Paper 2006/095
MAC Reforgeability
John Black and Martin Cochran
Abstract
Message Authentication Codes (MACs) are central algorithms deployed in virtually every security protocol in common usage. In these protocols, the integrity and authenticity of messages rely entirely on the security of the MAC; we examine cases in which this security is lost. In this paper, we examine the notion of “reforgeability” for MACs. We first give a definition for this new notion, then examine some of the most widely-used and well-known MACs under our definition. We show that for each of these MACs there exists an attack that allows efficient forgeries after the first one is obtained, and we show that simply making these schemes stateful is usually insufficient. For those schemes where adding state is effective, we go one step further to examine how counter misuse affects the security of the MAC, finding, in many cases, simply repeating a single counter value yields complete insecurity. These issues motivated the design of a new scheme, WMAC, which has a number of desirable properties. It is as efficient as the fastest MACs, resists counter misuse, and has tags which may be truncated to the desired length without affecting security (currently, the fastest MACs do not have this property), making it resistant to reforging attacks and arguably the best MAC for constrained environments.
Note: Updated to full version of FSE 2009 proceedings.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Message Authentication CodesBirthday AttacksProvable Security
- Contact author(s)
- Martin Cochran @ colorado edu
- History
- 2009-02-24: last of 6 revisions
- 2006-03-12: received
- See all versions
- Short URL
- https://ia.cr/2006/095
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2006/095, author = {John Black and Martin Cochran}, title = {{MAC} Reforgeability}, howpublished = {Cryptology {ePrint} Archive, Paper 2006/095}, year = {2006}, url = {https://eprint.iacr.org/2006/095} }