Draft NIST Special Publication 800-38B available for public comment

2002-10-23 Thread Morris Dworkin
I apologize if you already received the following message--originally I sent it to an out-of-date version of our mailing list. The draft NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode is available for public comment, from a

Re: comparing RMAC to AES+CBC-MAC or XCBC (Re: Why is RMAC resistant to birthday attacks?)

2002-10-23 Thread Jack Lloyd
On Tue, 22 Oct 2002, Adam Back wrote: The one difference which is an incremental improvement over raw CBC-MAC is that the final CBC-MAC a-like output is encrypted with the 2nd key K3. (K3 defined as K2 xor salt, K2 an independent key). Which isn't even a new idea (it's done in ANSI X9.19,

Re: comparing RMAC to AES+CBC-MAC or XCBC (Re: Why is RMAC resistant to birthday attacks?)

2002-10-23 Thread Adam Back
The problem with this one-size-fits-all approach is that for most applications, given the key size of AES, the extension forgery is impractical. It would be more flexible to specify RMAC as having an optional salt, with the size determined by the implementer as appropriate for their scenario. So