It is known that the MAC value generated via SM4 CBC-MAC is as follows
MSG1:
E55E3E24A3AE7797808FDCA05A16AC15EB5FA2E6185C23A814A35BA32B4637C2
MAC1:
0712C867AA6EC7C1BB2B66312367B2C8
MSG2:
D8D94F33797E1F41CAB9217793B2D0F02B93D46C2EAD104DCE4BFEC453767719
MAC2:
43669127AE268092C056FD8D03B38B5B
It is required to generate 64 bytes (128 hexadecimal words) of MSG3 and corresponding MAC3.
Analysis:
A. SM4-CBC, the input is a 128-bit IV random number, symmetric key K, 128-bit plaintext group
B. SM4 CBC-MAC, the input is the same as SM4-CBC, except that the IV value is fixed to 0, and the output only takes the last The length of the encrypted ciphertext
C and MSG1 of a group is 32 bytes (256 bits), so there are 2 groups (M1a and M1b), and the output is MAC1 M1a =E55E3E24A3AE7797808FDCA05A16AC15 M1b =EB5FA2E6185C23A814A35BA32B4637C2 MAC1=0712C86 7AA6EC7C1BB2B66312367B2C8 IV
=
00000000000000000000000000000000
MAC1
=
Ek (k, Ek(k,IV⊕M1a)⊕M1b) = Ek(k, Ek(k,M1a)⊕M1b) D. Same as above
for MSG2 and MSG1, so
MAC2 = Ek(k, Ek(k,M2a) ⊕M2b)
E. Similarly, for MSG3, there are 4 groups (M3a, M3b, M3c, M3d), and the output is MAC3 MAC3
= Ek(k,Ek(k,Ek(k, Ek(k,M3a)⊕M3b) )⊕M3c)⊕M3d)
After analysis, the general idea is that MSG3 can be properly spliced from MSG1 and MSG2. Specifically,
M3a = M1a
M3b = M1b
, so there is Ek(k, Ek(k,M3a)⊕M3b) = Ek(k, Ek(k,M1a)⊕M1b) = MAC1.
Now we need to construct an M3c to satisfy: M3c⊕MAC1 = M2a, that is, M3c = M2a⊕MAC1.
In this way, when IV=MAC1, Ek(k,MAC1⊕M3a) = Ek(k,M2a)
M3d = M2b
In summary,
MSG3 = M1a||M1b||M2a⊕MAC1||M2b
MAC3 = MAC2