Any point using CMAC with AES-256?












3














As we know, AES-256 is a block cipher with 256-bit key and 128-bit block size.



The CMAC message authentication code outputs tag length equal to block cipher block size - thus 128 bits with AES. And this provides an assurence that only 1 in 2^128 attempts in forgery may possibly succeed.



So is there any point using a 256-bit key as may be the case with AES-256?










share|improve this question






















  • If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
    – SEJPM
    Dec 22 at 15:05
















3














As we know, AES-256 is a block cipher with 256-bit key and 128-bit block size.



The CMAC message authentication code outputs tag length equal to block cipher block size - thus 128 bits with AES. And this provides an assurence that only 1 in 2^128 attempts in forgery may possibly succeed.



So is there any point using a 256-bit key as may be the case with AES-256?










share|improve this question






















  • If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
    – SEJPM
    Dec 22 at 15:05














3












3








3







As we know, AES-256 is a block cipher with 256-bit key and 128-bit block size.



The CMAC message authentication code outputs tag length equal to block cipher block size - thus 128 bits with AES. And this provides an assurence that only 1 in 2^128 attempts in forgery may possibly succeed.



So is there any point using a 256-bit key as may be the case with AES-256?










share|improve this question













As we know, AES-256 is a block cipher with 256-bit key and 128-bit block size.



The CMAC message authentication code outputs tag length equal to block cipher block size - thus 128 bits with AES. And this provides an assurence that only 1 in 2^128 attempts in forgery may possibly succeed.



So is there any point using a 256-bit key as may be the case with AES-256?







aes cmac






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 22 at 14:31









DannyNiu

1,047526




1,047526












  • If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
    – SEJPM
    Dec 22 at 15:05


















  • If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
    – SEJPM
    Dec 22 at 15:05
















If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
– SEJPM
Dec 22 at 15:05




If you use AES-128 an attacker may find (in theory) brute-forcing the 128-bit key to be easier than trying the random forging approach, especially if it's a protocol like TLS that rekeys after a single MAC fail.
– SEJPM
Dec 22 at 15:05










2 Answers
2






active

oldest

votes


















2














Brute forcing ciphertext an offline attack, while attacking the authentication tag (the result of the CMAC-calculation) is an online attack: it requires an active oracle. That is: you can try and break the confidentiality of a message on your own PC network of computers. However, you need to send many ciphertext (including authentication tag) to a receiver to see if a guessed tag is correct or not and an invalid ciphertext is accepted (to test if a message is successfully forged). Generally you only get one oracle, and the speed of this oracle is usually limited (e.g. by networking speeds).



If an authentication tag is not accepted then that doesn't give any information to an attacker if the next message changes. This would for instance be the case if a unique sequence number is included in the messages (although usually the authentication tag is verified earlier, so oracle attacks would be possible). Furthermore, many protocols will break a session and re-establish the session keys if an incorrect authentication tag is received.



In conclusion: attacking an authentication tag is much harder than breaking a cipher, even if the order of the attack is the same. Because of this it makes sense to increase the key size even if the tag size stays the same.





If you need more than 128 bits of security is of course another question; 128 bits seems plenty as long as quantum computers are not available. 256 bit encryption should be considered for messages that require long-term protection.






share|improve this answer































    1














    From rfc4493 (The AES-CMAC Algorithm);




    The security provided by AES-CMAC is built on the strong cryptographic algorithm AES. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, K, and the correctness of the implementation in all of the participating systems.




    As the standard states; the longer key the harder to forgery. However, the standard is not mentioning about using the AES with 256-bit key.



    Your suggestion to increase the key size to 256-bit will definitely make the brute-force infeasible for a long time.



    To forge a message by trying every tag is measured by the tag space, in this case, the attacker needs to attack $128$-bit and this is always same for AES.






    share|improve this answer























    • I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
      – Ilmari Karonen
      Dec 22 at 19:46










    • @IlmariKaronen clear now?
      – kelalaka
      Dec 22 at 20:05











    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "281"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66050%2fany-point-using-cmac-with-aes-256%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    Brute forcing ciphertext an offline attack, while attacking the authentication tag (the result of the CMAC-calculation) is an online attack: it requires an active oracle. That is: you can try and break the confidentiality of a message on your own PC network of computers. However, you need to send many ciphertext (including authentication tag) to a receiver to see if a guessed tag is correct or not and an invalid ciphertext is accepted (to test if a message is successfully forged). Generally you only get one oracle, and the speed of this oracle is usually limited (e.g. by networking speeds).



    If an authentication tag is not accepted then that doesn't give any information to an attacker if the next message changes. This would for instance be the case if a unique sequence number is included in the messages (although usually the authentication tag is verified earlier, so oracle attacks would be possible). Furthermore, many protocols will break a session and re-establish the session keys if an incorrect authentication tag is received.



    In conclusion: attacking an authentication tag is much harder than breaking a cipher, even if the order of the attack is the same. Because of this it makes sense to increase the key size even if the tag size stays the same.





    If you need more than 128 bits of security is of course another question; 128 bits seems plenty as long as quantum computers are not available. 256 bit encryption should be considered for messages that require long-term protection.






    share|improve this answer




























      2














      Brute forcing ciphertext an offline attack, while attacking the authentication tag (the result of the CMAC-calculation) is an online attack: it requires an active oracle. That is: you can try and break the confidentiality of a message on your own PC network of computers. However, you need to send many ciphertext (including authentication tag) to a receiver to see if a guessed tag is correct or not and an invalid ciphertext is accepted (to test if a message is successfully forged). Generally you only get one oracle, and the speed of this oracle is usually limited (e.g. by networking speeds).



      If an authentication tag is not accepted then that doesn't give any information to an attacker if the next message changes. This would for instance be the case if a unique sequence number is included in the messages (although usually the authentication tag is verified earlier, so oracle attacks would be possible). Furthermore, many protocols will break a session and re-establish the session keys if an incorrect authentication tag is received.



      In conclusion: attacking an authentication tag is much harder than breaking a cipher, even if the order of the attack is the same. Because of this it makes sense to increase the key size even if the tag size stays the same.





      If you need more than 128 bits of security is of course another question; 128 bits seems plenty as long as quantum computers are not available. 256 bit encryption should be considered for messages that require long-term protection.






      share|improve this answer


























        2












        2








        2






        Brute forcing ciphertext an offline attack, while attacking the authentication tag (the result of the CMAC-calculation) is an online attack: it requires an active oracle. That is: you can try and break the confidentiality of a message on your own PC network of computers. However, you need to send many ciphertext (including authentication tag) to a receiver to see if a guessed tag is correct or not and an invalid ciphertext is accepted (to test if a message is successfully forged). Generally you only get one oracle, and the speed of this oracle is usually limited (e.g. by networking speeds).



        If an authentication tag is not accepted then that doesn't give any information to an attacker if the next message changes. This would for instance be the case if a unique sequence number is included in the messages (although usually the authentication tag is verified earlier, so oracle attacks would be possible). Furthermore, many protocols will break a session and re-establish the session keys if an incorrect authentication tag is received.



        In conclusion: attacking an authentication tag is much harder than breaking a cipher, even if the order of the attack is the same. Because of this it makes sense to increase the key size even if the tag size stays the same.





        If you need more than 128 bits of security is of course another question; 128 bits seems plenty as long as quantum computers are not available. 256 bit encryption should be considered for messages that require long-term protection.






        share|improve this answer














        Brute forcing ciphertext an offline attack, while attacking the authentication tag (the result of the CMAC-calculation) is an online attack: it requires an active oracle. That is: you can try and break the confidentiality of a message on your own PC network of computers. However, you need to send many ciphertext (including authentication tag) to a receiver to see if a guessed tag is correct or not and an invalid ciphertext is accepted (to test if a message is successfully forged). Generally you only get one oracle, and the speed of this oracle is usually limited (e.g. by networking speeds).



        If an authentication tag is not accepted then that doesn't give any information to an attacker if the next message changes. This would for instance be the case if a unique sequence number is included in the messages (although usually the authentication tag is verified earlier, so oracle attacks would be possible). Furthermore, many protocols will break a session and re-establish the session keys if an incorrect authentication tag is received.



        In conclusion: attacking an authentication tag is much harder than breaking a cipher, even if the order of the attack is the same. Because of this it makes sense to increase the key size even if the tag size stays the same.





        If you need more than 128 bits of security is of course another question; 128 bits seems plenty as long as quantum computers are not available. 256 bit encryption should be considered for messages that require long-term protection.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Dec 22 at 17:13

























        answered Dec 22 at 17:07









        Maarten Bodewes

        52.6k677191




        52.6k677191























            1














            From rfc4493 (The AES-CMAC Algorithm);




            The security provided by AES-CMAC is built on the strong cryptographic algorithm AES. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, K, and the correctness of the implementation in all of the participating systems.




            As the standard states; the longer key the harder to forgery. However, the standard is not mentioning about using the AES with 256-bit key.



            Your suggestion to increase the key size to 256-bit will definitely make the brute-force infeasible for a long time.



            To forge a message by trying every tag is measured by the tag space, in this case, the attacker needs to attack $128$-bit and this is always same for AES.






            share|improve this answer























            • I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
              – Ilmari Karonen
              Dec 22 at 19:46










            • @IlmariKaronen clear now?
              – kelalaka
              Dec 22 at 20:05
















            1














            From rfc4493 (The AES-CMAC Algorithm);




            The security provided by AES-CMAC is built on the strong cryptographic algorithm AES. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, K, and the correctness of the implementation in all of the participating systems.




            As the standard states; the longer key the harder to forgery. However, the standard is not mentioning about using the AES with 256-bit key.



            Your suggestion to increase the key size to 256-bit will definitely make the brute-force infeasible for a long time.



            To forge a message by trying every tag is measured by the tag space, in this case, the attacker needs to attack $128$-bit and this is always same for AES.






            share|improve this answer























            • I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
              – Ilmari Karonen
              Dec 22 at 19:46










            • @IlmariKaronen clear now?
              – kelalaka
              Dec 22 at 20:05














            1












            1








            1






            From rfc4493 (The AES-CMAC Algorithm);




            The security provided by AES-CMAC is built on the strong cryptographic algorithm AES. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, K, and the correctness of the implementation in all of the participating systems.




            As the standard states; the longer key the harder to forgery. However, the standard is not mentioning about using the AES with 256-bit key.



            Your suggestion to increase the key size to 256-bit will definitely make the brute-force infeasible for a long time.



            To forge a message by trying every tag is measured by the tag space, in this case, the attacker needs to attack $128$-bit and this is always same for AES.






            share|improve this answer














            From rfc4493 (The AES-CMAC Algorithm);




            The security provided by AES-CMAC is built on the strong cryptographic algorithm AES. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, K, and the correctness of the implementation in all of the participating systems.




            As the standard states; the longer key the harder to forgery. However, the standard is not mentioning about using the AES with 256-bit key.



            Your suggestion to increase the key size to 256-bit will definitely make the brute-force infeasible for a long time.



            To forge a message by trying every tag is measured by the tag space, in this case, the attacker needs to attack $128$-bit and this is always same for AES.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 22 at 20:05

























            answered Dec 22 at 16:11









            kelalaka

            5,16321939




            5,16321939












            • I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
              – Ilmari Karonen
              Dec 22 at 19:46










            • @IlmariKaronen clear now?
              – kelalaka
              Dec 22 at 20:05


















            • I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
              – Ilmari Karonen
              Dec 22 at 19:46










            • @IlmariKaronen clear now?
              – kelalaka
              Dec 22 at 20:05
















            I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
            – Ilmari Karonen
            Dec 22 at 19:46




            I'm finding your answer here a bit hard to follow. In particular, in the last paragraph you write about "the case of the brute force", even though both trying all $2^{256}$ keys and trying all $2^{128}$ tags would generally be considered brute force attacks.
            – Ilmari Karonen
            Dec 22 at 19:46












            @IlmariKaronen clear now?
            – kelalaka
            Dec 22 at 20:05




            @IlmariKaronen clear now?
            – kelalaka
            Dec 22 at 20:05


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66050%2fany-point-using-cmac-with-aes-256%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

            Alcedinidae

            Origin of the phrase “under your belt”?