I've just read about CBC-MAC for the authentication of arbitrary length messages. In particular I cannot figure out why appending the message length before computing the MAC yields a non-secure MAC. I've already read other topics on crypto about this problem, but I did not find a rigorous proof.
Viewed 3,623 times
1 Answer
I'll give you a hint, and you can work out the details yourself.
Take any $m_1,m_2,m_3$ of length $n$ (where $n$ is the block length), with $m_1\neq m_2$. Query the oracle with $m_1$, then query the oracle with $m_2$, and finally query the oracle with $m_1\|n\|m_3$.
Work through this, and you can find a message and its forgery.
Yehuda Lindell
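Working the hint above through against a toy implementation of the appended-length CBC-MAC, as an added example that is not part of the original answer. Assumptions: the block cipher $F_k$ is stood in for by HMAC-SHA256 truncated to one block (the forgery only uses the CBC chaining, not the primitive), and the key and messages are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16  # block length n, in bytes (n = 128 bits)

def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher F_k: HMAC-SHA256 truncated to one block.
    Assumption: any keyed n-bit-to-n-bit PRF works here, because the forgery
    exploits only the CBC chaining, not the primitive."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def length_block(msg: bytes) -> bytes:
    """Encoding of the message length (in bits) as a single block."""
    return (8 * len(msg)).to_bytes(BLOCK, "big")

def cbc_mac_append_len(key: bytes, msg: bytes) -> bytes:
    """The insecure variant from the question: CBC-MAC over msg || |msg|."""
    assert len(msg) % BLOCK == 0
    data = msg + length_block(msg)
    chain = bytes(BLOCK)  # zero IV
    for i in range(0, len(data), BLOCK):
        chain = prf(key, xor(chain, data[i:i + BLOCK]))
    return chain

def forge(tag_oracle, m1: bytes, m2: bytes, m3: bytes):
    """Lindell's three queries, worked out. Because the length is appended,
    t1 = tag(m1) is exactly the chaining value after processing m1 || n inside
    the longer message m1 || n || m3, and likewise t2 for m2 || n. Swapping
    m1 for m2 and m3 for m3 xor t1 xor t2 re-creates the same chaining value,
    so the tag t3 also verifies on a message that was never queried."""
    n = length_block(m1)            # the block encoding n, as in the hint
    t1, t2 = tag_oracle(m1), tag_oracle(m2)
    t3 = tag_oracle(m1 + n + m3)
    return m2 + n + xor(m3, xor(t1, t2)), t3

def demo():
    key = b"constructed-demo-key"   # constructed; any key shows the same effect
    m1, m2, m3 = b"A" * BLOCK, b"B" * BLOCK, b"C" * BLOCK
    queried = {m1, m2, m1 + length_block(m1) + m3}
    forged_msg, forged_tag = forge(lambda m: cbc_mac_append_len(key, m), m1, m2, m3)
    verifies = hmac.compare_digest(cbc_mac_append_len(key, forged_msg), forged_tag)
    return verifies, forged_msg not in queried  # expected: (True, True)
```

The same three queries fail against the secure fix, prepending the length block, because the tag of a short message is then no longer a chaining value inside a longer one.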