In cryptography, a Cipher Block Chaining Message Authentication Code, abbreviated CBC-MAC, is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
To calculate the CBC-MAC of message 
one encrypts in CBC mode with zero initialization vector. The following figure sketches the computation of the CBC-MAC of a message comprising blocks 
using a secret key 
and a block cipher 
:
File:CBC-MAC structure (en).svg
Contents
- 1 Variable-length messages
- 2 Using the same key for encryption and authentication
- 3 See also
- 4 References
Variable-length messages[]
Given a secure block cipher, CBC-MAC is secure for fixed-length messages. However, by itself, it is not secure for variable-length messages.An attacker who knows the correct message-tag (i.e. CBC-MAC) pairs 
and 
can generate a third message 
whose CBC-MAC will also be 
. This is simply done by XORing the first block of 
with 
and then concatenating with this modified , i.e. by making 
.
This problem cannot be solved by adding a message-size block (e.g., with Merkle-Damgård strengthening) and thus it is recommended to use a different mode of operation, for example, CMAC to protect integrity of variable-length messages. Slatty
Using the same key for encryption and authentication[]
One common mistake is to reuse the same key for CBC encryption and CBC-MAC. Although a reuse of a key for different purposes is a bad practice in general, in this particular case the mistake leads to a spectacular attack. Suppose that one encrypts a message 
in the CBC mode using an 
and gets the following ciphertext: 
, where 
. He also generates the CBC-MAC tag for the IV and the message: 
Now an attacker can change every bit before the last block 
and the MAC tag still be valid. The reason is that 
(this is actually the reason why people make this mistake so often—it allows to increase the performance by a factor of two). Hence as far as the last block is not changed the equivalence 
holds and thus the CBC-MAC tag is correct.
This example also shows that a CBC-MAC cannot be used as a collision resistant one-way function: given a key it is trivial to create a different message which “hashes” to the same tag.
See also[]
- CMAC — A block-cipher–based MAC algorithm which is secure for messages of different lengths (recommended by NIST).
- OMAC and PMAC — Other methods to turn block ciphers into message authentication codes (MACs).
- One-way compression function - Hash functions can be made from block ciphers. But note, there are significant differences in function and uses for security between MACs (such as CBC-MAC) and hashes.
- DAA — A (now obsolete) U.S. government standard instantiation of CBC-MAC.
References[]
fr:CBC-MACit:CBC-MAC
