Cryptography Reference
In-Depth Information
approach in practice is to use a block cipher such as AES in cipher block chaining
(CBC) mode, as discussed in Section 5.1.2.
Figure 12.3 depicts the complete setting for the application of a MAC on basis
of a block cipher in CBC mode. The left side shows the sender, the right side the
receiver. This scheme is also referred to as CBC-MAC.
Fig. 12.3
MAC built from a block cipher in CBC mode
MAC Generation
For the generation of a MAC, we have to divide the message
x
into blocks
x
i
,
i
=
1
, ...,
n
. With the secret key
k
and an initial value IV, we can compute the first itera-
tion of the MAC algorithm as
y
1
=
e
k
(
x
1
⊕
IV
)
,
where the IV can be a public but random value. For subsequent message blocks we
use the XOR of the block
x
i
and the previous output
y
i
−
1
as input to the encryption
algorithm:
y
i
=
e
k
(
x
i
⊕
y
i
−
1
)
.
Finally, the MAC of the message
x
=
x
1
x
2
x
3
...
x
n
is the output
y
n
of the last round:
m
= MAC
k
(
x
)=
y
n
In contrast to CBC encryption, the values
y
1
,
y
2
,
y
3
,...,
y
n
−
1
are
not
transmitted.
They are merely internal values which are used for computing the final MAC value
m
=
y
n
.
MAC Verification
As with every MAC, verification involves simply repeating the operation that were
used for the MAC generation. For the actual verification decision we have to com-
