I can find descriptions of using CFB mode to create a MAC and even implementations, but cannot find any standard or papers analyzing its security bounds.
Is there a standard for CFB-MAC?
Where can I find an analysis of its security bounds?
Asked
Active
Viewed 1,437 times
1 Answers
4
According to Handbook of Applied Cryptography (15.3.2, ii), ANSI X9.9 (which SEJPM mentioned in the comments but I have no access to) defined CFB-MAC only as a compatible alternative to CBC-MAC:
The X9.9 MAC algorithm may be implemented using either the cipher-block chaining (CBC) or 64-bit cipher feedback (CFB-64) mode, initialized to produce the same result (see Note 15.1).
With a segment size equal to the block size (so 64 bits with DES) and using the first message block as IV, the two are indeed equivalent. So this case of CFB-MAC clearly has all the properties of CBC-MAC.
However, the first definition of CFB MAC seems to be from FIPS 81 (DES Modes of Operation, see Appendix F):
A MAC may be generated using either the CBC or the CFB mode. [...]
In CFB authentication, a message is encrypted in the normal CFB manner except that the cipher text is discarded. After encrypting the final Kbits of data and feeding the resulting cipher text back into the DES inputblock, the DES device is operated one more time and the most significant M bits of the resulting DES output block are used as the MAC.
The example shows 8-bit CFB MAC using an IV, so clearly it was defined for arbitrary CFB modes.
What remains unanswered is how the security compares to that of CBC-MAC when segment size differs from the block size. However, the use of segments is somewhat historical anyway, so it is only a curiosity.