One-key MAC

Appearance move to sidebar hide

One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

• The original OMAC of February 2003, which is seldom used. The preferred name is now "OMAC2".
• The OMAC1 refinement, which became an NIST recommendation in May 2005 under the name CMAC.

OMAC is free for all uses: it is not covered by any patents.

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC" and submitted to NIST. The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers. They later submitted the OMAC1 (= CMAC), a refinement of OMAC, and additional security analysis.

Algorithm

To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

1. Calculate a temporary value k0 = Ek(0).
2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: 0x1B for 64-bit, 0x87 for 128-bit, and 0x425 for 256-bit blocks.)
3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.
4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose b = 4, C = 00112, and k0 = Ek(0) = 01012. Then k1 = 10102 and k2 = 0100 ⊕ 0011 = 01112.

The CMAC tag generation process is as follows:

1. Divide message into b-bit blocks m = m1 ∥ ... ∥ mn−1 ∥ mn, where m1, ..., mn−1 are complete blocks. (The empty message is treated as one incomplete block.)
2. If mn is a complete block then mn′ = k1 ⊕ mn else mn′ = k2 ⊕ (mn ∥ 10...02).
3. Let c0 = 00...02.
4. For i = 1, ..., n − 1, calculate ci = Ek(ci−1 ⊕ mi).
5. cn = Ek(cn−1 ⊕ mn′)
6. Output t = msbℓ(cn).

The verification process is as follows:

1. Use the above algorithm to generate the tag.
2. Check that the generated tag is equal to the received tag.

Implementations

• Python implementation: see the usage of the AES_CMAC() function in "impacket/blob/master/tests/misc/test_crypto.py", and its definition in "impacket/blob/master/impacket/crypto.py"
• Ruby implementation

References

1. ^ a b Iwata, Tetsu; Kurosawa, Kaoru (2003-02-24). "OMAC: One-Key CBC MAC". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 2887. Springer, Berlin, Heidelberg. pp. 129–153. doi:10.1007/978-3-540-39887-5_11. ISBN 978-3-540-20449-7.
2. ^ a b c Iwata, Tetsu; Kurosawa, Kaoru (2003). "OMAC: One-Key CBC MAC – Addendum" (PDF). In this note, we propose OMAC1, a new choice of the parameters of OMAC-family (see for the details). Test vectors are also presented. Accordingly, we rename the previous OMAC as OMAC2. (That is to say, test vectors for OMAC2 were already shown in .) We use OMAC as a generic name for OMAC1 and OMAC2. {{cite journal}}: Cite journal requires |journal= (help)
3. ^ Dworkin, Morris (2016). "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication" (PDF). doi:10.6028/nist.sp.800-38b. {{cite journal}}: Cite journal requires |journal= (help)
4. ^ Rogaway, Phillip. "CMAC: Non-licensing". Retrieved May 27, 2020. Phillip Rogaway's statement on intellectual property status of CMAC
5. ^ Black, John; Rogaway, Phillip (2000-08-20). Advances in Cryptology – CRYPTO 2000. Springer, Berlin, Heidelberg. pp. 197–215. doi:10.1007/3-540-44598-6_12. ISBN 978-3540445982.
6. ^ Black, J; Rogaway, P. "A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
7. ^ Iwata, Tetsu; Kurosawa, Kaoru (2003-12-08). "Stronger Security Bounds for OMAC, TMAC, and XCBC". In Johansson, Thomas; Maitra, Subhamoy (eds.). Progress in Cryptology - INDOCRYPT 2003. Lecture Notes in Computer Science. Vol. 2904. Springer Berlin Heidelberg. pp. 402–415. CiteSeerX 10.1.1.13.8229. doi:10.1007/978-3-540-24582-7_30. ISBN 9783540206095.
8. ^ "Impacket is a collection of Python classes for working with network protocols.: SecureAuthCorp/impacket". 15 December 2018 – via GitHub.
9. ^ "Ruby C extension for the AES-CMAC keyed hash function (RFC 4493): louismullie/cmac-rb". 4 May 2016 – via GitHub.

External links

• RFC 4493 The AES-CMAC Algorithm
• RFC 4494 The AES-CMAC-96 Algorithm and Its Use with IPsec
• RFC 4615 The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
• OMAC Online Test
• More information on OMAC
• Rust implementation

v t e Cryptographic hash functions and message authentication codes List Comparison Known attacks Common functions MD5 (compromised) SHA-1 (compromised) SHA-2 SHA-3 BLAKE2 SHA-3 finalists BLAKE Grøstl JH Skein Keccak (winner) Other functions BLAKE3 CubeHash ECOH FSB Fugue GOST HAS-160 HAVAL Kupyna LSH Lane MASH-1 MASH-2 MD2 MD4 MD6 MDC-2 N-hash RIPEMD RadioGatún SIMD SM3 SWIFFT Shabal Snefru Streebog Tiger VSH Whirlpool Password hashing/ key stretching functions Argon2 Balloon bcrypt Catena crypt LM hash Lyra2 Makwa PBKDF2 scrypt yescrypt General purpose key derivation functions HKDF KDF1/KDF2 MAC functions CBC-MAC DAA GMAC HMAC NMAC OMAC/CMAC PMAC Poly1305 SipHash UMAC VMAC Authenticated encryption modes CCM ChaCha20-Poly1305 CWC EAX GCM IAPM OCB Attacks Collision attack Preimage attack Birthday attack Brute-force attack Rainbow table Side-channel attack Length extension attack Design Avalanche effect Hash collision Merkle–Damgård construction Sponge function HAIFA construction Standardization CAESAR Competition CRYPTREC NESSIE NIST hash function competition Password Hashing Competition Utilization Hash-based cryptography Merkle tree Message authentication Proof of work Salt Pepper

v t e Cryptography General History of cryptography Outline of cryptography Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network Mathematics Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography Category