Crypto Wiki

In cryptography, a Cipher Block Chaining Message Authentication Code, abbreviated CBC-MAC, is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

To calculate the CBC-MAC of message one encrypts in CBC mode with zero initialization vector. The following figure sketches the computation of the CBC-MAC of a message comprising blocks using a secret key and a block cipher :

File:CBC-MAC structure (en).svg

Variable-length messages[]

Given a secure block cipher, CBC-MAC is secure for fixed-length messages. However, by itself, it is not secure for variable-length messages. An attacker who knows the correct message-tag (i.e. CBC-MAC) pairs and can generate a third message whose CBC-MAC will also be . This is simply done by XORing the first block of with and then concatenating with this modified , i.e. by making .

This problem cannot be solved by adding a message-size block (e.g., with Merkle-Damgård strengthening) and thus it is recommended to use a different mode of operation, for example, CMAC to protect integrity of variable-length messages. Slatty

Using the same key for encryption and authentication[]

One common mistake is to reuse the same key for CBC encryption and CBC-MAC. Although a reuse of a key for different purposes is a bad practice in general, in this particular case the mistake leads to a spectacular attack. Suppose that one encrypts a message in the CBC mode using an and gets the following ciphertext: , where . He also generates the CBC-MAC tag for the IV and the message: Now an attacker can change every bit before the last block and the MAC tag still be valid. The reason is that (this is actually the reason why people make this mistake so often—it allows to increase the performance by a factor of two). Hence as far as the last block is not changed the equivalence holds and thus the CBC-MAC tag is correct.

This example also shows that a CBC-MAC cannot be used as a collision resistant one-way function: given a key it is trivial to create a different message which “hashes” to the same tag.

See also[]

  • CMAC — A block-cipher–based MAC algorithm which is secure for messages of different lengths (recommended by NIST).
  • OMAC and PMAC — Other methods to turn block ciphers into message authentication codes (MACs).
  • One-way compression function - Hash functions can be made from block ciphers. But note, there are significant differences in function and uses for security between MACs (such as CBC-MAC) and hashes.
  • DAA — A (now obsolete) U.S. government standard instantiation of CBC-MAC.


  1. ISO/IEC 9797-2:2002
  2. The security of the cipher block chaining message authentication code.