Side Channel Attacks on Message Authentication Codes

  • Katsuyuki Okeya
  • Tetsu Iwata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3813)


Side channel attacks are a serious threat to embedded devices running cryptographic applications, such as those deployed in sensor and ad hoc networks. In this paper we show that side channel attacks can be applied to message authentication codes, even when side channel countermeasures are applied to the underlying block cipher. In particular, we show that EMAC, OMAC, and PMAC are vulnerable to our attack. Using simple power analysis, we show that several key bits can be extracted; using differential power analysis, we present selective forgeries against these MACs. Our results suggest that protecting block ciphers against side channel attacks is not sufficient, and that countermeasures are needed for MACs as well.


Keywords: Side Channel Attacks, MACs, Selective Forgery, SPA, DPA





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  1. Katsuyuki Okeya: Hitachi, Ltd., Systems Development Laboratory, Kawasaki, Japan
  2. Tetsu Iwata: Dept. of Computer and Information Sciences, Ibaraki University, Hitachi, Ibaraki, Japan
