC encryption we need to artificially generate an initial block,
hence both parties agree on an IV to use as this initial block. For CBC-MAC we
are in the advantageous position of knowing the 'plaintext' (the message). Thus
we can start the process using the first message block instead of creating an IV.
After that, both CBC encryption and CBC-MAC conduct the same process of
'XOR then encrypt'.
Note also that in the case of CBC-MAC we discard all the intermediate
'ciphertext' blocks
C
1
,
M
2
,...,
C
n
−
1
, since these are only temporary values that
are generated on the way to obtaining the final MAC value.
C
2
,...,
