ISO/IEC 9797-1

ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher[1] is an international standard that defines methods for calculating a message authentication code (MAC) over data.

Rather than defining one specific algorithm, the standard defines a general model from which a variety of specific algorithms can be constructed. The model is based around a block cipher with a secret symmetric key.

Because the standard describes a model rather than a specific algorithm, users of the standard must specify all of the particular options and parameters to be used, to ensure unambiguous MAC calculation.

Model

The model for MAC generation comprises six steps:

  1. Padding of the data to a multiple of the cipher block size
  2. Splitting of the data into blocks
  3. Initial transformation of the first block of data
  4. Iteration through the remaining blocks of data
  5. Output transformation of the result of the last iteration
  6. Truncation of the result to the required length

For most steps, the standard provides several options from which to choose, and/or allows some configurability.

Padding

The input data must be padded to a multiple of the cipher block size, so that each subsequent cryptographic operation will have a complete block of data. Three padding methods are defined. In each case n is the block length (in bits):

Padding method 1

If necessary, add bits with value 0 to the end of the data until the padded data is a multiple of n bits. (If the original data was already a multiple of n bits, no bits are added.) Note that this method does not encode the message length: a message and the same message with trailing 0 bits pad to identical data, so it gives an unambiguous MAC only when the length of the data is fixed or is authenticated by other means.

Padding method 2

Add a single bit with value 1 to the end of the data. Then if necessary add bits with value 0 to the end of the data until the padded data is a multiple of n.

Padding method 3

The padded data comprises (in this order):

  • The length of the unpadded data (in bits) expressed in big-endian binary in n bits (i.e. one cipher block)
  • The unpadded data
  • As many (possibly none) bits with value 0 as are required to bring the total length to a multiple of n bits

It is not necessary to transmit or store the padding bits, because the recipient can regenerate them, knowing the length of the unpadded data and the padding method used.

Splitting

The padded data D is split into q blocks D1, D2, ... Dq, each of length n, suitable for the block cipher.

Initial transformation

A cryptographic operation is performed on the first block (D1), to create an intermediate block H1. Two initial transformations are defined:

Initial transformation 1

D1 is encrypted with the key K:

H1 = eK(D1)

Initial transformation 2

D1 is encrypted with the key K, and the result is then encrypted with a second key K′′:

H1 = eK′′(eK(D1))

Iteration

Blocks H2 ... Hq are calculated by encrypting, with the key K, the bitwise exclusive-or of the corresponding data block and the previous H block.

for i = 2 to q
Hi = eK(Di ⊕ Hi−1)

If there is only one data block (q=1), this step is omitted.

Output transformation

A cryptographic operation is (optionally) performed on the last iteration output block Hq to produce the block G. Three output transformations are defined:

Output transformation 1

Hq is used unchanged:

G = Hq

Output transformation 2

Hq is encrypted with the key K′:

G = eK′(Hq)

Output transformation 3

Hq is decrypted with the key K′ and the result encrypted with the key K:

G = eK(dK′(Hq))

Truncation

The MAC is obtained by truncating the block G (keeping the leftmost bits, discarding the rightmost bits), to the required length.

Specific algorithms

The general model nominally allows for any combination of options for each of the padding, initial transformation, output transformation, and truncation steps. However, the standard defines four particular combinations of initial and output transformation and (where appropriate) key derivation, and two further algorithms built on top of them. The combinations are denoted by the standard as "MAC Algorithm 1" through "MAC Algorithm 6".

MAC algorithm 1

This algorithm uses initial transformation 1 and output transformation 1.

Only one key is required, K.

(When the block cipher is DES, this is equivalent to the algorithm specified in FIPS PUB 113 Computer Data Authentication.[2])

Algorithm 1 is commonly known as CBC-MAC.[3] Plain CBC-MAC is secure only when every message has the same fixed length. With padding method 1, no output transformation and an untruncated MAC, an attacker who has seen the MAC T1 of a one-block message M1 and the MAC T2 of a message M2 can produce a third message with MAC T2 without knowing K: M1 ∥ (first block of M2 ⊕ T1) ∥ (remaining blocks of M2) chains to exactly the same internal state as M2. Output transformation 2 or 3 (algorithms 2 to 4), a length prefix (padding method 3) or algorithm 5 removes this weakness.

MAC algorithm 2

This algorithm uses initial transformation 1 and output transformation 2.

Two keys are required, K and K′, but K′ may be derived from K.

MAC algorithm 3

This algorithm uses initial transformation 1 and output transformation 3.

Two independent keys are required, K and K′.

Algorithm 3 is also known as Retail MAC.[4]

MAC algorithm 4

This algorithm uses initial transformation 2 and output transformation 2.

Two independent keys are required, K and K′, with a third key K′′ derived from K′.

MAC algorithm 5

MAC algorithm 5 is the CMAC construction. It runs a single CBC-MAC chain under the key K (initial transformation 1, output transformation 1), but the last data block is XORed with one of two subkeys before it enters the chain. The subkeys are derived from K by multiplication in the Galois field GF(2^n): L = eK(0) (the encryption of an all-zero block) is multiplied by x to give the first subkey, which is multiplied by x again to give the second. The first subkey is used when the data is a non-empty whole number of blocks; otherwise the data is padded with padding method 2 and the second subkey is used. Because the subkey records whether padding was applied, a message and its padded form can no longer produce the same MAC, which is what removes the length-extension weakness of algorithm 1.[5]

Algorithm 5 is also known as CMAC.[6]

MAC algorithm 6

This algorithm comprises two parallel instances of MAC algorithm 4. The final MAC is the bitwise exclusive-or of the MACs generated by each instance of algorithm 4.[7]

Each instance of algorithm 4 uses a different key pair (K and K′), but those four keys are derived from two independent base keys.

This description follows the 1999 edition of the standard; the 2011 edition specifies a different algorithm 6 (see reference [7]).

Key derivation

MAC algorithms 2 (optionally), 4, 5 and 6 require deriving one or more keys from another key. The standard does not mandate any particular method of key derivation, although it does generally mandate that derived keys be different from each other.

The standard gives some examples of key derivation methods, such as "complement alternate substrings of four bits of K commencing with the first four bits." This is equivalent to bitwise exclusive-oring each byte of the key with F0 (hex).

Complete specification of the MAC calculation

To completely and unambiguously define the MAC calculation, a user of ISO/IEC 9797-1 must select and specify:

  • The block cipher algorithm e
  • The padding method (1 to 3)
  • The specific MAC algorithm (1 to 6)
  • The length of the MAC
  • The key derivation method(s) if necessary, for MAC algorithms 2, 4, 5 or 6

Security analysis of the algorithms

Annex B of the standard is a security analysis of the MAC algorithms. It describes various cryptographic attacks on the algorithms, including key-recovery attacks, brute-force key recovery and birthday attacks, and analyses the resistance of each algorithm to those attacks.

References

  1. ^ ISO/IEC 9797-1:2011 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher
  2. ^ "FIPS PUB 113 - Computer Data Authentication". National Institute of Standards and Technology. Retrieved 2011-10-01.
  3. ^ ISO/IEC 9797-1:2011 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher, Introduction
  4. ^ ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher. International Organization for Standardization. 2011. p. 11.
  5. ^ ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher. International Organization for Standardization. 2011. p. 12.
  6. ^ ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher. International Organization for Standardization. 2011. p. 13.
  7. ^ ISO/IEC 9797-1:1999 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher — Superseded by ISO/IEC 9797-1:2011, which (according to the latter's Foreword) has a different algorithm 6.
Block cipher

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key. Block ciphers operate as important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

The modern design of block ciphers is based on the concept of an iterated product cipher. In his seminal 1949 publication, Communication Theory of Secrecy Systems, Claude Shannon analyzed product ciphers and suggested them as a means of effectively improving security by combining simple operations such as substitutions and permutations. Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers, named a Feistel network after Horst Feistel, is notably implemented in the DES cipher. Many other realizations of block ciphers, such as the AES, are classified as substitution–permutation networks. The publication of the DES cipher by the United States National Bureau of Standards (subsequently the U.S. National Institute of Standards and Technology, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. It also influenced the academic development of cryptanalytic attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. As of 2016 there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute-force attacks.

Even a secure block cipher is suitable only for the encryption of a single block under a fixed key. A multitude of modes of operation have been designed to allow their repeated use in a secure way, commonly to achieve the security goals of confidentiality and authenticity. However, block ciphers may also feature as building blocks in other cryptographic protocols, such as universal hash functions and pseudo-random number generators.

CRYPTREC

CRYPTREC is the Cryptography Research and Evaluation Committees set up by the Japanese Government to evaluate and recommend cryptographic techniques for government and industrial use. It is comparable in many respects to the European Union's NESSIE project and to the Advanced Encryption Standard process run by NIST in the U.S.

Data Authentication Algorithm

The Data Authentication Algorithm (DAA) is a former U.S. government standard for producing cryptographic message authentication codes. DAA is defined in FIPS PUB 113, which was withdrawn on September 1, 2008. The algorithm is not considered secure by today's standards.

According to the standard, a code produced by the DAA is called a Data Authentication Code (DAC). The algorithm chain encrypts the data, with the last cipher block truncated and used as the DAC.

The DAA is equivalent to ISO/IEC 9797-1 MAC algorithm 1, or CBC-MAC, with DES as the underlying cipher, truncated to between 24 and 56 bits (inclusive).

List of International Organization for Standardization standards, 9000-9999

This is a list of published International Organization for Standardization (ISO) standards and other deliverables. For a complete and up-to-date list of all the ISO standards, see the ISO catalogue. The standards are protected by copyright and most of them must be purchased. However, about 300 of the standards produced by ISO and IEC's Joint Technical Committee 1 (JTC1) have been made freely and publicly available.

Message authentication code

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

NESSIE

NESSIE (New European Schemes for Signatures, Integrity and Encryption) was a European research project funded from 2000 to 2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES process and the Japanese Government-sponsored CRYPTREC project, but with notable differences from both. In particular, there is both overlap and disagreement between the selections and recommendations from NESSIE and CRYPTREC (as of the August 2003 draft report). The NESSIE participants include some of the foremost active cryptographers in the world, as does the CRYPTREC project.

NESSIE was intended to identify and evaluate quality cryptographic designs in several categories, and to that end issued a public call for submissions in March 2000. Forty-two were received, and in February 2003 twelve of the submissions were selected. In addition, five algorithms already publicly known, but not explicitly submitted to the project, were chosen as "selectees". The project has publicly announced that "no weaknesses were found in the selected designs".

Outline of cryptography

The following outline is provided as an overview of and topical guide to cryptography:

Cryptography (or cryptology) – practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.

Padding (cryptography)

In cryptography, padding refers to a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways, e.g. sincerely yours.


This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.