I'm reading a protocol specification where the procedure is to generate a CMAC,
ID: 647592
Question
I'm reading a protocol specification where the procedure is to generate a CMAC, take the first 4 bytes of it, append this authentication tag to the message and then encrypt the message + CMAC together with another key using CTR mode encryption. Both CMAC and CTR mode are defined to use the AES-128 block cipher. A separate key is used for CMAC authentication and CTR encryption. Does encrypting the MAC add any extra security? Shouldn't CMAC be already "secure" by itself? Is this a typical approach for doing encryption + integrity verification?

Explanation / Answer
No, this is not a typical way to go.
Actually Encrypt-then-MAC would be the best way to go, attaching the MAC (in this case a CMAC) as is to the encrypted data.
Before starting the decryption, you would first check the MAC. Even in this setup, two different keys - one for the AES encryption and one for the CMAC - should be used.
Finally, I am confused about the AES128-CBC-CTR - normally it is either CBC or CTR.