I've just read about CBC-MAC for the authentication of arbitrary-length messages. In particular, I cannot figure out why appending the message length before computing the MAC yields a non-secure MAC. I've already read other topics on crypto about this problem, but I did not find a rigorous proof.
Viewed 3,185 times
I attempted to clarify your question; please fix it if I messed it up. Does this not answer your question: http://crypto.stackexchange.com/a/11152/13625 – otus Jan 11 '16 at 09:49
1 Answer
I'll give you a hint, and you can work out the details yourself.
Take any $m_1,m_2,m_3$ of length $n$ (where $n$ is the block length), with $m_1\neq m_2$. Query the oracle with $m_1$, then query the oracle with $m_2$, and finally query the oracle with $m_1\|n\|m_3$.
Work through this, and you can find a message and its forgery.

Yehuda Lindell
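The hint above carried out end to end, as an added example that is not part of the question or the answer. It implements CBC-MAC over m || |m| (the length appended as a final block), makes the three oracle queries from the hint, and produces a fourth message whose tag is known without querying it. Assumptions made here: a 128-bit block, the length encoded as the bit count in one big-endian block, AES-128 as the block cipher when the `cryptography` package is installed (otherwise a SHA-256-based stand-in PRF, since the attack only exploits the CBC chaining structure and not any property of the cipher), and a constructed key and constructed messages m_1, m_2, m_3.

```python
import hashlib

BLOCK = 16  # block length n in bytes (128-bit blocks), an assumption of this example

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def prf(key: bytes, block: bytes) -> bytes:
        """F_k: one AES-128 block encryption (ECB on a single block)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    def prf(key: bytes, block: bytes) -> bytes:
        """Stand-in PRF used only when `cryptography` is absent (assumption:
        any fixed-length keyed function works, because the attack never uses
        decryption or any algebraic property of the cipher)."""
        return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_len(msg: bytes) -> bytes:
    """The message length in bits, encoded as one n-bit block (assumed encoding)."""
    return (len(msg) * 8).to_bytes(BLOCK, "big")


def cbc_mac_raw(key: bytes, data: bytes) -> bytes:
    """Plain CBC-MAC with a zero IV over a whole number of blocks."""
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block length")
    c = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        c = prf(key, xor(c, data[i:i + BLOCK]))
    return c


def mac_len_appended(key: bytes, msg: bytes) -> bytes:
    """The scheme in question: CBC-MAC over m || |m| with the length appended."""
    return cbc_mac_raw(key, msg + encode_len(msg))


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return mac_len_appended(key, msg) == tag


def forge(oracle, m1: bytes, m2: bytes, m3: bytes):
    """The hint carried out. `oracle` is a chosen-message tagging oracle.

    Query 1: t1 = F(F(m1) xor n)        (n = length block of a one-block message)
    Query 2: t2 = F(F(m2) xor n)
    Query 3: t3 = tag of m1 || n || m3
             = F( F(t1 xor m3) xor 3n )  because the chain through m1 || n equals t1
    Forgery: m2 || n || (m3 xor t1 xor t2) has the same chaining value after
             three blocks, hence the same tag t3, and was never queried.
    """
    if len(m1) != BLOCK or len(m2) != BLOCK or len(m3) != BLOCK or m1 == m2:
        raise ValueError("need three one-block messages with m1 != m2")
    n_block = encode_len(m1)  # the block the scheme appends to any one-block message
    t1 = oracle(m1)
    t2 = oracle(m2)
    long_msg = m1 + n_block + m3
    t3 = oracle(long_msg)
    forged = m2 + n_block + xor(m3, xor(t1, t2))
    return forged, t3, (m1, m2, long_msg)


def run_attack(key: bytes = bytes(range(16))):
    """Constructed key and messages; returns the forgery and whether it verifies."""
    m1, m2, m3 = b"A" * BLOCK, b"B" * BLOCK, b"C" * BLOCK
    forged, tag, queried = forge(lambda m: mac_len_appended(key, m), m1, m2, m3)
    fresh = forged not in queried
    return forged, tag, fresh and verify(key, forged, tag)


if __name__ == "__main__":
    forged, tag, ok = run_attack()
    print("forged message:", forged.hex())
    print("tag:", tag.hex())
    print("verifies without having been queried:", ok)
```

Note where the length block's position matters: the forgery only needs the appended block for a one-block message to appear, byte for byte, in the middle of the third query, and the final length block for both three-block messages to be identical; prepending the length instead blocks this route because the chain then starts from a block the forger cannot substitute.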