com.entrust.toolkit.security.crypto.mac

Class CMac

java.lang.Object

javax.crypto.MacSpi

com.entrust.toolkit.security.crypto.mac.CMac

Direct Known Subclasses:

AesCMac, TripleDesCMac

public abstract class CMac
extends javax.crypto.MacSpi

Defines Entrust's Cipher-based Message Authentication Code (CMAC) architecture; it contains all the common functionality used by Entrust's CMAC algorithms.

CMAC is a keyed hash function that is based on a symmetric key block cipher based on NIST 800-38B, but modified to operate with any symmetric cipher. CMAC is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by Iwata and Kurosawa. OMAC1 is an improvement of the eXtended Cipher Block Chaining mode (XCBC) submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an improvement of the basic CBC-MAC. XCBC efficiently addresses the security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the key size of XCBC.

The core of CMAC is the basic CBC-MAC. For a message M to be authenticated, the CBC-MAC is applied to M. There are two modes of operation in CMAC:

• If the size of input message block is equal to the multiple of the block size (64 or 128 bits), the last block processing shall be exclusive-OR'ed with K1.
• If the size of the input message is not equal to the multiple of the block size, then the last block must be padded with 10^i and exclusive-OR'ed with K2. (For example, if block size was 64, but the input size of the last block was only 57, then 1000000 would be appended to the end).

The result of the previous process will be the input of the last CBC operation. K1 and K2 are keys which are generated during the subkey generation phase which is described as follows:

 Step 1.  L := Cipher(K, const_Zero);                           
 Step 2.  if MSB(L) is equal to 0                                
          then    K1 := L << 1;                                  
          else    K1 := (L << 1) XOR const_Rb;                   
 Step 3.  if MSB(K1) is equal to 0                               
          then    K2 := K1 << 1;                                 
          else    K2 := (K1 << 1) XOR const_Rb;                  
 Step 4.  return K1, K2;
 

The const_Rb is is defined as 0x87 if block size is 128, 0x1b if the block size is 64. The following is a specification of the MAC generation process of CMAC (as defined in NIST SP 800-38B).

 Prerequisites:
 block cipher CIPH with block size b;
 key K;
 MAC length parameter Tlen.
 Input:  
 message M of bit length Mlen.
 Output:
 MAC T of bit length Tlen.
 Suggested Notation:
 CMAC(K, M, Tlen) or, if Tlen is understood from the context, CMAC(K, M).
 
 Steps:
 1. Apply the subkey generation process in Sec. 6.1 to K to produce K1 and K2.
 2. If Mlen = 0, let n = 1; else, let n = ?Mlen/b?.
 3. Let M1, M2, ... , Mn-1, Mn* denote the unique sequence of bit strings such that M =
    M1 || M2 || ... || Mn-1 || Mn, where M1, M2,..., Mn-1 
    are complete blocks.2
 4. If Mn* is a complete block, let Mn = K1 ? Mn*;
    else, let Mn = K2 ? (Mn*||10j),
    where j = nb-Mlen-1.
 5. Let C0 = 0b.
 6. For i = 1 to n, let Ci = CIPHK(Ci-1 ? Mi).
 7. Let T = MSBTlen(Cn).
 8. Return T.
 
 In Step 1, the subkeys are generated from the key. 
 
 In Steps 2–4, the input message is formatted into a sequence of complete 
 blocks in which the final block has been masked by a subkey. There are two
 cases (as detailed above).
 
 In Steps 5 and 6, the cipher block chaining (CBC) technique, with the zero block as the
 initialization vector, is applied to the formatted message. 
 
 In Steps 7 and 8, the final CBC output block is truncated according to the MAC length 
 parameter that is associated with the key, and the result is returned as the MAC.
 

Since:

7.2

See Also:

SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication

Method Summary

Methods

Modifier and Type	Method and Description
protected byte[]	engineDoFinal() Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
protected int	engineGetMacLength() Returns the length of the MAC in bytes.
protected void	engineInit(java.security.Key key, java.security.spec.AlgorithmParameterSpec params) Initializes the MAC with the given (secret) key and algorithm parameters.
protected void	engineReset() Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.
protected void	engineUpdate(byte input) Processes the given byte.
protected void	engineUpdate(byte[] input, int offset, int len) Processes the first len bytes in input, starting at offset inclusive.

Methods inherited from class javax.crypto.MacSpi

clone, engineUpdate

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

engineGetMacLength

protected final int engineGetMacLength()

Returns the length of the MAC in bytes.

FIPS 140-2:

FIPS Service: Query Object

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data output interface (return value)
• status output interface (exceptions)

Specified by:

engineGetMacLength in class javax.crypto.MacSpi

Returns:

[FIPS 140-2 data output] the MAC length in bytes.

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineInit

protected final void engineInit(java.security.Key key,
              java.security.spec.AlgorithmParameterSpec params)
                         throws java.security.InvalidKeyException,
                                java.security.InvalidAlgorithmParameterException

Initializes the MAC with the given (secret) key and algorithm parameters.

FIPS 140-2:

FIPS Service: Initialization

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data input interface (parameters)
• status output interface (exceptions)

Specified by:

engineInit in class javax.crypto.MacSpi

Parameters:

key - [FIPS 140-2 data input] [FIPS 140-2 CSP] the (secret) key.

params - [FIPS 140-2 data input] the algorithm parameters.

Throws:

java.security.InvalidKeyException - [FIPS 140-2 status output] if the given key is inappropriate for initializing this MAC.

java.security.InvalidAlgorithmParameterException - [FIPS 140-2 status output] if the given algorithm parameters are inappropriate for this MAC.

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineUpdate

protected final void engineUpdate(byte input)

Processes the given byte.

FIPS 140-2:

FIPS Service: MAC Generation/Verification

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data input interface (parameters)
• status output interface (exceptions)

Specified by:

engineUpdate in class javax.crypto.MacSpi

Parameters:

input - [FIPS 140-2 data input] the input byte to be processed.

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineUpdate

protected final void engineUpdate(byte[] input,
                int offset,
                int len)

Processes the first len bytes in input, starting at offset inclusive.

FIPS 140-2:

FIPS Service: MAC Generation/Verification

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data input interface (parameters)
• status output interface (exceptions)

Specified by:

engineUpdate in class javax.crypto.MacSpi

Parameters:

input - [FIPS 140-2 data input] the input buffer.

offset - [FIPS 140-2 data input] the offset in input where the input starts.

len - [FIPS 140-2 data input] the number of bytes to process.

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineDoFinal

protected final byte[] engineDoFinal()

Completes the MAC computation and resets the MAC for further use, maintaining the secret key that the MAC was initialized with.

FIPS 140-2:

FIPS Service: MAC Generation/Verification

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• data output interface (return value)
• status output interface (exceptions)

Specified by:

engineDoFinal in class javax.crypto.MacSpi

Returns:

[FIPS 140-2 data output] the MAC result.

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations

engineReset

protected final void engineReset()

Resets the MAC for further use, maintaining the secret key that the MAC was initialized with.

FIPS 140-2:

FIPS Service: Modify Object

This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:

• control input interface (API call)
• status output interface (exceptions)

Specified by:

engineReset in class javax.crypto.MacSpi

Throws:

Fips140ErrorStateException - [FIPS 140-2 status output] thrown if the Toolkit is not allowed to perform cryptographic operations