Cryptography Reference
the MAA. Its major problem is that it generates MACs of only 32 bits length. This
is unacceptable for most applications in use today. Consequently, we don't address
this MAC construction in this topic.
11.2.1 MACs Using Symmetric Encryption Systems
A standard method for message authentication is to use a symmetric encryption
system (e.g., DES), encrypt the plaintext message in CBC mode (see Section 10.2.3.2),
use the last ciphertext block as MAC, and send it along with the (plaintext) message
to the recipient(s). In this case, the last ciphertext block is sometimes also called
CBC residue or CBC MAC. The use of CBC MACs is, for example, standardized
in ANSI X9.9 [2], FIPS PUB 113 [3], and ISO/IEC 9797 [4]. Unfortunately, the
terminology is not used consistently. For example, the algorithm to compute a CBC
MAC is sometimes called data authentication algorithm (DAA) and the MAC itself
is sometimes called data authentication code (DAC). These terms are not used in
this topic.
In order to compute and verify a CBC MAC, one must know the secret key
k. If somebody not knowing the key (e.g., an adversary) modified the message, then
the CBC MAC would no longer be valid, and he or she would have to adapt the CBC
MAC accordingly (otherwise, the message modification could easily be detected).
If the CBC MAC is generated using a block cipher with block length n, then he or
she has a success probability of 1/2^n. This probability is sufficiently small for large
block lengths. A more formal analysis of the CBC MAC construction is provided
in [5]. Furthermore, a general birthday attack against iterated MACs, including, for
example, MAA and CBC MAC, is described in [6].
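The computation and verification described above, as an added example that is not taken from the book. The function toy_encrypt_block is a hypothetical stand-in for DES built from SHA-256 so the code runs with the Python standard library alone; the all-zero IV, the 0x80 padding, and the key and message values are assumptions constructed for this illustration.

```python
import hashlib
import hmac

BLOCK = 8  # block length in bytes (n = 64 bits, as for DES)

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES block encryption: an 8-round Feistel network.
    Constructed for this example only; not a vetted cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(message: bytes) -> bytes:
    """Assumed padding: append 0x80, then zero bytes up to a block boundary."""
    message += b"\x80"
    return message + b"\x00" * (-len(message) % BLOCK)

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """CBC-encrypt with an all-zero IV and keep only the last ciphertext block."""
    chain = bytes(BLOCK)
    data = pad(message)
    for i in range(0, len(data), BLOCK):
        xored = bytes(a ^ b for a, b in zip(chain, data[i:i + BLOCK]))
        chain = toy_encrypt_block(key, xored)
    return chain  # the CBC residue

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient side: recompute the MAC with k and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, message), tag)

if __name__ == "__main__":
    key = b"constructed-key-1"               # constructed sample key
    msg = b"transfer 100 to account 42"      # constructed sample message
    tag = cbc_mac(key, msg)                  # sent along with the plaintext
    print("MAC:", tag.hex())
    print("unmodified message accepted:", verify(key, msg, tag))
    print("modified message accepted:",
          verify(key, b"transfer 900 to account 42", tag))
```
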
Sometimes, people argue that the encryption of a message also protects its
authenticity and integrity, and hence that one need not authenticate a message
that is encrypted (using, for example, an additive stream cipher). This line of
argumentation is inherently flawed, and it is generally recommended and good
practice to authenticate a message even if it is encrypted. If one uses a block
cipher in CBC mode, this means that one has to encrypt the message twice with
two independent keys (in one step the message is CBC encrypted to generate the
ciphertext, and in the other step the message is CBC encrypted to generate the
CBC MAC). Alternatively, one may also use two keys that are not independent
(e.g., derived from a master key or derived from each other). There are no known
weaknesses or vulnerabilities in this approach, but few advantages either. It is
generally neither much more difficult to distribute and manage a pair of keys than
a single key, nor is it computationally more efficient. A more efficient approach is
to replace the CBC MAC with a MAC that uses a keyed hash function. In this case,
one uses a cryptographic hash function to compute a hash value from the message,