Score:0

Is CMAC secure without IV and the same key? (authenticate only)


I am a bit unsure about CMAC and GMAC and maybe someone can help me. As far as I know, CMAC does not use an IV [SP 800-38B ch. 6.2]. Is it then secure if I use the same key for different messages? ...and why do I need an IV for GMAC? What happens here if I reuse the IV and the same key?

In my case I don't encrypt any messages, I just create a MAC which I attach to the message (plaintext). Is this vulnerable?

...With UMAC, VMAC or Poly1305 I also read that a (key, nonce) tuple may only be used once. But with OpenSSL I can't specify a nonce with Poly1305. ...somehow all this confuses me.

Score:2

Is it then secure if I use the same key for different messages?

Sure; it wouldn't be a very good MAC if a key could be used for a single message.

and why do I need an IV for GMAC?

Because CMAC and GMAC have different internals.

With CMAC, what you do is mostly the same computation as a CBC-mode encryption, except that you retain only the last block (and that's the MAC). I said mostly because if you just do this operation (which is known as CBC-MAC), this would allow the attacker to play some games with extending the message - to prevent that, CMAC XORs in some secret data with the last block, foiling such games.

The reason we ask the IV to be different (and unpredictable) in CBC mode is so that the initial block doesn't leak information; CMAC doesn't output the initial CBC-mode block (unless the message fits in one block, and even if so, the XOR of the secret data will prevent any such leakage), and so CMAC doesn't share the concern about IVs.


As for GMAC, well, that is entirely different; with that, you logically convert the message into the coefficients of a polynomial $M_k, M_{k-1}, ..., M_1$; then you convert the IV into the constant term $M_0$ in a secret key, and then evaluate the polynomial (in a finite field) at a secret point $H$, that is, you compute:

$$M_kH^k + M_{k-1}H^{k-1} + ... + M_1 H^1 + M_0$$

and that's the MAC. Note that the attacker knows everything, except for the secret values $H$ (which is constant for a given key) and $M_0$ (and the latter depends on the IV).

Now, if you have two MACs for two different messages with the same IV, the $M_0$ values will be the same; you can subtract them out and then solve for $H$ - that gives you all the secrets, and so you can generate messages with valid MAC values at will.

And, at the rather high level I described things, Poly1305 works the same way (and so shares the same weakness for repeating IVs).

In my case I don't encrypt any messages, I just create a MAC which I attach to the message (plaintext). Is this vulnerable?

Any good MAC would be fine - that really is the use case that a MAC is supposed to address [1]. CMAC is fine - GMAC and Poly1305 would also be fine if you avoid repeating IVs.

[1]: Assuming, of course, that the sender and the receiver share the same secret key - if you need something where the receiver cannot generate valid-looking messages, you'll need to look at signatures.

many many thanks. You have helped me a lot. Have a nice day and stay healthy :)
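A toy model of the polynomial MAC the answer above describes, added here as an example and not part of the original answer or of any real GMAC implementation: the field is GF(p) for a Mersenne prime instead of GF(2^128), and the block-cipher calls that produce $H$ and $M_0$ are stood in for by HMAC-SHA256 (both are assumptions made so the script runs with the standard library alone). It shows that under one key a fresh nonce keeps the $M_0$ mask in play, while a repeated nonce lets the mask cancel out of a tag pair.

```python
import hashlib
import hmac
import secrets

# Toy field GF(p), p a Mersenne prime, standing in for GMAC's GF(2^128).
P = (1 << 61) - 1


def _prf(key: bytes, label: bytes) -> int:
    """Constructed stand-in for a block-cipher call E_K(label), reduced into GF(p)."""
    digest = hmac.new(key, label, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % P


def derive_h(key: bytes) -> int:
    """Secret evaluation point H: fixed for a given key, like E_K(0) in GMAC."""
    return _prf(key, b"H-point")


def poly_mac(key: bytes, nonce: bytes, blocks: list) -> int:
    """tag = M_k H^k + ... + M_1 H + M_0 (mod p), with M_0 = E_K(nonce).

    blocks[0] is M_k (highest degree), blocks[-1] is M_1; Horner evaluation."""
    h = derive_h(key)
    acc = 0
    for m in blocks:
        acc = (acc * h + m) % P
    acc = (acc * h) % P  # now sum_{i>=1} M_i H^i
    return (acc + _prf(key, b"IV:" + nonce)) % P


def h_from_tag_pair(tag_a: int, m_a: int, tag_b: int, m_b: int) -> int:
    """Two single-block messages under the SAME key and nonce share M_0, so
    tag_a - tag_b = (m_a - m_b) * H and H falls out of one field division.
    Under different nonces the M_0 terms differ and the result is unrelated to H."""
    return ((tag_a - tag_b) * pow((m_a - m_b) % P, P - 2, P)) % P


def demo() -> dict:
    """Constructed key, nonce and message blocks for the two scenarios."""
    key = secrets.token_bytes(32)
    m_a, m_b = 0x12345678, 0x0BADF00D
    nonce = b"\x00" * 12
    t_a = poly_mac(key, nonce, [m_a])
    t_b = poly_mac(key, nonce, [m_b])          # same key AND same nonce
    t_c = poly_mac(key, b"\x01" * 12, [m_b])   # same key, fresh nonce
    return {
        "h": derive_h(key),
        "h_from_reuse": h_from_tag_pair(t_a, m_a, t_b, m_b),  # equals h
        "h_from_fresh": h_from_tag_pair(t_a, m_a, t_c, m_b),  # does not
    }
```

Real GMAC works in GF(2^128) with a 128-bit $H$, so the same cancellation is what turns IV reuse under one key into a loss of the whole authentication key.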
Score:0

I am a bit unsure about CMAC and GMAC, and maybe someone can help me. As far as I know, CMAC does not use an IV [SP 800-38B ch. 6.2]. Is it then secure if I use the same key for different messages? ...and why do I need an IV for GMAC? What happens here if I reuse the IV and the same key?

The two constructions use two different underlying building blocks/logic. Therefore they have different security requirements. Namely:

  1. CMAC: We can abstractly describe CMAC as a construction that builds a secure PRF for variable-length inputs. Why? Because secure PRFs are also secure MACs. But to deal with the variable length, CMAC imposes that the actual input to the MAC function is prefix-free, i.e. (w.l.o.g.) there are no inputs $x,y$ such that $y$ starts with $x$. However, in CMAC, this requirement is not absolute; instead, a randomized encoding scheme is used, ensuring that lack of prefix-freeness happens with very low probability. So, in short, an abstract version of CMAC uses a randomized prefix-free encoding $e$ with a key $k_1$, and a secure PRF for long but prefix-free inputs $F$ with a key $k$. On a message $m$, the MAC is computed as $\tau = F(k, e(m,k_1))$.
     • For the actual details and key derivation, refer to the standard you've also referenced.
  2. GMAC: See the first answer for details.

Therefore, we can see that CMAC does not require any IV, while GMAC does and more importantly, security depends on not reusing the IV.

As for OpenSSL, it may be useful to see how they use Poly1305 themselves? Perhaps in chacha20_poly1305

Thank you for the reply and your valuable time. :)