
To avoid the dummy padding block, CMAC uses 2 separate keys K1 & K2. If padding is required, the final block is padded & then XORed with K1. If no padding is required, then it's XORed with K2. I understand how this avoids the extension attack. However, at the verification side, how does Bob know whether the final block was XORed with K1 or K2?

user93353

1 Answer


However, at the decryption side, after decrypting the final block, how does Bob know whether the final block was XORed with K1 or K2?

CMAC is not an encryption scheme but a MAC - and more precisely a PRF - by design. As such, the input you get during authentication is a subset of the input you get during verification. In particular, during authentication you get the message and the key $(k,m)$, and during verification you additionally get a transmitted authentication tag $(k,m,\tau)$.

Verification then works by computing the MAC on $(k,m)$ yourself and checking the result against $\tau$. As you now have the message to be authenticated yourself, you can use the same decision strategy as the original signer to decide which key to use for the final block.

SEJPM
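The recomputation described in the answer, as an added example that is not part of the question or answer above. The code is a from-scratch AES-CMAC in Go using only the standard library (Go ships AES but no CMAC, so the subkey derivation, padding and chaining are written out here); the function names `CMAC`, `Verify` and `CMACHex` are this example's own. It follows the labelling of RFC 4493, where K1 masks a complete final block and K2 a padded one, and the key and messages are the RFC 4493 test vectors. The point to watch is that `CMAC` picks K1 or K2 from `len(msg)` alone, so `Verify`, which has the same message, makes the same choice without any signal from the signer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

func xor(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl is the CMAC doubling step: multiply the block by x in GF(2^128),
// i.e. shift left one bit and XOR in 0x87 if the top bit fell off.
func dbl(in []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[blockSize-1] ^= 0x87
	}
	return out
}

// subkeys derives K1 = dbl(E_K(0)) and K2 = dbl(K1), as in RFC 4493.
func subkeys(c cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	c.Encrypt(l, l) // L = E_K(0^128)
	k1 = dbl(l)
	return k1, dbl(k1)
}

// CMAC computes AES-CMAC(key, msg). The K1/K2 choice is a function of
// len(msg) only: a complete final block gets K1, a short or empty one is
// padded with 10..0 and gets K2. The verifier has msg too, so it makes
// exactly the same choice without being told which subkey was used.
func CMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := subkeys(c)
	n := len(msg)
	var last []byte
	if n > 0 && n%blockSize == 0 {
		last = xor(msg[n-blockSize:], k1) // complete block, no padding
		msg = msg[:n-blockSize]
	} else {
		start := n - n%blockSize
		padded := make([]byte, blockSize)
		copy(padded, msg[start:])
		padded[n-start] = 0x80 // 10..0 padding
		last = xor(padded, k2)
		msg = msg[:start]
	}
	x := make([]byte, blockSize) // CBC-MAC chaining value, IV = 0
	for len(msg) > 0 {
		c.Encrypt(x, xor(x, msg[:blockSize]))
		msg = msg[blockSize:]
	}
	c.Encrypt(x, xor(x, last))
	return x, nil
}

// Verify recomputes the tag from (key, msg) and compares in constant time.
func Verify(key, msg, tag []byte) bool {
	expected, err := CMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, tag) == 1
}

// CMACHex is a hex-string wrapper around CMAC for the examples below.
func CMACHex(keyHex, msgHex string) string {
	key, _ := hex.DecodeString(keyHex)
	msg, _ := hex.DecodeString(msgHex)
	tag, err := CMAC(key, msg)
	if err != nil {
		return ""
	}
	return hex.EncodeToString(tag)
}

func main() {
	// Key and messages from the RFC 4493 test vectors.
	key := "2b7e151628aed2a6abf7158809cf4f3c"
	m16 := "6bc1bee22e409f96e93d7e117393172a"                        // complete block -> K1
	m40 := m16 + "ae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411" // 8-byte tail -> K2
	fmt.Println(CMACHex(key, m16)) // 070a16b46b4d4144f79bdd9dd04a287c
	fmt.Println(CMACHex(key, m40)) // dfa66747de9ae63030ca32611497c827
	// Without two subkeys, a 15-byte message and that message with 0x80
	// appended would share a CBC-MAC; with K1/K2 the tags differ.
	m15 := m16[:30]
	fmt.Println(CMACHex(key, m15) == CMACHex(key, m15+"80")) // false
}
```

The last line of `main` is the extension case the question alludes to: padding a 15-byte message produces the same 16-byte block as the 16-byte message that already ends in 0x80, and it is only the K1-versus-K2 mask, chosen from the length, that keeps their tags apart.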