A message authentication code (MAC) computes for each (arbitrarily long) message $$m$$m and key k a short authentication tag which is hard to forge when k is unknown. One of the most popular ways to process m in such a scheme is to use some variant of AES in CBC mode, and to derive the tag from the final ciphertext block. In this paper, we analyze the security of several proposals of this type, and show that they are vulnerable to a new type of attack which we call almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it.
Bibliographical notePublisher Copyright:
© 2014, Springer Science+Business Media New York.
- Almost Universal Forgery
- Message authentication codes
ASJC Scopus subject areas
- Theoretical Computer Science
- Computer Science Applications
- Discrete Mathematics and Combinatorics
- Applied Mathematics