Questions tagged [cbc-mac]

Cipher Block Chaining MAC (CBC-MAC) is a method of building a message authentication code from a block cipher.

The Cipher Block Chaining MAC (CBC-MAC) method builds a message authentication code from a block cipher by operating it in CBC mode over the message to authenticate, and outputting the final block as the authentication code.

CBC-MAC is not secure for variable-length messages, nor when the same key is used both to encrypt a message in CBC mode and to compute its CBC-MAC, and it is vulnerable to attacks if the initialization vector can be varied.

See the Wikipedia page for more information.

116 questions
15 votes, 2 answers

What is the correct way to implement PBKDF2 + AES CBC + HMAC?

I've been doing a lot of reading on the proper way to implement AES CBC mode with HMAC authentication. I've seen many explanations, however, I've had a hard time finding an actual real example (with code) on all steps including key derivation,…
izzle
15 votes, 1 answer

Difference between CBC-MAC and CMAC

According to Wikipedia, CMAC is based on a variation of CBC-MAC and fixes some security deficiencies in it. However, I could not find a simple and clear explanation of what the differences between the two algorithms actually are, so I thought I'd…
enigma
12 votes, 0 answers

Do CCM and EAX provide key commitment?

In an interesting paper called "Partitioning Oracle Attacks" by Julia Len, Paul Grubbs & Thomas Ristenpart an attack is presented on 1.5 pass AEAD schemes that utilize GMAC (GCM, AES-GCM, AES-GCM-SIV) and Poly1305 which is often used with a…
Maarten Bodewes
11 votes, 1 answer

Why does only length prepending improve the security of CBC-MAC

I know that length prepending improves security of CBC-MAC. However, wouldn't inserting the length elsewhere (middle, end or any other part of message) be equally good? After all, even the length is processed by the underlying cipher block.
TheRookierLearner
7 votes, 2 answers

OMAC/CMAC constant for different block sizes

OMAC/CMAC only specifies constants for 64-bit (0x1B) and 128-bit (0x87) block size. I would like to know how to get constants for other block sizes. http://en.wikipedia.org/wiki/CMAC says it "is the non-leading coefficients of the lexicographically…
LightBit
7 votes, 1 answer

CBC-MAC, fixed length, all blocks returned

CBC-MAC, with fixed length message. Is it safe to return all ciphered blocks instead of the last? My intuition says it is less secure, since it gives an attacker more information. But how could one attack this scheme?
danieltorres
7 votes, 2 answers

Why does the CBC-MAC require PRFs?

I'm stuck on exercise 4.19 from Introduction to Modern Cryptography. Let $F$ be a keyed function that is a secure (deterministic) MAC for messages of length $n$. (Note that $F$ need not be a pseudorandom permutation.) Show that basic CBC-MAC is…
ambiso
7 votes, 1 answer

Why is padding used in CBC mode?

I am a newbie to CBC crypto: When I try to decrypt the cipher text to recover the plain text, things are not going smoothly as I face some issues in the decryption process with padding and not obtaining the plain text finally. So I would like to know…
danny
7 votes, 1 answer

Security of a simple AEAD construction

Introduction: I want to securely communicate with a small 8-bit device which has a very limited program memory (Arduino Uno - 32K). My goal is to minimize code size and RAM usage. There are multiple alternatives I could use, but I have reasons…
Roman
6 votes, 3 answers

When do I need to use CBC and HMAC?

As I know, CBC does not provide integrity for the message, thus HMAC is used to provide integrity for CBC message. Also, I hear about CBC-MAC which can provide integrity and confidentiality. Which one is better, CBC-MAC or CBC with HMAC? And when do…
Aymn Alaney
6 votes, 2 answers

Are TLS 1.2 AES-CBC and AES-GCM Authenticated Encryption ciphersuites?

In the answer of the following post: Why was AES CBC removed in TLS 1.3?, I quote the following from the chosen answer: After the Lucky13 attack (a timing oracle caused by MAC-then-encrypt), it was thought that TLS should change ordering of the…
user9371654
6 votes, 1 answer

CBC with a fixed or random IV

I have three questions related to the use of IV within CBC mode of operation: Why, exactly, is it so bad to have a fixed (or predictable) IV in CBC mode? An example would be great! Given 1., why is a random IV better? And if the IV is "random", how…
Joe
5 votes, 1 answer

CBC encryption + CBC MAC reusing key in MAC-then-Encrypt

I'm reading the Handbook of Applied Cryptography by Alfred J. Menezes et al. Especially, I'm stuck on the case of reusing the key for CBC encryption and CBC-MAC in a MAC-then-encrypt structure. My question is: in MAC-then-encrypt structure, that…
pioneer
5 votes, 2 answers

Can AES-CBC be safely used in combination with RSA, or must it be CBC-MAC?

The plan is to encrypt files using an AES-256 in CBC mode secret key. The secret key itself will be encrypted with an RSA 2048-bit public key. Is using AES-CBC sufficiently secure if used in conjunction with RSA? Or must the files be authenticated…
DedCrypto
5 votes, 2 answers

Modifications of CBC-MAC

I'm preparing myself for an exam, but I have a lot of trouble with rigorous proofs. This post is very long, but this is because I recall here 2 long definitions. At the beginning I want to recall the definition of CBC-MAC. Let $F$ be a pseudo-random…
BiggBen1989