PPT for MAC padding


Online Cryptography Course

Message Integrity: MAC padding

Dan Boneh

Recall: ECBC-MAC

Let F : K × X → X be a PRP.

Define new PRF F_ECBC : K^2 × X^{≤L} → X

[Figure: ECBC-MAC. Message blocks m[0], m[1], m[3], m[4] are chained with ⊕ through F(k, ·); the final chaining value is passed through F(k1, ·) to give the tag.]

What if msg. len. is not multiple of block-size?

[Figure: the same ECBC-MAC chain through F(k, ·) and F(k1, ·) to the tag, with the last block shown as m[4] followed by ???]

CBC MAC padding

Bad idea: pad m with 0's

[Figure: message m[0] m[1] padded to m[0] m[1] 0000]

Is the resulting MAC secure?

• Yes, the MAC is secure
• It depends on the underlying MAC
• No, given tag on msg m attacker obtains tag on m||0

Problem: pad(m) = pad(m||0)

CBC MAC padding

For security, padding must be invertible!

m0 ≠ m1 ⇒ pad(m0) ≠ pad(m1)

ISO: pad with "1000…00". Add new dummy block if needed.

– The "1" indicates beginning of pad.

[Figure: m[0] m[1] is padded to m[0] m[1] 100; m'[0] m'[1] is padded to m'[0] m'[1] plus a dummy block 1000…000]
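Added example (not part of the course slides): a byte-level sketch of the two padding rules above, showing that zero padding gives m and m||0 the same ECBC-MAC tag while the ISO pad does not. Assumptions: a 16-byte block, truncated HMAC-SHA256 standing in for F(k, ·), constructed keys and message, and hypothetical function names.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumption; the slides leave X abstract)

def F(k: bytes, x: bytes) -> bytes:
    # Stand-in for F(k, .): HMAC-SHA256 truncated to one block. This is a PRF,
    # not a PRP such as AES; used only so the example needs no extra packages.
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def pad_zero(m: bytes) -> bytes:
    # The "bad idea": fill the last block with zero bytes.
    return m + b"\x00" * (-len(m) % BLOCK)

def pad_iso(m: bytes) -> bytes:
    # ISO pad at byte granularity: 0x80 (bits 1000 0000), then zeros.
    # A full dummy block is added when len(m) is already a multiple of BLOCK.
    return m + b"\x80" + b"\x00" * (-(len(m) + 1) % BLOCK)

def unpad_iso(p: bytes) -> bytes:
    # Invertibility: strip trailing zeros, then the 0x80 marker.
    stripped = p.rstrip(b"\x00")
    if len(p) % BLOCK or not stripped.endswith(b"\x80"):
        raise ValueError("bad padding")
    return stripped[:-1]

def ecbc_mac(k: bytes, k1: bytes, m: bytes, pad) -> bytes:
    # CBC chain under k over the padded message, then a final F(k1, .).
    p = pad(m)
    state = bytes(BLOCK)
    for i in range(0, len(p), BLOCK):
        block = p[i:i + BLOCK]
        state = F(k, bytes(a ^ b for a, b in zip(state, block)))
    return F(k1, state)

def demo():
    k, k1 = b"constructed-key-0", b"constructed-key-1"
    m = b"pay 100 to bob"   # constructed message, 14 bytes
    ext = m + b"\x00"       # m || 0
    zero_same = ecbc_mac(k, k1, m, pad_zero) == ecbc_mac(k, k1, ext, pad_zero)
    iso_same = ecbc_mac(k, k1, m, pad_iso) == ecbc_mac(k, k1, ext, pad_iso)
    return zero_same, iso_same  # (True, False)

if __name__ == "__main__":
    print(demo())
```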

CMAC (NIST standard)

Variant of CBC-MAC where key = (k, k1, k2)

• No final encryption step (extension attack thwarted by last keyed xor)
• No dummy block (ambiguity resolved by use of k1 or k2)

[Figure: two CBC chains m[0], m[1], ⋯, m[w] through F(k, ·) to the tag. In the first, the last block is m[w] 100 and k1 is XORed in before the final F(k, ·); in the second, the last block is m[w] and k2 is XORed in.]

End of Segment
