Download
mac padding n.
Skip this Video
Loading SlideShow in 5 Seconds..
MAC padding PowerPoint Presentation
Download Presentation
MAC padding

MAC padding

126 Vues Download Presentation
Télécharger la présentation

MAC padding

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Online Cryptography Course Dan Boneh Message Integrity MAC padding

  2. Recall: ECBC-MAC m[0] m[1] m[3] m[4]    F(k,) F(k,) F(k,) F(k,) Let F: K × X ⟶ X be a PRP Define new PRF FECBC :K2 × X≤L ⟶ X F(k1,) tag

  3. What if msg. len. is not multiple of block-size? m[0] m[1] m[3] ??? m[4]    F(k,) F(k,) F(k,) F(k,) F(k1,) tag

  4. CBC MAC padding Bad idea: pad m with 0’s m[0] m[1] m[0] 0000 m[1] Is the resulting MAC secure? Yes, the MAC is secure It depends on the underlying MAC No, given tag on msgm attacker obtains tag on mll0 Problem: pad(m) = pad(mll0)

  5. CBC MAC padding For security, padding must be invertible ! m0 ≠ m1 ⇒ pad(m0) ≠ pad(m1) ISO: pad with “100000”. Add new dummy block if needed. • The “1” indicates beginning of pad. m[1] m[0] m[0] 100 m[1] m’[0] m’[1] m’[1] 1000…000 m’[0]

  6. CMAC (NIST standard) Variant of CBC-MAC where key = (k, k1, k2) • No final encryption step (extension attack thwarted by last keyed xor) • No dummy block (ambiguity resolved by use of k1 or k2) ⋯ ⋯ m[0] m[1] m[w] m[0] m[1] m[w] 100     k1 k2 F(k,) F(k,) F(k,) F(k,) F(k,) F(k,) tag tag

  7. End of Segment