Cryptography Reference
In-Depth Information
m512 := "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c4\
6a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":
k128 := "2b7e151628aed2a6abf7158809cf4f3c";
k192 := "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b";
k256 := "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"
The resulting tags are the following; note that in some cases the empty string is
being authenticated:
> CMAC(k128, "", hex);
CMAC(k128, m320, hex);
CMAC(k192, "", hex);
CMAC(k192, m128, hex);
CMAC(k256, "", hex);
CMAC(k256, m512, hex);
"bb1d6929e95937287fa37d129b756746"
"dfa66747de9ae63030ca32611497c827"
"d17ddf46adaacde531cac483de7a9367"
"9e99a7bf31e710900662f65e617c5184"
"028962f61b7bf89efc6b551f4667d983"
"e1992190549f6ed5696a2c056c315410"
Exercise 5.7
Convert the hexadecimal string
m512
to a list of bytes and write this
list to a file named
"m512"
in the current directory. Then compute the CMAC tag of
this file using the key
k256
and check that it is equal to the tag
CMAC(k256,m512,
hex)
computed above.
Apart from the key generation algorithm, for which we refer to our earlier dis-
cussions on the topic, there is still one ingredient missing in the implementation of
CMAC, namely, the verification algorithm. It is given in the next function whose
input is the (received) message, the received tag and the key, and whose output is
VALID
(if indeed the tag corresponds to the message) or
INVALID
otherwise.
> CMACVer :=
proc(key::{list, string}, message::string, tag::string, messagetype::name:=file)
if not (StringTools:-IsHexDigit(tag) and StringTools:-Length(tag) = 32) then
error "Incorrectly formatted tag"
end if;
if evalb(CMAC(key, message, messagetype) = StringTools:-LowerCase(tag)) then
VALID
else
INVALID
end if
end proc:
Example 5.5
Let us verify one of the previously computed tags:
> CMACVer(k192, m128, "9e99a7bf31e710900662f65e617c5184", hex);
VALID
Exercise 5.8
Let
k
be an AES key and
k
1
,
k
2
, the corresponding CMAC subkeys.
Let
x
be a byte string of length
i
, where 0
0
15
−
i
. Prove
≤
i
≤
15 and
m
=
x
||
128
||
that the messages
x
and
m
⊕
k
1
⊕
k
2
have the same CMAC tag under the key
k
.
Exercise 5.8 shows that it is easy to find two different messages with the same
CMAC tag, but this does not compromise the security of the scheme because of one
important detail: it is necessary to know the key or, at least, the subkeys
k
1
,
k
2
. Thus,
even if we consider the operation of Xor-ing the last block with either
k
1
or
k
2
as part
