Re: Generic CBC-MAC specification
Actually, the extra encryption of the last block was defined in
ANSI X9.19 (retail MAC for things like ATM transactions).
A recent paper by Bellare and Rogaway proves that this approach
does indeed provide the optimum amount of extra security.
Regards,
Rich
----------
> From: Theodore Y. Ts'o <tytso@MIT.EDU>
> To: FUKUMOTO Atsushi <fukumoto@isl.rdc.toshiba.co.jp>
> Cc: ipsec@tis.com
> Subject: Re: Generic CBC-MAC specification
> Date: Thursday, February 12, 1998 2:48 PM
>
> Date: Thu, 12 Feb 1998 17:59:36 +0900
> From: FUKUMOTO Atsushi <fukumoto@isl.rdc.toshiba.co.jp>
>
> The only description I could find of CBC-MAC in "Applied Cryptography
> 2nd ed." (first printing) is on p. 456, where it says:
>
> [...] encrypt a message with a block algorithm in CBC or CFB
> modes. The hash is the last encrypted block, encrypted once
> more in CBC or CFB modes.
>
> This last line, "encrypted once more in CBC or CFB modes", seems to be
> different from FIPS81 Appendix F, or Mr. Rogers' CBC-MAC draft.
>
> So my question is, am I right that the description of Applied
> Cryptography is wrong, and the "encrypted once more" should only be
> applied to CFB mode?
>
> If Applied Crypto says this, Applied Crypto is wrong....
>
> - Ted