Cryptography Reference
In-Depth Information
CHECKING CBC-MAC
The computation of
MAC
K
(
M
) can be performed by anyone who knows the
MAC key
K
. The receiver obtains the message
M
1
,
M
2
,...,
M
n
and the MAC
value
MAC
K
(
M
), then simply:
1. Repeats the computation in Figure 6.7.
2. Checks that the output of this computation is the same value
MAC
K
(
M
) that
was received. If it is then the message is authenticated, otherwise it is rejected.
SECURITY OF CBC-MAC
The security of CBC-MAC relies on the security of the symmetric key
K
that is
shared by the sender and receiver. Since we assume that the CBC-MAC process
can be conducted by anyone, and that the message itself is not secret, the only
information that an attacker does not have is the key
K
.
We can check the effectiveness of the MAC by reviewing the four attacks on
data origin authentication that we mentioned in Section 6.3.1:
Unauthorised changing of part of a message
. Any alteration of the message
(including swapping message blocks around) will result in a different sequence
of message blocks. Since the MAC is computed using all of these message
blocks in a specific order, the MAC on the modified message will be different
from that of the original message. To compute the new MAC, the key
K
will
be needed. Only the sender and receiver know
K
, so unauthorised changing of
a message is detectable.
Unauthorised deletion of part of a message
. This is just the same argument as
above.
Unauthorised insertion of a false message
. The attacker can easily send a
false message, but without knowledge of the key
K
they cannot compute the
correct MAC on this message. Thus CBC-MAC allows us to detect this type of
attack.
Trying to persuade the receiver that the message came from someone other
than it did
. Suppose that an attacker Archie (who shares a MAC key
K
with
receiver Bob) claims that the message came from him rather than the genuine
sender Alice (who shares MAC key
K
with Bob). Since the message
M
has
been sent along with
MAC
K
(
M
), if Bob believes it came from Archie and
computes
MAC
K
(
M
) then he will reject the MAC, since it is very unlikely that
MAC
K
(
M
)
=
MAC
K
(
M
) just by chance.
Note that
in this last scenario,
the attacker Archie could intercept
the
message:
M
,
MAC
K
(
M
)
from Alice, and replace it with:
M
,
MAC
K
(
M
)
,