In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code (MAC) from a block cipher. The message is encrypted with some block cipher algorithm in cipher block chaining (CBC) mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
To calculate the CBC-MAC of message , one encrypts in CBC mode with zero
initialization vector
and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks
using a secret key and a block cipher :
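The computation described above, as an added Python example that is not part of the original page. The 4-round Feistel `encrypt_block` is a toy stand-in for a real block cipher (an assumption made so the code runs with the standard library only), all function names are hypothetical, and the key and messages are constructed samples. It goes one step beyond the computation to check the fixed-length restriction discussed in the security section.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes of the stand-in cipher

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation; an assumption, not a real cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """CBC-encrypt with an all-zero IV and keep only the last block."""
    if not message or len(message) % BLOCK:
        raise ValueError("message must be a non-empty whole number of blocks")
    state = bytes(BLOCK)  # zero initialization vector
    for off in range(0, len(message), BLOCK):
        state = encrypt_block(key, xor(state, message[off:off + BLOCK]))
    return state

def verify_fixed_length(key: bytes, message: bytes, tag: bytes, n_blocks: int) -> bool:
    """Accept a tag only for the single message length this key is used for."""
    if len(message) != n_blocks * BLOCK:
        return False
    return hmac.compare_digest(cbc_mac(key, message), tag)

def demo() -> dict:
    key = b"constructed-key!"                      # constructed sample key
    m1 = b"PAY 0010 TO ALICE".ljust(32, b".")      # constructed 2-block messages
    m2 = b"PAY 0020 TO BOB".ljust(32, b".")
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    # m1, then the first block of m2 XORed with t1, then the rest of m2.
    spliced = m1 + xor(m2[:BLOCK], t1) + m2[BLOCK:]
    return {
        "spliced_tag_equals_t2": cbc_mac(key, spliced) == t2,
        "fixed_length_rejects_spliced": not verify_fixed_length(key, spliced, t2, 2),
        "fixed_length_accepts_m2": verify_fixed_length(key, m2, t2, 2),
    }

if __name__ == "__main__":
    print(demo())
```

A verifier that compares tags without the length check accepts the four-block spliced message under the tag of `m2`; `verify_fixed_length` does not.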
Security with fixed and variable-length messages
If the block cipher used is secure (meaning that it is a pseudorandom permutation), then CBC-MAC is secure for fixed-length messages [M. Bellare, J. Kilian and P. Rogaway. The security of the cipher block chaining message authentication code. JCSS 61(3):362–399, 2000]. However, by itself, it is not secure for variable-length messages. Thus, any single key must only be used for messages of a fixed and known length. This is because an attacker who knows the correct message-tag (i.e. CBC-MAC) pairs for two messages
and
can generate a third message
whose CBC-MAC will also be
. This is simply done by XORing the first block of
with and then concatenating with this modified
; i.e., by making