Cryptography Reference
In-Depth Information
and then claim that the message comes from himself (Archie). However, this is
not an attack on data origin authentication since indeed this new message does
come from Archie!
Thus CBC-MAC provides data origin authentication. Note in particular that
the two examples that we gave in Section 6.3.1 of encryption failing to provide
data origin authentication are now both detectable using CBC-MAC or, more
generally, any reputable MAC algorithm:
• If an attacker swaps message blocks around then we can detect this using
a MAC.
• If the message consists of randomly generated data then modification of it is
detectable using a MAC.
Without knowledge of the key $K$, the attacker's best strategy is simply to attempt to
guess the MAC. If the MAC is just one bit long then the attacker has a half chance
of guessing the MAC correctly. However, in general, if the MAC is $n$ bits long
then there are $2^n$ possible MAC values to choose from, hence the attacker only
has a $1/2^n$ chance of guessing. In the case of CBC-MAC as depicted in Figure 6.7
based on AES, $n = 128$, and hence the attacker will have to be very lucky indeed
to guess the MAC correctly.
CBC-MAC IN PRACTICE
Our description of CBC-MAC presents the general idea. Practical reality is, as
always, a little bit more complicated. The following notes are very important:
• Our description of CBC-MAC is oversimplified. In practice the final block $C_n$
does not form $\mathrm{MAC}_K(M)$, as depicted in Figure 6.7. Instead, $C_n$ is subjected to
some further processing before being turned into $\mathrm{MAC}_K(M)$, in order to prevent
some special forgery attacks. It is best to consult relevant standards before
implementing a MAC of this type.
• It is possible to use just a portion of the output of CBC-MAC as the MAC, rather
than the whole output. It does not matter exactly how much of this last block
is sent as the MAC, so long as the sender and receiver agree on how much to
use and that it is not so small that guessing the MAC becomes realistic. This is
another efficiency-security tradeoff. In the original version of CBC-MAC (based
on DES) just half of the 64 output bits were used as the MAC, the remainder
being called the MAC residue. Note that MAC residues can be useful, as we will
see in Section 10.4.2.
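The two notes above, as an added example that is not taken from the book: the simplified CBC-MAC (final block used directly) beside a version that processes the final block further and truncates the result. Assumptions: E is an HMAC-SHA-256 stand-in for AES encryption so the code runs on the standard library alone; the "further processing" chosen here is one extra encryption of the final block under a second key, which is one known option and not necessarily the one the text has in mind; the 8-byte minimum tag length, all function names, keys and the message are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; the 128-bit block size of AES

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for block-cipher encryption E_K (assumption; a real MAC uses AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def raw_cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Simplified CBC-MAC: the final block C_n, with no further processing."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty whole number of blocks")
    c = bytes(BLOCK)  # all-zero IV
    for i in range(0, len(msg), BLOCK):
        c = E(key, xor(c, msg[i:i + BLOCK]))
    return c

def cbc_mac(k1: bytes, k2: bytes, msg: bytes, tag_len: int = BLOCK) -> bytes:
    """Encrypt C_n once more under a second key, then keep the first tag_len bytes."""
    if not 8 <= tag_len <= BLOCK:  # 8-byte floor is this example's own choice
        raise ValueError("tag_len must be between 8 and 16 bytes")
    return E(k2, raw_cbc_mac(k1, msg))[:tag_len]

def verify(k1: bytes, k2: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute at the agreed tag length and compare in constant time."""
    if not 8 <= len(tag) <= BLOCK:
        return False
    return hmac.compare_digest(cbc_mac(k1, k2, msg, len(tag)), tag)

def spliced(block: bytes, tag: bytes) -> bytes:
    """For a one-block message: append (block XOR tag) to get a two-block message."""
    return block + xor(block, tag)

# Constructed sample keys and one-block message
K1, K2 = b"constructed-key-1", b"constructed-key-2"
M = b"PAY 0000100 BOB "
RAW = raw_cbc_mac(K1, M)
TAG = cbc_mac(K1, K2, M)
print(raw_cbc_mac(K1, spliced(M, RAW)) == RAW)  # raw C_n also fits the longer message
print(verify(K1, K2, spliced(M, TAG), TAG))     # processed tag does not
```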
6.3.4 HMAC
We will now briefly look at another well-known and widely deployed MAC, this
time based on a hash function. Our discussion in Section 6.3.2 should hopefully
have made it clear that a very natural way to design a MAC might be to start with
a hash function and then somehow build in the use of a key. This is precisely
 