Misplaced Pages

#100899

53-505: To calculate the CBC-MAC of message m , one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks m 1 ‖ m 2 ‖ ⋯ ‖ m x {\displaystyle m_{1}\|m_{2}\|\cdots \|m_{x}} using

106-423: A case, it may also be recommended to use a different mode of operation, for example, CMAC or HMAC to protect the integrity of variable-length messages. One solution is to include the length of the message in the first block; in fact CBC-MAC has been proven secure as long as no two messages that are prefixes of each other are ever used and prepending the length is a special case of this. This can be problematic if

159-544: A different plain text P n ′ {\displaystyle P_{n}'} is produced when chaining the previous cipher text block into the exclusive-OR after decryption of C n {\displaystyle C_{n}} : P n ′ = C n − 1 ′ ⊕ E K − 1 ( C n ) {\displaystyle P_{n}'=C_{n-1}'\oplus E_{K}^{-1}(C_{n})} . It follows that Bob will now compute

212-426: A key for different purposes is a bad practice in general, in this particular case the mistake leads to a spectacular attack: Suppose Alice has sent to Bob the cipher text blocks C = C 1 ‖ C 2 ‖ … ‖ C n {\displaystyle C=C_{1}\|C_{2}\|\dots \|C_{n}} . During the transmission process, Eve can tamper with any of

265-541: A message which she did not produce. If, instead, we use different keys for the encryption and authentication stages, say K 1 {\displaystyle K_{1}} and K 2 {\displaystyle K_{2}} , respectively, this attack is foiled. The decryption of the modified cipher-text blocks C i ′ {\displaystyle C_{i}'} obtains some plain text string P i ′ {\displaystyle P_{i}'} . However, due to

318-432: A relationship exists. When computing a message authentication code, such as by CBC-MAC, the use of an initialization vector is a possible attack vector. In the operation of a ciphertext block chaining cipher, the first block of plain text is mixed with the initialization vector using an exclusive OR ( P 1 ⊕ I V {\displaystyle P_{1}\oplus IV} ). The result of this operation

371-655: A secret key k and a block cipher E : CBC-MAC on its own is not secure for variable-length messages (see the discussion below) and is currently used to construct a pseudorandom function family and as a component of the CCM mode . The CBC-MAC construct is used as part of the CCM mode utilized in IEEE 802.11i and NIST SP 800-97 (as CCMP , the CCM encryption protocol for WPA2 ), IPsec , and TLS 1.2, as well as Bluetooth Low Energy (as of Bluetooth 4.0 , see NIST SP 800-121 Rev2). It

424-503: A sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides. Block cipher processing of data is usually described as a mode of operation. Modes are primarily defined for encryption as well as authentication , though newer designs exist that combine both security solutions in so-called authenticated encryption modes. While encryption and authenticated encryption modes usually take an IV matching

477-417: A set of input blocks. The first mode implements the simple strategy described above, and was specified as the electronic codebook (ECB) mode. In contrast, each of the other modes describe a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value is required to be mixed with the first block, and which

530-457: A short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked. Packet injection allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP. In cipher-block chaining mode (CBC mode), the IV need not be secret, but must be unpredictable (In particular, for any given plaintext, it must not be possible to predict

583-485: Is C ′ = C 1 ′ ‖ … ‖ C n − 1 ′ ‖ C n {\displaystyle C'=C_{1}'\|\dots \|C_{n-1}'\|C_{n}} . Bob first decrypts the message received using the shared secret key K to obtain corresponding plain text. Note that all plain text produced will be different from that which Alice originally sent, because Eve has modified all but

SECTION 10

#1732800776101

636-443: Is broken if we can find a different message (a sequence of plain-text pairs P ′ {\displaystyle P'} ) which produces the same tag as the previous message, P , with P ≠ P ′ {\displaystyle P\not =P'} . It follows that the message authentication protocol, in this usage scenario, has been broken, and Bob has been deceived into believing Alice sent him

689-420: Is also included into ANSI X9.9, ANSI X9.19, ISO 8731-1, and ISO/IEC 9797-1 MAC (Algorithm 1). If the block cipher used is secure (meaning that it is a pseudorandom permutation ), then CBC-MAC is secure for fixed-length messages. However, by itself, it is not secure for variable-length messages. Thus, any single key must only be used for messages of a fixed and known length. This is because an attacker who knows

742-522: Is available for TLS 1.3, but not enabled by default in OpenSSL . CBC-MAC is also used as a "conditioning component" (a.k.a. randomness extractor, a method to generate bitstrings with full entropy ) in NIST SP 800-90B . FIPS PUB 113 Computer Data Authentication is a (now obsolete) U.S. government standard that specified the CBC-MAC algorithm using DES as the block cipher. The CBC-MAC algorithm

795-406: Is common to introduce an initialization vector to the first stage of the encryption process. It is typically required that this vector be chosen randomly (a nonce ) and that it is not repeated for any given secret key under which the block cipher operates. This provides semantic security, by means of ensuring the same plain text is not encrypted to the same cipher text, allowing an attacker to infer

848-413: Is crucial for some encryption schemes to achieve semantic security , a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers , the use of an IV is described by the modes of operation . Some cryptographic primitives require the IV only to be non-repeating, and

901-511: Is identical to that for M 1 {\displaystyle M_{1}} . If no further changes are made to the plain text, the same tag will be derived despite a different message being transmitted. If the freedom to select an initialization vector is removed and all implementations of CBC-MAC fix themselves on a particular initialization vector (often the vector of zeroes, but in theory, it could be anything provided all implementations agree), this attack cannot proceed. To sum up, if

954-459: Is one of the most basic primitives in cryptography, and frequently used for data encryption . However, by itself, it can only be used to encode a data block of a predefined size, called the block size . For example, a single invocation of the AES algorithm transforms a 128-bit plaintext block into a ciphertext block of 128 bits in size. The key , which is given as one input to the cipher, defines

1007-440: Is referred to as an initialization vector . For example, the cipher-block chaining (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on. The ultimate goal for encryption schemes

1060-570: Is simply done by XORing the first block of m ′ {\displaystyle m'} with t and then concatenating m with this modified m ′ {\displaystyle m'} ; i.e., by making m ″ = m ‖ [ ( m 1 ′ ⊕ t ) ‖ m 2 ′ ‖ … ‖ m x ′ ] {\displaystyle m''=m\|[(m_{1}'\oplus t)\|m_{2}'\|\dots \|m_{x}']} . When computing

1113-410: Is the input to the block cipher for encryption. However, when performing encryption and decryption, we are required to send the initialization vector in plain text - typically as the block immediately preceding the first block of cipher text - such that the first block of plain text can be decrypted and recovered successfully. If computing a MAC, we will also need to transmit the initialization vector to

SECTION 20

#1732800776101

1166-983: Is to encrypt the IV before using it (i.e., prepending IV to the data). Alternatively MAC in CFB mode can be used, because in CFB mode the IV is encrypted before it is XORed with the data. Another solution (in case protection against message replay attacks is not required) is to always use a zero vector IV. Note that the above formula for M 1 ′ {\displaystyle M_{1}'} becomes M 1 ′ = ( P 1 ⊕ 0 ⊕ 0 ) | P 2 | ⋯ = P 1 | P 2 | ⋯ = M 1 {\displaystyle M_{1}'=(P_{1}\oplus 0\oplus 0)|P_{2}|\dots =P_{1}|P_{2}|\dots =M_{1}} . So since M 1 {\displaystyle M_{1}} and M 1 ′ {\displaystyle M_{1}'} are

1219-485: Is to provide semantic security : by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by the NIST are semantically secure under so-called chosen-plaintext attacks . Properties of an IV depend on the cryptographic scheme used. A basic requirement is uniqueness , which means that no IV may be reused under

1272-404: The C 1 , … , C n − 1 {\displaystyle C_{1},\dots ,C_{n-1}} cipher-text blocks and adjust any of the bits therein as she chooses, provided that the final block, C n {\displaystyle C_{n}} , remains the same. We assume, for the purposes of this example and without loss of generality, that

1325-458: The CBC-MAC process to some value M A C i ≠ C i ′ {\displaystyle \mathrm {MAC} _{i}\not =C_{i}'} . This example also shows that a CBC-MAC cannot be used as a collision-resistant one-way function: given a key it is trivial to create a different message which "hashes" to the same tag. When encrypting data using a block cipher in cipher block chaining (or another) mode, it

1378-496: The IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account. Traditional stream ciphers such as RC4 do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks. A block cipher

1431-399: The IV that will be associated to the plaintext in advance of the generation of the IV.) at encryption time. Additionally for the output feedback mode (OFB mode), the IV must be unique. In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows

1484-483: The MAC for the message m ″ {\displaystyle m''} , it follows that we compute the MAC for m in the usual manner as t , but when this value is chained forwards to the stage computing E K MAC ( m 1 ′ ⊕ t ) {\displaystyle E_{K_{\text{MAC}}}(m_{1}'\oplus t)} we will perform an exclusive OR operation with

1537-411: The MAC for this message, we begin the computation by E K ( P 1 ′ ⊕ I V 1 ′ ) {\displaystyle E_{K}(P_{1}'\oplus IV_{1}')} . As bits in both the plain text and initialization vector have been flipped in the same places, the modification is cancelled in this first stage, meaning the input to the block cipher

1590-424: The MAC's usage of a different key K 2 {\displaystyle K_{2}} , we cannot "undo" the decryption process in the forward step of the computation of the message authentication code so as to produce the same tag; each modified P i ′ {\displaystyle P_{i}'} will now be encrypted by K 2 {\displaystyle K_{2}} in

1643-418: The attacker is able to set the IV that will be used for MAC verification, he can perform arbitrary modification of the first data block without invalidating the MAC. Sometimes IV is used as a counter to prevent message replay attacks. However, if the attacker can predict what IV will be used for MAC verification, he or she can replay previously observed message by modifying the first data block to compensate for

CBC-MAC - Misplaced Pages Continue

1696-463: The authentication tag using CBC-MAC over all the values of plain text which he decoded. The tag for the new message, t ′ {\displaystyle t'} , is given by: Notice that this expression is equal to which is exactly C n {\displaystyle C_{n}} : and it follows that t ′ = C n = t {\displaystyle t'=C_{n}=t} . Therefore, Eve

1749-401: The chance of a duplicate IV is negligible , but the effect of the birthday problem must be considered. As for the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext. Depending on whether the IV for a cryptographic scheme must be random or only unique the scheme is either called randomized or stateful . While randomized schemes always require the IV chosen by

1802-847: The change in the IV that will be used for the verification. For example, if the attacker has observed message M 1 = P 1 | P 2 | … {\displaystyle M_{1}=P_{1}|P_{2}|\dots } with I V 1 {\displaystyle IV_{1}} and knows I V 2 {\displaystyle IV_{2}} , he can produce M 1 ′ = ( P 1 ⊕ I V 1 ⊕ I V 2 ) | P 2 | … {\displaystyle M_{1}'=(P_{1}\oplus IV_{1}\oplus IV_{2})|P_{2}|\dots } that will pass MAC verification with I V 2 {\displaystyle IV_{2}} . The simplest countermeasure

1855-467: The cipher's block size, authentication modes are commonly realized as deterministic algorithms , and the IV is set to zero or some other fixed value. In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds are executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible, but because determining

1908-400: The computation. As with many cryptographic schemes, naïve use of ciphers and other protocols may lead to attacks being possible, reducing the effectiveness of the cryptographic protection (or even rendering it useless). We present attacks which are possible due to using the CBC-MAC incorrectly. One common mistake is to reuse the same key k for CBC encryption and CBC-MAC. Although a reuse of

1961-437: The correct authentication tag (i.e. CBC-MAC) pairs for two messages ( m , t ) {\displaystyle (m,t)} and ( m ′ , t ′ ) {\displaystyle (m',t')} can generate a third message m ″ {\displaystyle m''} whose CBC-MAC will also be t ′ {\displaystyle t'} . This

2014-480: The encryption key. To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to randomize the input data. In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation , each describing a different solution for encrypting

2067-495: The initialization vector used for the encryption process is a vector of zeroes. When Bob receives the message, he will first decrypt the message by reversing the encryption process which Alice applied, using the cipher text blocks C = C 1 ‖ C 2 ‖ ⋯ ‖ C n {\displaystyle C=C_{1}\|C_{2}\|\cdots \|C_{n}} . The tampered message, delivered to Bob in replacement of Alice's original,

2120-496: The last cipher text block. In particular, the final plain text, P n ′ {\displaystyle P_{n}'} , differs from the original, P n {\displaystyle P_{n}} , which Alice sent; although C n {\displaystyle C_{n}} is the same, C n − 1 ′ ≠ C n − 1 {\displaystyle C_{n-1}'\not =C_{n-1}} , so

2173-431: The mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even when not knowing

CBC-MAC - Misplaced Pages Continue

2226-484: The message M 2 = P 1 ′ | P 2 | … {\displaystyle M_{2}=P_{1}'|P_{2}|\dots } . For each bit modified in P 1 ′ {\displaystyle P_{1}'} , flip the corresponding bit in the initialization vector to produce the initialization vector I V 1 ′ {\displaystyle IV_{1}'} . It follows that to compute

2279-402: The message length may not be known when processing begins. Encrypt-last-block CBC-MAC (ECBC-MAC) is defined as CBC-MAC-ELB( m , ( k 1 , k 2 )) = E ( k 2 , CBC-MAC( k 1 , m )) . Compared to the other discussed methods of extending CBC-MAC to variable-length messages, encrypt-last-block has the advantage of not needing to know the length of the message until the end of

2332-488: The message tag for CBC-MAC, suppose we choose an initialization vector I V 1 {\displaystyle IV_{1}} such that computation of the MAC begins with E K ( I V 1 ⊕ P 1 ) {\displaystyle E_{K}(IV_{1}\oplus P_{1})} . This produces a (message, tag) pair ( M 1 , T 1 ) {\displaystyle (M_{1},T_{1})} . Now produce

2385-432: The message to consider message loss.) An example of stateful encryption schemes is the counter mode of operation, which has a sequence number for a nonce. The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block-size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks. When

2438-443: The minimal secure number of rounds for stream ciphers is not a trivial task, and considering other issues such as entropy loss, unique to each cipher construction, related-IVs and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research. The 802.11 encryption algorithm called WEP (short for Wired Equivalent Privacy ) used

2491-535: The other party in plain text so that they can verify the tag on the message matches the value they have computed. If we allow the initialization vector to be selected arbitrarily, it follows that the first block of plain text can potentially be modified (transmitting a different message) while producing the same message tag. Consider a message M 1 = P 1 | P 2 | … {\displaystyle M_{1}=P_{1}|P_{2}|\dots } . In particular, when computing

2544-418: The required randomness is derived internally. In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC ) are considered stateful rather than randomized . This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with

2597-443: The same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In stream cipher encryption uniqueness is crucially important as plaintext may be trivially recovered otherwise. Many schemes require the IV to be unpredictable by an adversary . This is effected by selecting the IV at random or pseudo-randomly . In such schemes,

2650-454: The same message, by definition they will have the same tag. This is not a forgery, rather the intended use of CBC-MAC. Initialization vector In cryptography , an initialization vector ( IV ) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom , but sometimes an IV only needs to be unpredictable or unique. Randomization

2703-400: The tag for m ″ {\displaystyle m''} is t ′ {\displaystyle t'} . This problem cannot be solved by adding a message-size block to the end. There are three main ways of modifying CBC-MAC so that it is secure for variable length messages: 1) Input-length key separation; 2) Length-prepending; 3) Encrypt last block. In such

SECTION 50

#1732800776101

2756-513: The value derived for the MAC of the first message. The presence of that tag in the new message means it will cancel, leaving no contribution to the MAC from the blocks of plain text in the first message m : E K MAC ( m 1 ′ ⊕ t ⊕ t ) = E K MAC ( m 1 ′ ) {\displaystyle E_{K_{\text{MAC}}}(m_{1}'\oplus t\oplus t)=E_{K_{\text{MAC}}}(m_{1}')} and thus

2809-403: Was able to modify the cipher text in transit (without necessarily knowing what plain text it corresponds to) such that an entirely different message, P ′ {\displaystyle P'} , was produced, but the tag for this message matched the tag of the original, and Bob was unaware that the contents had been modified in transit. By definition, a Message Authentication Code

#100899