1

I'm trying to wrap my head around how different padding methods affect the strength of CBC-MAC's. Suppose a message is split into different blocks, m1, m2, m3 etc. and the last block is padded with 0's to fill it if needed.

If the message is intercepted, why can an attacker easily create another message with the same MAC tag for the same key as the message that was intercepted?

If another message is intercepted that does not contain any padding (so it completely fills the last block), how does this make it more difficult for the attacker to create a tag that matches? Does the message need to meet any conditions for the attack to work?

If this padding method is not secure, what is a better method to secure against these attacks? Would it be more secure if the padding was just random? Not sure how that would work.

sharkyxy
  • 11
  • 1
  • 2
    How you will differentiate 10||0 to 1||00as the message. You need at least use message||10...0 padding. – kelalaka Sep 18 '19 at 08:33
  • I understand what you are saying, but does this change anything about the security of the padding? The padding method I mentioned was just a quick example, it could be padded using your method as well I suppose. – sharkyxy Sep 18 '19 at 08:44
  • 2
    @JacquesvanZyl If you use the "one and zeroes" padding kelalaka suggested and you make sure to always pad the message, even if it already fits neatly into block, then the padded message uniquely defines the unpadded one and the attack is no longer possible. – Maeher Sep 18 '19 at 09:42
  • In the zero padding an attacker can simply replace a message by a message that contains an additional zero bit or byte, and the MAC would still verify. It depends on the protocol and application if that's dangerous, but generally we want to secure any message, hence it is less secure. – Maarten Bodewes Sep 18 '19 at 23:36

0 Answers0