ISO/IEC 9797-1:2011(en)
Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and notation
5 Requirements
6 Model for MAC algorithms
6.1 General
6.2 Step 1 (key derivation)
6.3 Step 2 (padding)
6.4 Step 3 (splitting)
6.5 Step 4 (iteration)
6.6 Step 5 (final iteration)
6.7 Step 6 (output transformation)
6.8 Step 7 (truncation)
7 MAC algorithms
7.1 General
7.2 MAC Algorithm 1
7.3 MAC Algorithm 2
7.4 MAC Algorithm 3
7.5 MAC Algorithm 4
7.6 MAC Algorithm 5
7.7 MAC Algorithm 6
Annex A Object identifiers
Annex B Examples
B.1 General
B.2 MAC Algorithm 1
B.3 MAC Algorithm 2
B.4 MAC Algorithm 3
B.5 MAC Algorithm 4
B.6 MAC Algorithm 5
B.7 MAC Algorithm 6
Annex C A security analysis of the MAC algorithms
C.1 General
C.2 Rationale
Annex D A comparison with previous MAC algorithm standards
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 9797-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 9797-1:1999), which has been technically revised. MAC Algorithms 5 and 6 of ISO/IEC 9797-1:1999, which consisted of two single CBC-MAC computations, have been replaced by two other MAC algorithms, which perform single CBC-MAC computations and which offer improved efficiency. Annex A on object identifiers has been added. The security analysis in Annex C has been updated and Annex D on the relationship to previous standards has been added.
ISO/IEC 9797 consists of the following parts, under the general title Information technology – Security techniques – Message Authentication Codes (MACs):
  • Part 1: Mechanisms using a block cipher
  • Part 2: Mechanisms using a dedicated hash-function
  • Part 3: Mechanisms using a universal hash-function
Further parts may follow.

Introduction

In an IT environment, it is often required that one can verify that electronic data has not been altered in an unauthorized manner and that one can provide assurance that a message has been originated by an entity in possession of the secret key. A MAC (Message Authentication Code) algorithm is a commonly used data integrity mechanism that can satisfy these requirements.
This part of ISO/IEC 9797 specifies six MAC algorithms that are based on an n-bit block cipher. They compute a short string as a function of a secret key and a message of variable length.
The strength of the data integrity mechanism and message authentication mechanism is dependent on the length (in bits) k* and secrecy of the key, on the block length (in bits) n and strength of the block cipher, on the length (in bits) m of the MAC, and on the specific mechanism.
The first mechanism specified in this part of ISO/IEC 9797 is commonly known as CBC-MAC (CBC is an abbreviation of Cipher Block Chaining).
The other five mechanisms are variants of CBC-MAC. MAC Algorithms 2, 3, 5 and 6 apply a special transformation at the end of the processing. MAC Algorithm 6 is an optimized variant of MAC Algorithm 2. MAC Algorithm 5 uses the minimum number of encryptions. MAC Algorithm 5 requires only a single block cipher key setup but it needs a longer internal key. MAC Algorithm 4 applies a special transformation at both the beginning and the end of the processing; this algorithm is recommended for use in applications which require that the key length of the MAC algorithm be twice that of the block cipher.

1   Scope

This part of ISO/IEC 9797 specifies six MAC algorithms that use a secret key and an n-bit block cipher to calculate an m-bit MAC.
This part of ISO/IEC 9797 can be applied to the security services of any security architecture, process, or application.
Key management mechanisms are outside the scope of this part of ISO/IEC 9797.
This part of ISO/IEC 9797 specifies object identifiers that can be used to identify each mechanism in accordance with ISO/IEC 8825-1. Numerical examples and a security analysis of each of the six specified algorithms are provided, and the relationship of this part of ISO/IEC 9797 to previous standards is explained.

2   Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
  • ISO/IEC 18033-3, Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers

3   Terms and definitions

For the purposes of this document, the following terms and definitions apply.
3.1
block
bit string of length n
3.2
block cipher key
key that controls the operation of a block cipher
3.3
ciphertext
data which has been transformed to hide its information content
[SOURCE: ISO/IEC 9798-1:2010]
3.4
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[SOURCE: ISO 7498-2]
3.5
decryption
reversal of a corresponding encryption
[SOURCE: ISO/IEC 9798-1:2010]
3.6
encryption
reversible operation by a cryptographic algorithm converting data into ciphertext so as to hide the information content of the data
[SOURCE: ISO/IEC 9798-1:2010]
3.7
key
sequence of symbols that controls the operation of a cryptographic transformation
Note 1 to entry: Examples are encryption, decryption, cryptographic check function computation, signature generation, or signature verification.
[SOURCE: ISO/IEC 9798-1:2010]
3.8
MAC algorithm key
key that controls the operation of a MAC algorithm
3.9
Message Authentication Code
MAC
string of bits which is the output of a MAC algorithm
Note 1 to entry: A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2[1]).
3.10
Message Authentication Code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits, satisfying the following two properties:
  • for any key and any input string, the function can be computed efficiently;
  • for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of a set of input strings and corresponding function values, where the value of the ith input string might have been chosen after observing the value of the first i - 1 function values (for integers i > 1)
Note 1 to entry: A MAC algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2[1]).
Note 2 to entry: Computational feasibility depends on the user's specific security requirements and environment.
3.11
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length
[SOURCE: ISO/IEC 10116]
3.12
output transformation
function that is applied at the end of the MAC algorithm, before the truncation operation
3.13
plaintext
unencrypted information
Note 1 to entry: Adapted from ISO/IEC 9798-1:2010.

Bibliography

[1] ISO 7498-2:1989, Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture
[2] ISO 8731-1:1987¹⁾, Banking – Approved algorithms for message authentication – Part 1: DEA
[3] ISO 8732:1988²⁾, Banking – Key management (wholesale)
[4] ISO/IEC 8825-1:2002³⁾, Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
[5] ISO/IEC 9798-1:2010, Information technology – Security techniques – Entity authentication – Part 1: General
[6] ISO 9807:1991⁴⁾, Banking and related financial services – Requirements for message authentication (retail)
[7] ISO/IEC 10116:2006, Information technology – Security techniques – Modes of operation for an n-bit block cipher
[8] ISO/IEC 11770 (all parts), Information technology – Security techniques – Key management
[9] ISO 11568 (all parts), Banking – Key management (retail)
[10] ANSI X3.92:1981, Data Encryption Algorithm
[11] ANSI X9.9:1986²⁾, Financial Institution Message Authentication (Wholesale)
[12] ANSI X9.19:1986, Financial Institution Retail Message Authentication
[13] ANSI X9.24-1:2004⁵⁾, Retail Financial Services Symmetric Key Management – Part 1: Using Symmetric Techniques
[14] NIST Special Publication 800-38B: 2005, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005
[15] M. Bellare, J. Kilian, and P. Rogaway, "The security of cipher block chaining", Advances in Cryptology, Proceedings Crypto'94, LNCS 839, Y. Desmedt, Ed., Springer-Verlag, 1994, pp. 341-358
[16] K. Brincat and C.J. Mitchell, "New CBC-MAC forgery attacks", Information Security and Privacy, ACISP 2001, LNCS 2119, V. Varadharajan and Y. Mu, Eds., Springer-Verlag, 2001, pp. 3-14
[17] D. Coppersmith, L.R. Knudsen, and C.J. Mitchell, "Key recovery and forgery attacks on the MacDES MAC algorithm", Advances in Cryptology, Proceedings Crypto 2000, LNCS 1880, M. Bellare, Ed., Springer-Verlag, 2000, pp. 184-196
[18] D. Coppersmith and C.J. Mitchell, "Attacks on MacDES MAC algorithm", Electronics Letters, Vol. 35, No. 19, 1999, pp. 1626-1627
[19] T. Iwata and K. Kurosawa, "OMAC: One-key CBC MAC", Proceedings Fast Software Encryption 2003, LNCS 2887, T. Johansson, Ed., Springer-Verlag, 2003, pp. 129-153
[20] L. Knudsen, "Chosen-text attack on CBC-MAC", Electronics Letters, Vol. 33, No. 1, 1997, pp. 48-49
[21] L. Knudsen and B. Preneel, "MacDES: MAC algorithm based on DES", Electronics Letters, Vol. 34, No. 9, 1998, pp. 871-873
[22] C.J. Mitchell, "Key recovery attack on ANSI retail MAC", Electronics Letters, Vol. 39, 2003, pp. 361-362
[23] C.J. Mitchell, "Partial key recovery attack on XCBC, TMAC and OMAC", Cryptography and Coding: Proceedings 10th IMA International Conference, LNCS 3796, N. Smart, Ed., Springer-Verlag, 2005, pp. 155-167 (See also: Royal Holloway, University of London, Mathematics Department Technical Report RHUL-MA-2003-4, August 2003, 15 pages)
[24] E. Petrank and C. Rackoff, "CBC MAC for real-time data sources", Journal of Cryptology, Vol. 13, No. 3, 2000, pp. 315-338
[25] B. Preneel and P.C. van Oorschot, "MDx-MAC and building fast MACs from hash functions", Advances in Cryptology, Proceedings Crypto'95, LNCS 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 1-14
[26] B. Preneel and P.C. van Oorschot, "A key recovery attack on the ANSI X9.19 retail MAC", Electronics Letters, Vol. 32, No. 17, 1996, pp. 1568-1569
[27] B. Preneel and P.C. van Oorschot, "On the security of iterated Message Authentication Codes", IEEE Transactions on Information Theory, Vol. 45, No. 1, January 1999, pp. 188-199

1) Withdrawn. ISO 8731-1:1987 has been cancelled and replaced by ISO 16609:2004.
2) Withdrawn.
3) Withdrawn. ISO/IEC 8825-1:2002 has been cancelled and replaced by ISO/IEC 8825-1:2008.
4) Withdrawn. ISO 9807:1991 has been cancelled and replaced by ISO 16609:2004.
5) Withdrawn. ANSI X9.24-1:2004 has been cancelled and replaced by ANSI X9.24-1:2009.