Cryptography Reference
In-Depth Information
CHECKING CBC-MAC
The computation of MAC K ( M ) can be performed by anyone who knows the
MAC key K . The receiver obtains the message M 1 ,
M 2 ,...,
M n and the MAC
value MAC K ( M ), then simply:
1. Repeats the computation in Figure 6.7.
2. Checks that the output of this computation is the same value MAC K ( M ) that
was received. If it is then the message is authenticated, otherwise it is rejected.
SECURITY OF CBC-MAC
The security of CBC-MAC relies on the security of the symmetric key K that is
shared by the sender and receiver. Since we assume that the CBC-MAC process
can be conducted by anyone, and that the message itself is not secret, the only
information that an attacker does not have is the key K .
We can check the effectiveness of the MAC by reviewing the four attacks on
data origin authentication that we mentioned in Section 6.3.1:
Unauthorised changing of part of a message . Any alteration of the message
(including swapping message blocks around) will result in a different sequence
of message blocks. Since the MAC is computed using all of these message
blocks in a specific order, the MAC on the modified message will be different
from that of the original message. To compute the new MAC, the key K will
be needed. Only the sender and receiver know K , so unauthorised changing of
a message is detectable.
Unauthorised deletion of part of a message . This is just the same argument as
above.
Unauthorised insertion of a false message . The attacker can easily send a
false message, but without knowledge of the key K they cannot compute the
correct MAC on this message. Thus CBC-MAC allows us to detect this type of
attack.
Trying to persuade the receiver that the message came from someone other
than it did . Suppose that an attacker Archie (who shares a MAC key K with
receiver Bob) claims that the message came from him rather than the genuine
sender Alice (who shares MAC key K with Bob). Since the message M has
been sent along with MAC K ( M ), if Bob believes it came from Archie and
computes MAC K ( M ) then he will reject the MAC, since it is very unlikely that
MAC K ( M ) = MAC K ( M ) just by chance.
Note that
in this last scenario,
the attacker Archie could intercept
the
message:
M , MAC K ( M )
from Alice, and replace it with:
M , MAC K ( M ) ,
Search WWH ::




Custom Search