One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

  • The original OMAC of February 2003, which is rarely used.

OMAC is free for all uses: it is not covered by any patents.

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC" and submitted to NIST. The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers. They later submitted the OMAC1 (= CMAC), a refinement of OMAC, and additional security analysis.

Algorithm

|800px

To generate an -bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k<sub>1</sub> and k<sub>2</sub>) using the following algorithm (this is equivalent to multiplication by x and x<sup>2</sup> in a finite field GF(2<sup>b</sup>)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

  1. Calculate a temporary value k<sub>0</sub> = E<sub>k</sub>(0).
  2. If msb(k<sub>0</sub>) = 0, then k<sub>1</sub> = k<sub>0</sub> ≪ 1, else k<sub>1</sub> = (k<sub>0</sub> ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: for 64-bit, for 128-bit, and for 256-bit blocks.)
  3. If , then , else .
  4. Return keys (k<sub>1</sub>, k<sub>2</sub>) for the MAC generation process.

As a small example, suppose , , and . Then and .

The CMAC tag generation process is as follows:

  1. Divide message into b-bit blocks , where m<sub>1</sub>, ..., m<sub>n−1</sub> are complete blocks. (The empty message is treated as one incomplete block.)
  2. If m<sub>n</sub> is a complete block then else .
  3. Let .
  4. For , calculate .
  6. Output .

The verification process is as follows:

  1. Use the above algorithm to generate the tag.
  2. Check that the generated tag is equal to the received tag.

Variants

CMAC-C1 is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

Implementations

  • Python implementation: see the usage of the <code>AES_CMAC()</code> function in "impacket/blob/master/tests/misc/test_crypto.py", and its definition in "impacket/blob/master/impacket/crypto.py"
  • Ruby implementation

References

  • The AES-CMAC Algorithm
  • The AES-CMAC-96 Algorithm and Its Use with IPsec
  • The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  • OMAC Online Test
  • More information on OMAC
  • Rust implementation