AES CMAC计算C#
我知道MAC是最后一个块加密的第一个字节,并且在这里找到了这个CMAC解释,但它有点难以理解。 也许已经有一些CMAC AES问题但我很抱歉我无法理解它。
任何人都可以解释如何计算CMAC? 如果需要,可以使用C#中的一些示例代码。 谢谢
首先,您需要从AES密钥派生两个子密钥。 该算法在RFC4493中有详细描述,但我将在此处包含一些代码示例以供参考。 为此,您需要AESEncrypt函数,您可以使用dotNet AesCryptoServiceProvider编写该函数:
byte[] AESEncrypt(byte[] key, byte[] iv, byte[] data) { using (MemoryStream ms = new MemoryStream()) { AesCryptoServiceProvider aes = new AesCryptoServiceProvider(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.None; using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, iv), CryptoStreamMode.Write)) { cs.Write(data, 0, data.Length); cs.FlushFinalBlock(); return ms.ToArray(); } } } 还有一些东西可以将数组左移一位:
byte[] Rol(byte[] b) { byte[] r = new byte[b.Length]; byte carry = 0; for (int i = b.Length - 1; i >= 0; i--) { ushort u = (ushort)(b[i] << 1); r[i] = (byte)((u & 0xff) + carry); carry = (byte)((u & 0xff00) >> 8); } return r; }
现在只剩下RFC4493中算法的实现了。 我评论了RFC中的逻辑以便于理解。
byte[] AESCMAC(byte[] key, byte[] data) { // SubKey generation // step 1, AES-128 with key K is applied to an all-zero input block. byte[] L = AESEncrypt(key, new byte[16], new byte[16]); // step 2, K1 is derived through the following operation: byte[] FirstSubkey = Rol(L); //If the most significant bit of L is equal to 0, K1 is the left-shift of L by 1 bit. if ((L[0] & 0x80) == 0x80) FirstSubkey[15] ^= 0x87; // Otherwise, K1 is the exclusive-OR of const_Rb and the left-shift of L by 1 bit. // step 3, K2 is derived through the following operation: byte[] SecondSubkey = Rol(FirstSubkey); // If the most significant bit of K1 is equal to 0, K2 is the left-shift of K1 by 1 bit. if ((FirstSubkey[0] & 0x80) == 0x80) SecondSubkey[15] ^= 0x87; // Otherwise, K2 is the exclusive-OR of const_Rb and the left-shift of K1 by 1 bit. // MAC computing if (((data.Length != 0) && (data.Length % 16 == 0)) == true) { // If the size of the input message block is equal to a positive multiple of the block size (namely, 128 bits), // the last block shall be exclusive-OR'ed with K1 before processing for (int j = 0; j < FirstSubkey.Length; j++) data[data.Length - 16 + j] ^= FirstSubkey[j]; } else { // Otherwise, the last block shall be padded with 10^i byte[] padding = new byte[16 - data.Length % 16]; padding[0] = 0x80; data = data.Concat(padding.AsEnumerable()).ToArray(); // and exclusive-OR'ed with K2 for (int j = 0; j < SecondSubkey.Length; j++) data[data.Length - 16 + j] ^= SecondSubkey[j]; } // The result of the previous process will be the input of the last encryption. byte[] encResult = AESEncrypt(key, new byte[16], data); byte[] HashValue = new byte[16]; Array.Copy(encResult, encResult.Length - HashValue.Length, HashValue, 0, HashValue.Length); return HashValue; }
祝好运!