AES CMAC计算C#

AES CMAC Calculation C#

我知道MAC是最后一个块加密的第4个字节,并且找到了这个CMAC解释here但是有点难以理解。也许已经有一些 CMAC AES 问题,但很抱歉我不能很好地理解它。

谁能解释一下如何计算CMAC?如果需要,还可以使用 C# 中的一些示例代码。谢谢

首先,您需要从 AES 密钥中派生出两个子密钥。该算法在 RFC4493 中有很好的描述,但我将在此处包含一些代码示例以供参考。 为此,您将需要 AESEncrypt 函数,您可以使用 dotNet AesCryptoServiceProvider:

编写该函数
    byte[] AESEncrypt(byte[] key, byte[] iv, byte[] data)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();

            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.None;

            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, iv), CryptoStreamMode.Write))
            {
                cs.Write(data, 0, data.Length);
                cs.FlushFinalBlock();

                return ms.ToArray();
            }
        }
    }

还有将数组左移一位的东西:

    byte[] Rol(byte[] b)
    {
        byte[] r = new byte[b.Length];
        byte carry = 0;

        for (int i = b.Length - 1; i >= 0; i--)
        {
            ushort u = (ushort)(b[i] << 1);
            r[i] = (byte)((u & 0xff) + carry);
            carry = (byte)((u & 0xff00) >> 8);
        }

        return r;
    }

现在只保留 RFC4493 中的算法实现。我评论了RFC中的逻辑以便于理解。

    byte[] AESCMAC(byte[] key, byte[] data)
    {
        // SubKey generation
        // step 1, AES-128 with key K is applied to an all-zero input block.
        byte[] L = AESEncrypt(key, new byte[16], new byte[16]);

        // step 2, K1 is derived through the following operation:
        byte[] FirstSubkey = Rol(L); //If the most significant bit of L is equal to 0, K1 is the left-shift of L by 1 bit.
        if ((L[0] & 0x80) == 0x80)
            FirstSubkey[15] ^= 0x87; // Otherwise, K1 is the exclusive-OR of const_Rb and the left-shift of L by 1 bit.

        // step 3, K2 is derived through the following operation:
        byte[] SecondSubkey = Rol(FirstSubkey); // If the most significant bit of K1 is equal to 0, K2 is the left-shift of K1 by 1 bit.
        if ((FirstSubkey[0] & 0x80) == 0x80)
            SecondSubkey[15] ^= 0x87; // Otherwise, K2 is the exclusive-OR of const_Rb and the left-shift of K1 by 1 bit.

        // MAC computing
        if (((data.Length != 0) && (data.Length % 16 == 0)) == true)
        {
            // If the size of the input message block is equal to a positive multiple of the block size (namely, 128 bits),
            // the last block shall be exclusive-OR'ed with K1 before processing
            for (int j = 0; j < FirstSubkey.Length; j++)
                data[data.Length - 16 + j] ^= FirstSubkey[j];
        }
        else
        {
            // Otherwise, the last block shall be padded with 10^i
            byte[] padding = new byte[16 - data.Length % 16];
            padding[0] = 0x80;

            data = data.Concat<byte>(padding.AsEnumerable()).ToArray();

            // and exclusive-OR'ed with K2
            for (int j = 0; j < SecondSubkey.Length; j++)
                data[data.Length - 16 + j] ^= SecondSubkey[j];
        }

        // The result of the previous process will be the input of the last encryption.
        byte[] encResult = AESEncrypt(key, new byte[16], data);

        byte[] HashValue = new byte[16];
        Array.Copy(encResult, encResult.Length - HashValue.Length, HashValue, 0, HashValue.Length);

        return HashValue;
    }

祝你好运!