20

A fixed length CBC-MAC uses an all-zero block as the initialization vector.

Suppose that we used a randomized IV instead, and sent the IV along with the tag. So if the message $m$ will be $m = b_1 || b_2 || b_3 || ... || b_l$, the MAC will be $(IV, t)$ where $t$ is the authentication tag defined as normal.

Why is this method of using a randomized IV more insecure than the normal method of using an all zero IV?

(This method was used in some nCipher products, and declared insecure in nCipher Advisory #13 – see also nCipher Insecure CBC-MAC API Vulnerability.)

Paŭlo Ebermann
  • 22,656
  • 7
  • 79
  • 117
Bobby S
  • 1,943
  • 4
  • 23
  • 30
  • Welcome to Cryptography Stack Exchange. Your question was migrated here because of being not directly related to software development (the topic of Stack Overflow), and being fully on-topic here. Please register your account here, too, to be able to comment (if necessary). – Paŭlo Ebermann Oct 27 '11 at 12:24

2 Answers2

26

The nCipher Advisory #13 cited in your securityfocus.com link contains the explanation of the vulnerability (in the section "Cryptographic details").

The CBC-MAC algorithm works similar to the CBC encryption algorithm, but only outputting the final block (or a part of this). Each block of the plain text is XOR-ed with the previous ciphertext and then encrypted.

This means we XOR the first block with the initialization vector before it first comes into contact with the block cipher. So changing only the first block together with a corresponding change in the initialization vector will mean that the same value is input to the block cipher, which gives the same resulting authentication tag at the end (which does not have to be changed).

If the initialization vector is fixed as zero (or some other constant), there is no way for the attacker to change it together with the first block, and this kind of attack is not possible. As an added bonus, we have one block of data less to transfer.

Paŭlo Ebermann
  • 22,656
  • 7
  • 79
  • 117
  • 1
    The link to nCipher Advisory #13 shows a diagram in the section "Cryptographic details" that is distorted. Could you provide a better one?

    Thanks.

     – Ursa Major May 24 '16 at 05:13
0

Having in mind the answer given by Paŭlo Ebermann, I think that in order for CBC-MAC to be secure the IV needs to be a constant in the code implementation and not a parameter of the algorithm. A zero constant simplifies the things.

Renato Campos
  • 1
  • Welcome to crypto.stackexchange - I noticed that the question asked Why is this method of using a randomized IV more insecure than the normal method of using an all zero IV?, but this answer doesn't seem to address the key point of "why". Consider editing an explanation into the answer, and your answer could garner more up votes. – Ella Rose Jun 19 '19 at 13:24
  • Can you expand on how this provides different information from Paŭlo's answer? – Squeamish Ossifrage Jun 19 '19 at 20:26