Submitted to: IP Security                                      B. Rogers
Internet Draft                                     Ascend Communications
Expires in six months                                   12 February 1998

              Use of Block Ciphers for Message Authentication

Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and working groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet Drafts as reference
   material or to cite them other than as "work in progress."

   To learn the current status of any Internet Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Australia), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   This draft describes CBC-MAC, a method for using block ciphers to
   produce message authentication codes. CBC-MAC can be used with any
   block cipher (e.g. DES, 3DES, Blowfish) in combination with a secret
   key appropriate for that cipher.
   The cryptographic strength of this authentication depends on the
   strength of the cipher, and may be influenced by other factors
   specific to the algorithm (e.g. weak keys for DES).

Introduction

   Providing a way to check the integrity of information transmitted
   over or stored in an unreliable medium is a prime necessity in the
   world of open computing and communications. Mechanisms that provide
   such an integrity check based on a secret key are usually called
   "message authentication codes" (MACs). Typically, message
   authentication codes are used between two parties that share a secret
   key in order to validate information transmitted between these
   parties.

   A method for creating MACs using block ciphers has been well known to
   the cryptographic community for quite some time [Sch96]. However,
   cryptographers tend to omit details necessary for programmers to
   produce interoperable implementations. This document is intended to
   provide those details.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].

Notation

   b1^b2          This is the bitwise exclusive or of blocks `b1' and
                  `b2'. These blocks are assumed to be the same length.

   e(k,b)         This is the result of encrypting block `b' using
                  algorithm `e' and key `k'.

   e-CBC-MAC(k,m) This is the authenticator produced by the CBC-MAC
                  algorithm given the message `m' and the key `k'. In
                  practice, `e' will be replaced by the name of a cipher
                  (e.g. 3DES-CBC-MAC).

Definition of CBC-MAC

   CBC-MAC is defined with respect to a specific shared-key block cipher
   (such as DES, 3DES or Blowfish). It produces a message authenticator
   for arbitrary octet streams which can be verified by any entity
   sharing the key of the authenticator.
   The basic algorithm is only capable of authenticating messages which
   are an integral number of blocks in length. Thus, for a given cipher
   and message, the message must be tail-padded to the next block
   boundary using all zeroes.

   Once this padding is done (producing m'), the message should be
   divided into sequential blocks P(0),...,P(n). The production of the
   authenticator can be described inductively:

      C(0)   = e(k, P(0))

      C(i+1) = e(k, P(i+1)^C(i))

   The result e-CBC-MAC(k,m) is C(n), the final block of the chain.

Discussion

   The property we look for in a "good" message authentication code is
   that another party cannot create valid codes without knowing the
   shared secret key. In this case, we need only show that it is
   "difficult" either to discover information about the key or to
   produce valid authenticators without having the key. If these two
   properties hold, the MAC will be called strong.

   While it does not make sense to compare the strength of an encryption
   algorithm directly to that of an authentication algorithm, it can be
   shown that the strength of CBC-MAC on fixed-length messages depends
   on the strength of the base cipher `e' [BKR94]. In fact, for
   messages of one fixed length, it has been proven that discovering
   information about the key, or producing valid authenticators without
   the key, is at least as difficult as compromising the key or
   generating arbitrary ciphertext-plaintext pairs within the given
   encryption algorithm.

   This is not the case for variable-length messages. The zero padding
   alone can be exploited to produce collisions in a trivial manner: a
   message and the same message with trailing zero octets appended (up
   to the block boundary) pad to the same m' and so share an
   authenticator. [BKR94] shows that CBC-MAC can also be forged when
   the length of the message is appended after the message itself,
   assuming a system exists which will authenticate arbitrary messages
   chosen by the attacker. This problem can be addressed by prepending
   the length to the message.
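   The following Go program is an added worked example, not part of the
   draft and not Ascend code. It implements e-CBC-MAC(k,m) exactly as
   defined above (zero tail padding, C(0) = e(k,P(0)),
   C(i+1) = e(k,P(i+1)^C(i)), authenticator C(n)) over DES from Go's
   standard library, then shows the two variable-length problems the
   Discussion raises: the zero-padding collision between "abc" and
   "abc\x00", and the [BKR94]-style forgery in which, given T1 for a
   one-block X and T2 for a one-block Y, the message X || (Y^T1)
   verifies under T2 without the key. It then shows that prepending the
   length defeats both. Assumptions that are this example's, not the
   draft's: the constructed DES demo key, encoding the prepended length
   as a big-endian 64-bit integer in one full block, and padding an
   empty message to a single zero block.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// xorBlocks is the draft's b1^b2 for two blocks of equal length.
func xorBlocks(b1, b2 []byte) []byte {
	out := make([]byte, len(b1))
	for i := range b1 {
		out[i] = b1[i] ^ b2[i]
	}
	return out
}

// zeroPad tail-pads m with 0x00 octets to the next block boundary (the
// draft's padding). An empty message becomes one all-zero block; the
// draft does not cover that case, so this is the example's choice.
func zeroPad(m []byte, bs int) []byte {
	padded := append([]byte{}, m...)
	if rem := len(padded) % bs; rem != 0 || len(padded) == 0 {
		padded = append(padded, make([]byte, bs-rem)...)
	}
	return padded
}

// CBCMAC is the draft's e-CBC-MAC(k,m): C(0) = e(k,P(0)),
// C(i+1) = e(k, P(i+1)^C(i)); the authenticator is the final C(n).
func CBCMAC(block cipher.Block, m []byte) []byte {
	bs := block.BlockSize()
	padded := zeroPad(m, bs)
	c := make([]byte, bs) // all-zero, so step 0 reduces to e(k, P(0))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(c, xorBlocks(padded[i:i+bs], c))
	}
	return c
}

// CBCMACLengthPrefixed prepends the octet length of m as a whole block
// before chaining, the fix the draft proposes for variable-length
// messages. The big-endian 64-bit encoding in the last eight octets of
// that block is this example's convention, not the draft's.
func CBCMACLengthPrefixed(block cipher.Block, m []byte) []byte {
	bs := block.BlockSize()
	prefix := make([]byte, bs)
	binary.BigEndian.PutUint64(prefix[bs-8:], uint64(len(m)))
	return CBCMAC(block, append(prefix, m...))
}

// Verify recomputes the authenticator with the chosen variant and
// compares in constant time, so a verifier leaks no timing information.
func Verify(mac func(cipher.Block, []byte) []byte, block cipher.Block, m, tag []byte) bool {
	return subtle.ConstantTimeCompare(mac(block, m), tag) == 1
}

// PaddingCollision: "abc" and "abc\x00" zero-pad to the same block and
// therefore share an authenticator under plain CBC-MAC.
func PaddingCollision(block cipher.Block) bool {
	t1 := CBCMAC(block, []byte("abc"))
	t2 := CBCMAC(block, []byte("abc\x00"))
	return subtle.ConstantTimeCompare(t1, t2) == 1
}

// LengthPrefixSeparates: with the length prepended the same pair gets
// distinct authenticators (the length blocks differ and e is a
// permutation, so the two chains never re-converge).
func LengthPrefixSeparates(block cipher.Block) bool {
	t1 := CBCMACLengthPrefixed(block, []byte("abc"))
	t2 := CBCMACLengthPrefixed(block, []byte("abc\x00"))
	return subtle.ConstantTimeCompare(t1, t2) == 0
}

// ExtensionForgery is the [BKR94] variable-length attack in its simplest
// form. With T1 = MAC(X) and T2 = MAC(Y) for single-block X and Y, the
// attacker submits X || (Y^T1) with tag T2. Under plain CBC-MAC this is
// accepted, because e(k, (Y^T1)^C(0)) = e(k, (Y^T1)^T1) = e(k, Y) = T2;
// under the length-prefixed variant the same attempt fails. It returns
// the forged message and whether mac accepts it under T2.
func ExtensionForgery(mac func(cipher.Block, []byte) []byte, block cipher.Block, x, y []byte) ([]byte, bool) {
	t1 := mac(block, x)
	t2 := mac(block, y)
	forged := append(append([]byte{}, x...), xorBlocks(y, t1)...)
	return forged, Verify(mac, block, forged, t2)
}

// DemoCipher returns DES (the draft's example cipher) under a constructed
// demo key. Go's crypto/des does not reject the DES weak keys the draft
// warns about, so a real implementation must screen for them itself.
func DemoCipher() cipher.Block {
	block, err := des.NewCipher([]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef})
	if err != nil {
		panic(err)
	}
	return block
}

func main() {
	block := DemoCipher()
	x, y := []byte("block-01"), []byte("block-02") // one DES block each, constructed
	fmt.Printf("DES-CBC-MAC(\"abc\")     = %x\n", CBCMAC(block, []byte("abc")))
	fmt.Printf("DES-CBC-MAC(\"abc\\x00\") = %x\n", CBCMAC(block, []byte("abc\x00")))
	fmt.Println("zero-padding collision:", PaddingCollision(block))
	forged, ok := ExtensionForgery(CBCMAC, block, x, y)
	fmt.Printf("forged %x accepted by plain CBC-MAC: %v\n", forged, ok)
	_, ok = ExtensionForgery(CBCMACLengthPrefixed, block, x, y)
	fmt.Println("same forgery accepted with length prefix:", ok)
	fmt.Println("length prefix separates the padded pair:", LengthPrefixSeparates(block))
}
```

   Note that the forgery needs no chosen-message oracle beyond two
   observed (message, authenticator) pairs, which is why the draft's
   fixed-length security argument does not carry over to variable-length
   traffic. The length-prefixed variant rejects the forgery because the
   verifier recomputes the chain from a length block the attacker did
   not author; it is not a proof that every variable-length attack is
   closed, only that the one shown here is.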
   CBC-MAC will also serve well as a pseudo-random number generator, as
   it inherits the characteristics we would like to see in such a
   function (spreading of entropy from the input string across the
   output, and irreversibility) from the same characteristics of the
   underlying block cipher. The tail vulnerability of CBC-MAC described
   above may compromise the effectiveness of this use if mutually
   hostile parties are allowed to contribute pieces to the encrypted
   string.

References

   [BKR94]    Bellare, M., Kilian, J. and P. Rogaway, "The Security of
              Cipher Block Chaining", Advances in Cryptology - CRYPTO '94
              Proceedings, Springer-Verlag, 1994.

   [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [Sch96]    Schneier, B., "Applied Cryptography: Protocols, Algorithms,
              and Source Code in C", 2nd edition, John Wiley & Sons,
              1996.

Author's Address

   Ben Rogers
   Ascend Communications
   655 Metro Place South
   Suite 370
   Dublin, OH 43017

   Phone: (614) 760-4045
   EMail: ben@ascend.com