CBC-MAC decryption, how MAC works in encryption


I just figured out Triple DES encryption and decryption for credit card. Can anyone tell me how to de-crypt CBC-MAC... CBC-MAC at the end would give a 4 byte MAC. From MAC to Encryption, how exactly does it work? What is MAC doing?

Once there is an encryption done through CBC-MAC, how can we de-crypt them? Triple-DES would not work for my case.

Another question here. Have you all heard of any decryption algorithm that involves:

  • DUKPT
  • TDES, and
  • MAC variant (versus PIN variant)

I have a good understanding of TDES and DUKPT, but how would MAC variant play a role in the decryption algorithm?

How is MAC variant different from PIN variant?

Thank you!

2

There are 2 best solutions below

1

You cannot "decrypt" a CBC-MAC tag. A message authentication code (MAC) is a keyed integrity check. It means that the tag that is created from a MAC algorithm always has the same length regardless of the data length that you put in. In the case of CBC-MAC with Triple-DES that is the size of the block of 3DES which is 64-bit (or a shorter slice of it).

If your data is longer than that, then you can't "decrypt" it, because there are multiple solutions now. You can however run the original data again through CBC-MAC with the same key and re-create the tag again. Then you check the two tags to see if they match. If they do, then you know that your data wasn't tampered with. (But probably not, because 3DES is not that good when not used with 3 distinct keys and CBC-MAC is not considered secure anymore if you accept arbitrary messages.)

1

> I just figured out Triple DES encryption and decryption for credit card. Can anyone tell me how to de-crypt CBC-MAC... CBC-MAC at the end would give a 4 bit MAC.

Here's a visual of how CBC mode works via Wikipedia.

(Image: CBC mode, via Wikipedia)

What CBC-MAC does is simply take the last block of ciphertext that is output and call that the MAC. So your MAC should be the size of the block cipher which is probably not 4 bits. If you're using 3DES it would be 64 bits.

> From MAC to Encryption, how exactly does it work? What is MAC doing?

MAC and encryption are two very separate things. I'll try to give a brief rundown of each.

  • Encryption provides confidentiality, which means (in the symmetric crypto case) that only someone with the correct key can read the contents of a message.
  • MAC provides integrity, which means that the message has not been tampered with somewhere between the sender and recipient.

The reason MACs exist is that even if I cannot read an encrypted message, I can still possibly modify the encrypted message without the recipient knowing it was modified (this has caused all sorts of nasty problems in the real world). A MAC is generally sent along with an encrypted message. What the recipient does is first compute the MAC of the encrypted message, and then check if it matches the MAC that was sent with the encrypted message. If they match then the recipient knows the message was not tampered with.

> Once there is an encryption done through CBC-MAC, how can we de-crypt them? Triple-DES would not work for my case.

If you are using 3DES to encrypt I would recommend first encrypting your message (let's call it C). I'd also recommend using something other than CBC-MAC because CBC-MAC does not provide good security. I'd recommend you use HMAC to compute a MAC for the encrypted message (HMAC(C)). This means you'll need two keys, one for 3DES and one for HMAC. HMAC is widely supported in most languages so finding an implementation shouldn't be an issue.

So in summary, take your message M, compute 3DES(M) = C, then compute HMAC(C) = T, and send (C, T) to whoever is receiving this data. The recipient will then compute HMAC(C) = T', check that T' == T, and if they match compute 3DES(C) = M to get the original message. Hope that helps, quite a bit of info, feel free to ask anything to clarify. :)
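The "last block of CBC" construction from the second answer and the verify-by-recomputing step from the first, as an added example that is not part of either answer. Assumptions: `block_encrypt` is a keyed stand-in for the 3DES block encryption (built from HMAC-SHA256 so the sketch runs with the standard library only), the padding is ISO/IEC 9797-1 method 2, and the key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # 3DES block size in bytes (64 bits)

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for 3DES encryption of one 8-byte block (assumption, not 3DES).
    CBC-MAC only ever uses the encrypt direction, so a keyed PRF is enough here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def pad(msg: bytes) -> bytes:
    """ISO/IEC 9797-1 padding method 2: append 0x80, then zeros to a block boundary."""
    msg += b"\x80"
    return msg + b"\x00" * (-len(msg) % BLOCK)

def cbc_mac(key: bytes, msg: bytes, tag_len: int = 4) -> bytes:
    """CBC-encrypt with a zero IV, keep only the last block, truncate to tag_len."""
    state = bytes(BLOCK)
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        xored = bytes(a ^ b for a, b in zip(state, data[i:i + BLOCK]))
        state = block_encrypt(key, xored)
    return state[:tag_len]  # every earlier ciphertext block is discarded

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """There is nothing to decrypt: recompute the tag and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, msg, len(tag)), tag)

if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
    msg = b"amount=100.00;account=constructed-sample-0001"   # constructed message
    tag = cbc_mac(key, msg)  # 4-byte tag, as in the question
    print("tag:", tag.hex())
    print("original verifies:", verify(key, msg, tag))
    print("tampered verifies:", verify(key, msg.replace(b"100", b"900"), tag))
```
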