I'm reading a protocol specification where the procedure is to generate a CMAC, take the first 4 bytes of it, append this authentication tag to the message and then encrypt the message + CMAC together with another key using CTR mode encryption.

Both CMAC and CTR mode are defined to use the AES-128 block cipher. A separate key is used for CMAC authentication and CTR encryption.

Does encrypting the MAC add any extra security? Shouldn't CMAC be already "secure" by itself?

Is this a typical approach for doing encryption + integrity verification?

Maarten Bodewes
RubenLaguna

2 Answers

If a MAC is encrypted using CTR specifically then specific bits can still be flipped by an attacker. So although the MAC isn't known, specific bits can still be altered in transit. This may allow certain attacks, depending on the error handling of the receiver of the protected messages.

[The question I cannot readily answer is if such a small authentication tag gains nothing from being encrypted. Please alter.]


A CMAC should indeed already be secure by itself. Encryption of a MAC should not be necessary.

In the protocol you are describing the CMAC is however truncated to a very low number of bits. Look at this snippet from RFC 4493, section 2.4:

It is possible to truncate the MAC. According to [NIST-CMAC], at least a 64-bit MAC should be used as protection against guessing attacks. The result of truncation should be taken in most significant bits first order.


No, it's not a "typical approach" in the sense that newer protocols usually calculate an authentication tag over the ciphertext instead of the plaintext.

There are however protocols where MAC-then-encrypt is used, notably Transport Layer Security (TLS). This actually opens up TLS to some attacks such as the Lucky Thirteen attack, although that attack also requires CBC mode encryption instead of CTR mode encryption.

Maarten Bodewes

No, this is not a typical way to go.

Actually, Encrypt-then-MAC would be the best way to go, attaching the MAC (in this case a CMAC) as is to the encrypted data.

Before starting the decryption, you would first check the MAC. Even in this setup, two different keys - one for the AES encryption and one for the CMAC - should be used.

Finally, I am confused about the AES128-CBC-CTR - normally it is either CBC or CTR.

Thor
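As an added example, not code from the question or either answer, here are both layouts in Python using the `cryptography` package: the MAC-then-encrypt construction from the question (AES-128 CMAC truncated to 4 bytes, appended, then CTR-encrypted under a second key) beside the Encrypt-then-MAC construction Thor recommends. Keys, nonce and message are constructed test values; `flip_bit` is a hypothetical helper used only to show the CTR malleability Maarten's answer describes.

```python
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

TAG_LEN = 4                     # the protocol keeps the first 4 bytes of the CMAC
K_MAC = bytes(range(16))        # constructed test value: CMAC key
K_ENC = bytes(range(16, 32))    # constructed test value: separate CTR key
NONCE = b"\x00" * 16            # constructed test value: CTR initial counter block

def cmac_tag(key: bytes, data: bytes) -> bytes:
    """AES-128 CMAC truncated to TAG_LEN bytes, most significant bytes first."""
    c = CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()[:TAG_LEN]

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """AES-128 CTR keystream XOR; the same call encrypts and decrypts."""
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    return enc.update(data) + enc.finalize()

# MAC-then-encrypt as in the question: tag the plaintext, append the truncated
# tag, then CTR-encrypt message and tag together under the second key.
def mte_seal(msg: bytes) -> bytes:
    return ctr(K_ENC, NONCE, msg + cmac_tag(K_MAC, msg))

def mte_open(ct: bytes) -> bytes:
    pt = ctr(K_ENC, NONCE, ct)                 # must decrypt before verifying
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(tag, cmac_tag(K_MAC, msg)):
        raise ValueError("authentication failed")
    return msg

# Encrypt-then-MAC: the tag covers nonce and ciphertext, so the check runs
# before any decryption and a modified ciphertext is rejected outright.
def etm_seal(msg: bytes) -> bytes:
    ct = ctr(K_ENC, NONCE, msg)
    return ct + cmac_tag(K_MAC, NONCE + ct)

def etm_open(ct: bytes) -> bytes:
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(tag, cmac_tag(K_MAC, NONCE + body)):
        raise ValueError("authentication failed")
    return ctr(K_ENC, NONCE, body)

def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Hypothetical helper: CTR maps a flipped ciphertext bit to the same plaintext bit."""
    out = bytearray(data)
    out[byte_index] ^= 0x01
    return bytes(out)
```

With MAC-then-encrypt the tag can only be checked after decryption, and a flipped ciphertext bit lands on exactly the same bit of the recovered tag. With Encrypt-then-MAC the check runs over the ciphertext first, so any modification is rejected before decryption starts.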