Questions tagged [cbc-mac]

Cipher Block Chaining MAC (CBC-MAC) is a method of building a message authentication code from a block cipher.

The Cipher Block Chaining MAC (CBC-MAC) method builds a message authentication code from a block cipher by running it in CBC mode over the message to be authenticated and outputting the final block as the authentication code.

CBC-MAC is not secure for variable-length messages, nor when the same key is used both to encrypt a message in CBC mode and to compute the CBC-MAC of that message. It is also vulnerable to attacks if the initialization vector can be varied.

See the Wikipedia page for more information.

111 questions

11 votes, 1 answer

Why does only length prepending improve the security of CBC-MAC

I know that length prepending improves security of CBC-MAC. However, wouldn't inserting the length elsewhere (middle, end or any other part of message) be equally good? After all, even the length is processed by the underlying cipher block.
TheRookierLearner

6 votes, 1 answer

OMAC/CMAC constant for different block sizes

OMAC/CMAC only specifies constants for 64-bit (0x1B) and 128-bit (0x87) block size. I would like to know how to get constants for other block sizes. http://en.wikipedia.org/wiki/CMAC says it "is the non-leading coefficients of the lexicographically…
LightBit

5 votes, 1 answer

Why does CBC-MAC need prefix-free inputs to be a good PRF?

In the FFX spec, there is a note about using CBC-MAC as the round function. Security notes. The round function F is constructed in such a way that the set of inputs on which the CBC-MAC is invoked is prefix-free. (A set of strings is prefix-free…
pg1989

2 votes, 0 answers

Modify basic CBC-MAC construction using a keyed function

Typically, CBC-MAC is a secure MAC for fixed length message if the construction uses a pseudorandom function. However, for a secure MAC, we can use a keyed function that is not necessarily pseudorandom. For example, the generated tag of this secure…
Zhiyong

2 votes, 1 answer

What's the reason why CBC-MAC shouldn't use IV or random IV?

I searched the answer but I'm not sure if I understood exactly, and have some other questions. I understood that the reason for CBC-MAC not to have random IV is if CBC-MAC has a random IV, the attacker can change the P1 block, making the tag…
CYDF

1 vote, 2 answers

Why use CBC-MAC? Why not just apply hash function on the whole message?

Why not just apply hash function on the whole message? Why convert that message into blocks and hash those blocks? To avoid collisions?
evening

0 votes, 0 answers

CBC-MAC padded message difference

If an attacker had a padded message and its corresponding CBC-MAC tag, how would they construct another message which produces the same tag for the same key as the original? The padding scheme used in this scenario is to add 0's to the end of the…
Kabiru