Cryptography Reference
In-Depth Information
pare the computed MAC
m
with the received MAC value
m
. In case
m
=
m
,the
message is verified as correct. In case
m
=
m
, the message and/or the MAC value
m
have been altered during transmission. We note that the MAC verification is dif-
ferent from CBC decryption, which actually reverses the encryption operation.
The output length of the MAC is determined by the block size of the cipher used.
Historically, DES was widely used, e.g., for banking applications. More recently,
AES is often used; it yields a MAC of length 128 bit.
12.4 Galois Counter Message Authentication Code (GMAC)
GMAC
is a variant of the Galois Counter Mode (GCM) introduced in Section 5.1.6.
GMAC is specified in [160] and is a mode of operation for an underlying symmet-
ric key block cipher. In contrast to the GCM mode, GMAC does not encrypt data
but only computes a message authentication code. GMAC is easily parallelizable,
which is attractive for high-speed applications. The use of GMAC in IPsec Encap-
sulating Security Payload (ESP) and Authentication Header (AH) is described in
the RFC 4543 [119]. The RFC describes how to use AES in GMAC to provide data
origin authentication without confidentiality within the IPsec ESP and AH. GMAC
can be efficiently implemented in hardware and can reach a speed of 10 Gbit/sec
and above.
12.5 Discussion and Further Reading
Block Cipher-Based MACs
Historically, block cipher-based MACs have been the
dominant method for constructing message authentication codes. As early as in
1977, i.e., only a couple of years after the announcement of the Data Encryption
Standard (DES), it was suggested that DES could be used to compute cryptographic
checksums [39]. In the following years, block cipher-based MACs were standard-
ized in the US and became popular for assuring the integrity of financial transac-
tions, see, e.g., the ANSI X9.17 standard [3]. Much more recently, the NIST recom-
mendation [65] specifies a message authentication code algorithm based on a sym-
metric key block cipher (
CMAC
), which is similar to CBC-MAC. The AES-CMAC
algorithm is specified in RFC 4493 [159].
In this chapter the CBC-MAC was introduced. In addition to the CBC-MAC,
there are the OMAC and PMAC, which are both constructed with block ciphers.
Counter with CBC-MAC (
CCM
) is a mode for authenticated encryption and is de-
fined for use with a 128-bit block cipher [173]. It is described in the NIST recom-
mendation [64]. The GMAC construction is standardized in IPSec [119] and in the
NIST recommendation for Block Cipher Modes of Operation [66].
