Questions tagged [cmac]

CMAC is a block cipher-based message authentication code algorithm.

It may be used to provide assurance of the authenticity and the integrity of binary data. This mode of operation fixes security deficiencies of CBC-MAC.

CMAC is the name defined by NIST. It is also known as OMAC1, which in turn sometimes is abbreviated to OMAC (which includes OMAC1 and OMAC2 according to one of the authors of the OMAC paper).

58 questions

27 votes, 1 answer

Use cases for CMAC vs. HMAC?

Both can be used to verify the integrity of a message. Assuming you have the needed primitives available to you (i.e. the code space of needing both a cipher and a hash function isn't prohibitive), is there any reason to prefer one over another? In…
Alex Gaynor

15 votes, 1 answer

Difference between CBC-MAC and CMAC

According to Wikipedia, CMAC is based on a variation of CBC-MAC and fixes some security deficiencies in it. However, I could not find a simple and clear explanation of what the differences between the two algorithms actually are, so I thought I'd…
enigma

12 votes, 0 answers

Do CCM and EAX provide key commitment?

In an interesting paper called "Partitioning Oracle Attacks" by Julia Len, Paul Grubbs & Thomas Ristenpart an attack is presented on 1.5 pass AEAD schemes that utilize GMAC (GCM, AES-GCM, AES-GCM-SIV) and Poly1305 which is often used with a…
Maarten Bodewes

9 votes, 1 answer

Side channel security of HMAC in software

Assume we have a processor with a symmetric co-processor that supports AES. This processor does however not provide co-processor support for hash algorithms such as SHA-1 or SHA-256. I've got the following strongly related questions: Would an HMAC…
Maarten Bodewes

7 votes, 2 answers

What are the implications of a birthday attack on a HMAC?

After collecting approximately $2^{n/2}$ message-tag pairs a collision can be observed. So two different messages (m1 and m2) will have the same tag. This paper states: Then, for any string x, (m1,x) and (m2,x) have the same tags (with high…
Logan

6 votes, 2 answers

Can CMAC be used as a 128bit Key Derivation Function?

I want to derive a key a number of times for a deterministic scenario, where I can get n keys from a single one. The logic looks something like this: masterKey = random 128-bit For i from 0 to n: let key[i] = CMAC(masterKey, i) Is this a proper…
shewa

6 votes, 1 answer

Difference between AES CMAC and AES HMAC?

Can someone elaborate on how 'signing' is done using AES-CMAC and AES-HMAC? HMAC Signing as I understand: Compute the HMAC( Hash the key and the input concatenated in a special way) Verification: Verify if for the given input and secret key the…
user907810

5 votes, 1 answer

AES - CCM, why not use CMAC inside instead of CBC-MAC?

I was reading up on AES-CMAC when I learned that this basically is an improved and more robust version of CBC-MAC, with the ability to safely have variable-length messages. Difference between CBC-MAC and CMAC The AES-CCM uses AES in counter-mode,…
Martin Aa S

5 votes, 1 answer

Should AES-CMAC key cryptoperiod be affected by MAC truncation to avoid birthday-attacks?

Given a 128-bit key used for authentication based on AES-CMAC, the NIST 800-38B recommendations suggest at least two criteria for a good key cryptoperiod: after 'MaxInvalids' error messages the key should be retired (considering the MAC truncation…
gentooise

5 votes, 1 answer

Robust CMAC-based key derivation function

I need to select a function that will be used as a key derivation function (KDF) and pseudorandom function (PRF) in contexts that I haven't anticipated. It will run on very low-end devices (think potato-powered IoT sensor with a bulk cost of a…

4 votes, 2 answers

Any point using CMAC with AES-256?

As we know, AES-256 is a block cipher with 256-bit key and 128-bit block size. The CMAC message authentication code outputs tag length equal to block cipher block size - thus 128 bits with AES. And this provides an assurance that only 1 in 2^128…
DannyNiu

4 votes, 1 answer

Is CMAC vulnerable to length extension attacks?

Given $m_1, m_2$ such that $MAC_k(m_1) = MAC_k(m_2)$ is it possible to construct more collisions with pairs of the form $m_1|x, m_2|x$? Here is the CMAC picture from Wikipedia where it is only part of the one-key MAC article: I don't see how it…
Elias

3 votes, 1 answer

CMAC - how is ambiguity resolved?

To avoid the dummy padding block, CMAC uses 2 separate keys K1 & K2. If padding is required, the final block is padded & then XORed with K1. If no padding is required, then it's XORed with K2. I understand how this avoids the extension attack.…
user93353

3 votes, 1 answer

MAC size: Should MAC be shorter than cipher block size?

Many sources claim that (if possible) a length of MAC should be as long as possible. So it should have the same size as size of the block of used cipher. However there is the following note in Bouncy Castle source codes (CMac.java): "Note: the size…
Quark

3 votes, 1 answer

Is this MAC-then-encrypt scheme secure?

I have the following requirements: 64 bits (8 bytes) of data ($D$) that requires confidentiality and integrity; the data itself is a nonce, never need to authenticate/encrypt the same value twice (e.g. a counter); I can only use AES cipher…
gentooise