Login
Login

One-key MAC

{{Short description|Message authentication code algorithm}}

{{redirect|CMAC}}

One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

  • The original OMAC of February 2003, which is rarely used. The preferred name is now "OMAC2".
  • The OMAC1 refinement, which became an NIST recommendation in May 2005 under the name CMAC.{{Cite journal|last=Dworkin|first=Morris|title=Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf|doi=10.6028/nist.sp.800-38b|year=2016|doi-access=free}}

OMAC is free for all uses: it is not covered by any patents.{{cite web |url=http://www.cs.ucdavis.edu/~rogaway/xcbc/ip.html |title=CMAC: Non-licensing |last=Rogaway |first=Phillip |access-date=May 27, 2020 |quote=Phillip Rogaway's statement on intellectual property status of CMAC}}

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC"{{Cite book|title=Advances in Cryptology – CRYPTO 2000|last1=Black|first1=John|last2=Rogaway|first2=Phillip|date=2000-08-20|publisher=Springer, Berlin, Heidelberg|isbn=978-3540445982|pages=197–215|language=en|doi=10.1007/3-540-44598-6_12}} and submitted to NIST.{{Cite journal|last1=Black|first1=J|last2=Rogaway|first2=P|title=A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC|url=https://web.cs.ucdavis.edu/~rogaway/papers/xcbc.pdf}} The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers.{{Cite book|title=Fast Software Encryption|volume = 2887|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|date=2003-02-24|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-20449-7|pages=129–153|language=en|chapter=OMAC: One-Key CBC MAC|doi=10.1007/978-3-540-39887-5_11|series = Lecture Notes in Computer Science}} They later submitted the OMAC1 (= CMAC),{{Cite journal|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|year=2003|title=OMAC: One-Key CBC MAC – Addendum|url=http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf|quote=In this note, we propose OMAC1, a new choice of the parameters of OMAC-family (see [4] for the details). Test vectors are also presented. Accordingly, we rename the previous OMAC as OMAC2. (That is to say, test vectors for OMAC2 were already shown in [3].) We use OMAC as a generic name for OMAC1 and OMAC2.}} a refinement of OMAC, and additional security analysis.{{Cite book|url=https://archive.org/details/progresscryptolo00joha|url-access=limited|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|title=Progress in Cryptology - INDOCRYPT 2003 |date=2003-12-08|publisher=Springer Berlin Heidelberg|isbn=9783540206095|editor-last=Johansson|editor-first=Thomas|series=Lecture Notes in Computer Science|volume=2904 |pages=[https://archive.org/details/progresscryptolo00joha/page/n412 402]–415|language=en|chapter=Stronger Security Bounds for OMAC, TMAC, and XCBC|doi=10.1007/978-3-540-24582-7_30|editor-last2=Maitra|editor-first2=Subhamoy|citeseerx = 10.1.1.13.8229}}

Algorithm

Image:CMAC - Cipher-based Message Authentication Code.pdf

To generate an {{mvar|ℓ}}-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

  1. Calculate a temporary value k0 = Ek(0).
  2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: {{mono|0x1B}} for 64-bit, {{mono|0x87}} for 128-bit, and {{mono|0x425}} for 256-bit blocks.)
  3. If {{math|1=msb(k1) = 0}}, then {{math|1=k2 = k1 ≪ 1}}, else {{math|1=k2 = (k1 ≪ 1) ⊕ C}}.
  4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose {{math|1=b = 4}}, {{math|1=C = 00112}}, and {{math|1=k0 = Ek(0) = 01012}}. Then {{math|1=k1 = 10102}} and {{math|1=k2 = 0100 ⊕ 0011 = 01112}}.

The CMAC tag generation process is as follows:

  1. Divide message into b-bit blocks {{math|1=m = m1 ∥ ... ∥ mn−1mn}}, where m1, ..., mn−1 are complete blocks. (The empty message is treated as one incomplete block.)
  2. If mn is a complete block then {{math|1=mn′ = k1mn}} else {{math|1=mn′ = k2 ⊕ (mn ∥ 10...02)}}.
  3. Let {{math|1=c0 = 00...02}}.
  4. For {{math|1=i = 1, ..., n − 1}}, calculate {{math|1=ci = Ek(ci−1mi)}}.
  5. {{math|1=cn = Ek(cn−1mn′)}}
  6. Output {{math|1=t = msb(cn)}}.

The verification process is as follows:

  1. Use the above algorithm to generate the tag.
  2. Check that the generated tag is equal to the received tag.

Variants

CMAC-C1{{Cite book |last1=Bhaumik |first1=Ritam |last2=Chakraborty |first2=Bishwajit |last3=Choi |first3=Wonseok |last4=Dutta |first4=Avijit |last5=Govinden |first5=Jérôme |last6=Shen |first6=Yaobin |chapter=The Committing Security of MACs with Applications to Generic Composition |series=Lecture Notes in Computer Science |date=2024 |volume=14923 |editor-last=Reyzin |editor-first=Leonid |editor2-last=Stebila |editor2-first=Douglas |title=Advances in Cryptology – CRYPTO 2024 |chapter-url=https://link.springer.com/chapter/10.1007/978-3-031-68385-5_14 |language=en |location=Cham |publisher=Springer Nature Switzerland |pages=425–462 |doi=10.1007/978-3-031-68385-5_14 |isbn=978-3-031-68385-5}} is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

Implementations

  • Python implementation: see the usage of the AES_CMAC() function in "[https://github.com/SecureAuthCorp/impacket/blob/master/tests/misc/test_crypto.py impacket/blob/master/tests/misc/test_crypto.py]", and its definition in "[https://github.com/SecureAuthCorp/impacket/blob/master/impacket/crypto.py#L94 impacket/blob/master/impacket/crypto.py]"{{cite web|url=https://github.com/SecureAuthCorp/impacket|title=Impacket is a collection of Python classes for working with network protocols.: SecureAuthCorp/impacket|date=15 December 2018|via=GitHub}}
  • Ruby implementation{{cite web|url=https://github.com/louismullie/cmac-rb|title=Ruby C extension for the AES-CMAC keyed hash function (RFC 4493): louismullie/cmac-rb|date=4 May 2016|via=GitHub}}

References

{{Reflist}}

External links

  • {{IETF RFC|4493|link=no}} The AES-CMAC Algorithm
  • {{IETF RFC|4494|link=no}} The AES-CMAC-96 Algorithm and Its Use with IPsec
  • {{IETF RFC|4615|link=no}} The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  • OMAC [https://web.archive.org/web/20150223220648/http://adder.demo.iworks.ro/Go/OMAC/ Online Test]
  • [http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html More information on OMAC]
  • [https://github.com/RustCrypto/MACs/tree/master/cmac Rust implementation]

{{Cryptography navbox | hash}}

Category:Message authentication codes

Category:Finite fields