One-key MAC

Template:Short description Template:Redirect One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

• The original OMAC of February 2003, which is rarely used.<ref name=omac03/> The preferred name is now "OMAC2".<ref name=omac1/>
• The OMAC1 refinement,<ref name=omac1/> which became an NIST recommendation in May 2005 under the name CMAC.<ref>Template:Cite journal</ref>

OMAC is free for all uses: it is not covered by any patents.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

HistoryEdit

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC"<ref>Template:Cite book</ref> and submitted to NIST.<ref>Template:Cite journal</ref> The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers.<ref name=omac03>Template:Cite book</ref> They later submitted the OMAC1 (= CMAC),<ref name=omac1>Template:Cite journal</ref> a refinement of OMAC, and additional security analysis.<ref>Template:Cite book</ref>

AlgorithmEdit

File:CMAC - Cipher-based Message Authentication Code.pdf

To generate an Template:Mvar-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k₁ and k₂) using the following algorithm (this is equivalent to multiplication by x and x² in a finite field GF(2^b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

1. Calculate a temporary value k₀ = E_k(0).
2. If msb(k₀) = 0, then k₁ = k₀ ≪ 1, else k₁ = (k₀ ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: Template:Mono for 64-bit, Template:Mono for 128-bit, and Template:Mono for 256-bit blocks.)
3. If Template:Math, then Template:Math, else Template:Math.
4. Return keys (k₁, k₂) for the MAC generation process.

As a small example, suppose Template:Math, Template:Math, and Template:Math. Then Template:Math and Template:Math.

The CMAC tag generation process is as follows:

1. Divide message into b-bit blocks Template:Math, where m₁, ..., m_n−1 are complete blocks. (The empty message is treated as one incomplete block.)
2. If m_n is a complete block then Template:Math else Template:Math.
3. Let Template:Math.
4. For Template:Math, calculate Template:Math.
5. Template:Math
6. Output Template:Math.

The verification process is as follows:

1. Use the above algorithm to generate the tag.
2. Check that the generated tag is equal to the received tag.

VariantsEdit

CMAC-C1<ref>Template:Cite book</ref> is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

ImplementationsEdit

• Python implementation: see the usage of the AES_CMAC() function in "impacket/blob/master/tests/misc/test_crypto.py", and its definition in "impacket/blob/master/impacket/crypto.py"<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

• Ruby implementation<ref>{{#invoke:citation/CS1|citation

|CitationClass=web }}</ref>

ReferencesEdit

Template:Reflist

External linksEdit

• Template:IETF RFC The AES-CMAC Algorithm
• Template:IETF RFC The AES-CMAC-96 Algorithm and Its Use with IPsec
• Template:IETF RFC The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
• OMAC Online Test
• More information on OMAC
• Rust implementation

Template:Cryptography navbox