One-key MAC
Template:Short description Script error: No such module "redirect hatnote". One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:
- The original OMAC of February 2003, which is rarely used.[1] The preferred name is now "OMAC2".[2]
- The OMAC1 refinement,[2] which became an NIST recommendation in May 2005 under the name CMAC.[3]
OMAC is free for all uses: it is not covered by any patents.[4]
History
The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC"[5] and submitted to NIST.[6] The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.
Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers.[1] They later submitted the OMAC1 (= CMAC),[2] a refinement of OMAC, and additional security analysis.[7]
Algorithm
File:CMAC - Cipher-based Message Authentication Code.pdf
To generate an Template:Mvar-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:
- Calculate a temporary value k0 = Ek(0).
- If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: Template:Mono for 64-bit, Template:Mono for 128-bit, and Template:Mono for 256-bit blocks.)
- If Template:Math, then Template:Math, else Template:Math.
- Return keys (k1, k2) for the MAC generation process.
As a small example, suppose Template:Math, Template:Math, and Template:Math. Then Template:Math and Template:Math.
The CMAC tag generation process is as follows:
- Divide message into b-bit blocks Template:Math, where m1, ..., mn−1 are complete blocks. (The empty message is treated as one incomplete block.)
- If mn is a complete block then Template:Math else Template:Math.
- Let Template:Math.
- For Template:Math, calculate Template:Math.
- Template:Math
- Output Template:Math.
The verification process is as follows:
- Use the above algorithm to generate the tag.
- Check that the generated tag is equal to the received tag.
Variants
CMAC-C1[8] is a variant of CMAC that provides additional commitment and context-discovery security guarantees.
Implementations
- Python implementation: see the usage of the
AES_CMAC()function in "impacket/blob/master/tests/misc/test_crypto.py", and its definition in "impacket/blob/master/impacket/crypto.py"[9] - Ruby implementation[10]
References
External links
- Template:IETF RFC The AES-CMAC Algorithm
- Template:IETF RFC The AES-CMAC-96 Algorithm and Its Use with IPsec
- Template:IETF RFC The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
- OMAC Online Test
- More information on OMAC
- Rust implementation
- ↑ a b Script error: No such module "citation/CS1".
- ↑ a b c Script error: No such module "Citation/CS1".
- ↑ Script error: No such module "Citation/CS1".
- ↑ Script error: No such module "citation/CS1".
- ↑ Script error: No such module "citation/CS1".
- ↑ Script error: No such module "Citation/CS1".
- ↑ Script error: No such module "citation/CS1".
- ↑ Script error: No such module "citation/CS1".
- ↑ Script error: No such module "citation/CS1".
- ↑ Script error: No such module "citation/CS1".