AES CMAC Calculation C#

ⅰ亾dé卋堺 提交于 2019-12-06 08:47:38

问题


I know MAC is 4 first byte of last block encryption, and found this CMAC explanation here but it's kinda hard to understand. And maybe there are already some CMAC AES questions but I'm sorry I can't understand it well.

Anyone can explain how to calculate CMAC? and if necessary with some example code in C#. Thanks


回答1:


First you need to derive two subkeys from your AES key. The algorithm is described well in RFC4493, but I will include some code samples here for reference. For this, you will need the AESEncrypt function, which you can write using dotNet AesCryptoServiceProvider:

    byte[] AESEncrypt(byte[] key, byte[] iv, byte[] data)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();

            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.None;

            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, iv), CryptoStreamMode.Write))
            {
                cs.Write(data, 0, data.Length);
                cs.FlushFinalBlock();

                return ms.ToArray();
            }
        }
    }

And something to shift arrays left by one bit:

    byte[] Rol(byte[] b)
    {
        byte[] r = new byte[b.Length];
        byte carry = 0;

        for (int i = b.Length - 1; i >= 0; i--)
        {
            ushort u = (ushort)(b[i] << 1);
            r[i] = (byte)((u & 0xff) + carry);
            carry = (byte)((u & 0xff00) >> 8);
        }

        return r;
    }

Now just the implementation of the algorithm in RFC4493 remains. I commented the logic from the RFC for easier understanding.

    byte[] AESCMAC(byte[] key, byte[] data)
    {
        // SubKey generation
        // step 1, AES-128 with key K is applied to an all-zero input block.
        byte[] L = AESEncrypt(key, new byte[16], new byte[16]);

        // step 2, K1 is derived through the following operation:
        byte[] FirstSubkey = Rol(L); //If the most significant bit of L is equal to 0, K1 is the left-shift of L by 1 bit.
        if ((L[0] & 0x80) == 0x80)
            FirstSubkey[15] ^= 0x87; // Otherwise, K1 is the exclusive-OR of const_Rb and the left-shift of L by 1 bit.

        // step 3, K2 is derived through the following operation:
        byte[] SecondSubkey = Rol(FirstSubkey); // If the most significant bit of K1 is equal to 0, K2 is the left-shift of K1 by 1 bit.
        if ((FirstSubkey[0] & 0x80) == 0x80)
            SecondSubkey[15] ^= 0x87; // Otherwise, K2 is the exclusive-OR of const_Rb and the left-shift of K1 by 1 bit.

        // MAC computing
        if (((data.Length != 0) && (data.Length % 16 == 0)) == true)
        {
            // If the size of the input message block is equal to a positive multiple of the block size (namely, 128 bits),
            // the last block shall be exclusive-OR'ed with K1 before processing
            for (int j = 0; j < FirstSubkey.Length; j++)
                data[data.Length - 16 + j] ^= FirstSubkey[j];
        }
        else
        {
            // Otherwise, the last block shall be padded with 10^i
            byte[] padding = new byte[16 - data.Length % 16];
            padding[0] = 0x80;

            data = data.Concat<byte>(padding.AsEnumerable()).ToArray();

            // and exclusive-OR'ed with K2
            for (int j = 0; j < SecondSubkey.Length; j++)
                data[data.Length - 16 + j] ^= SecondSubkey[j];
        }

        // The result of the previous process will be the input of the last encryption.
        byte[] encResult = AESEncrypt(key, new byte[16], data);

        byte[] HashValue = new byte[16];
        Array.Copy(encResult, encResult.Length - HashValue.Length, HashValue, 0, HashValue.Length);

        return HashValue;
    }

Good luck!



来源:https://stackoverflow.com/questions/29163493/aes-cmac-calculation-c-sharp

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!