Post: AES CMAC - RFC 4493 signature

A little bit of everything, sometimes more

RSS

Categories

Contact: Àlex

AES CMAC - RFC 4493 signature

Now that 3DES is phasing out, a new signature is need to replace the veteran X9.19. So here comes the brand new (from 2006!) AES CMAC signature. It uses AES instead of 3DES, but externally it uses the same 128bit long keys. I've programmed, with help from StackOverflow, a version in C#, and another version using the BouncyCastle library. Both ways return the same result, and I don't know which one performs better. The program is easy to understand, the only difficult step lays in the subkey generation. I've cut&pasted the RFC part that explains it to be sure I've done the correct thing.


byte[] AESEncrypt(byte[] key, byte[] iv, byte[] data)
{
    using (MemoryStream ms = new MemoryStream())
    {
	AesCryptoServiceProvider aes = new AesCryptoServiceProvider();

	aes.Mode = CipherMode.CBC;
	aes.Padding = PaddingMode.None;

	using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, iv), CryptoStreamMode.Write))
	{
	    cs.Write(data, 0, data.Length);
	    cs.FlushFinalBlock();

	    return ms.ToArray();
	}
    }
}

/// <summary>
/// This function does:
/// x << 1
/// Left-shift of the string x by 1 bit.
/// The most significant bit disappears, and a zero
/// comes into the least significant bit.
/// 10010001 << 1 is 00100010.
/// </summary>
/// <param name="b">Array de bytes a fer shift</param>
/// <returns>El byte shiftejat</returns>
byte[] Rol(byte[] b)
{
    byte[] r = new byte[b.Length];
    byte carry = 0;

    for (int i = b.Length - 1; i >= 0; i--)
    {
	ushort u = (ushort)(b[i] << 1);
	r[i] = (byte)((u & 0xff) + carry);
	carry = (byte)((u & 0xff00) >> 8);
    }

    return r;
}

byte[] AESCMAC(byte[] key, byte[] data)
{
    /*
    // SubKey generation
    Figure 2.2 specifies the subkey generation algorithm.
 

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
    +Algorithm Generate_Subkey +
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    + +
    +Input    : K(128 - bit key) +
    +Output   : K1(128 - bit first subkey) +
    +K2(128 - bit second subkey) +
    +-------------------------------------------------------------------+
    + +
    +Constants: const_Zero is 0x00000000000000000000000000000000 +
    +const_Rb is 0x00000000000000000000000000000087 +
    +Variables: L          for output of AES - 128 applied to 0 ^ 128 +
    + +
    +Step 1.L := AES - 128(K, const_Zero); +
    +Step 2.  if MSB(L) is equal to 0 +
    +then    K1:= L << 1; +
    +            else    K1:= (L << 1) XOR const_Rb; +
    +Step 3.  if MSB(K1) is equal to 0 +
    +then    K2:= K1 << 1; +
    +            else    K2:= (K1 << 1) XOR const_Rb; +
    +Step 4.  return K1, K2; +
    + +
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Figure 2.2.Algorithm Generate_Subkey

    In step 1, AES - 128 with key K is applied to an all-zero input block.

       In step 2, K1 is derived through the following operation:

		If the most significant bit of L is equal to 0, K1 is the left - shift
       of L by 1 bit.

       Otherwise, K1 is the exclusive - OR of const_Rb and the left - shift of L
       by 1 bit.

       In step 3, K2 is derived through the following operation:

		If the most significant bit of K1 is equal to 0, K2 is the left - shift
       of K1 by 1 bit.

       Otherwise, K2 is the exclusive - OR of const_Rb and the left - shift of
	   K1 by 1 bit.

       In step 4, (K1, K2) := Generate_Subkey(K) is returned.
       */


    // step 1, AES-128 with key K is applied to an all-zero input block.
    byte[] L = AESEncrypt(key, new byte[16], new byte[16]);

    // step 2, K1 is derived through the following operation:
    byte[] FirstSubkey = Rol(L); //If the most significant bit of L is equal to 0, K1 is the left-shift of L by 1 bit.
    if ((L[0] & 0x80) == 0x80)
	FirstSubkey[15] ^= 0x87; // Otherwise, K1 is the exclusive-OR of const_Rb and the left-shift of L by 1 bit.

    // step 3, K2 is derived through the following operation:
    byte[] SecondSubkey = Rol(FirstSubkey); // If the most significant bit of K1 is equal to 0, K2 is the left-shift of K1 by 1 bit.
    if ((FirstSubkey[0] & 0x80) == 0x80)
	SecondSubkey[15] ^= 0x87; // Otherwise, K2 is the exclusive-OR of const_Rb and the left-shift of K1 by 1 bit.

    // MAC computing
    if (((data.Length != 0) && (data.Length % 16 == 0)) == true)
    {
	// If the size of the input message block is equal to a positive multiple of the block size (namely, 128 bits),
	// the last block shall be exclusive-OR'ed with K1 before processing
	for (int j = 0; j < FirstSubkey.Length; j++)
	    data[data.Length - 16 + j] ^= FirstSubkey[j];
    }
    else
    {
	//S'afegeix padding a l'ultim bloc, però en realitat és afegir padding a les dades
	data = AddPaddingAES(data);
	/*
	// Otherwise, the last block shall be padded with 10^i
	byte[] padding = new byte[16 - data.Length % 16];
	padding[0] = 0x80;

	data = data.Concat<byte>(padding.AsEnumerable()).ToArray();
	*/

	// and exclusive-OR'ed with K2, la SecondSubkey té 16 de longitud
	for (int j = 0; j < 16; j++) data[data.Length - 16 + j] ^= SecondSubkey[j];
    }

    // The result of the previous process will be the input of the last encryption.
    byte[] encResult = AESEncrypt(key, new byte[16], data);

    byte[] HashValue = new byte[16];
    Array.Copy(encResult, encResult.Length - HashValue.Length, HashValue, 0, HashValue.Length);

    return HashValue;
}

All that code from above, that seems very complex, can be reduced to a few lines using BouncyCastle. But you know, in the code lays the truth, and with the library you don't see it...


//Using BouncyCastle
Org.BouncyCastle.Crypto.Engines.AesEngine aes = new Org.BouncyCastle.Crypto.Engines.AesEngine();
Org.BouncyCastle.Crypto.Macs.CMac cMac = new Org.BouncyCastle.Crypto.Macs.CMac(aes, 64);
Org.BouncyCastle.Crypto.Parameters.KeyParameter kp = new Org.BouncyCastle.Crypto.Parameters.KeyParameter(key);
cMac.Init(kp);
int MacLenght = cMac.GetMacSize();
byte[] output = new byte[MacLenght];
cMac.BlockUpdate(data, 0, data.Length);
cMac.DoFinal(output, 0);

txtBase64.Text = ConvertByteArrayToHexString(output);

There are some examples in a RFC.


//https://tools.ietf.org/html/rfc4493
/*
CMAC EXAMPLE:
-------------
NIST publication 800 - 38B: http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf

>>> key 2b7e151628aed2a6abf7158809cf4f3c
>>> plaintext 6bc1bee22e409f96e93d7e117393172a
<<< CMAC 070a16b46b4d4144f79bdd9dd04a287c

>>> key 2B7E151628AED2A6ABF7158809CF4F3C
>>> pt: 6BC1BEE22E409F96E93D7E117393172AAE2D8A57
<<< CMAC 7D85449E A6EA19C8 23A7BF78 837DFADE

>>> key 2B7E151628AED2A6ABF7158809CF4F3C
>>> pt: 6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710
<<< CMAC 51F0BEBF7E3B9D92FC49741779363CFE
*/

And that's all, another signature done!

#23/01/2020 17:24
Programming
C#
Author: Alex Canalda