ISO/IEC 9797-1Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher[1] is aninternational standard that defines methods for calculating amessage authentication code (MAC) over data.
Rather than defining one specific algorithm, the standard defines a general model from which a variety of specific algorithms can be constructed. The model is based on ablock cipher with a secretsymmetric key.
Because the standard describes a model rather than a specific algorithm, users of the standard mustspecify all of the particular options and parameter to be used, to ensure unambiguous MAC calculation.
The model for MAC generation comprises six steps:
For most steps, the standard provides several options from which to choose, and/or allows some configurability.
The input data must be padded to a multiple of the cipher block size, so that each subsequent cryptographic operation will have a complete block of data. Three padding methods are defined. In each casen is the block length (inbits):
If necessary, add bits with value 0 to the end of the data until the padded data is a multiple ofn. (If the original data was already a multiple ofn, no bits are added.)
Add a single bit with value 1 to the end of the data. Then if necessary add bits with value 0 to the end of the data until the padded data is a multiple ofn.
The padded data comprises (in this order):
It is not necessary to transmit or store the padding bits, because the recipient can regenerate them, knowing the length of the unpadded data and the padding method used.
The padded dataD is split intoq blocksD1,D2, ...Dq, each of lengthn, suitable for the block cipher.
A cryptographic operation is performed on the first block (D1), to create an intermediate blockH1. Two initial transformations are defined:
D1 is encrypted with the keyK:
D1 is encrypted with the keyK, and then by a second keyK′′:
BlocksH2 ...Hq are calculated by encrypting, with the keyK, thebitwiseexclusive-or of the corresponding data block and the previousH block.
If there is only one data block (q=1), this step is omitted.
A cryptographic operation is (optionally) performed on the last iteration output blockHq to produce the blockG. Three output transformations are defined:
Hq is used unchanged:
Hq is encrypted with the keyK′:
Hq is decrypted with the keyK′ and the result encrypted with the keyK:
The MAC is obtained by truncating the blockG (keeping the leftmost bits, discarding the rightmost bits), to the required length.
The general model nominally allows for any combination of options for each of the padding, initial transformation, output transformation, and truncation steps. However, the standard defines four particular combinations of initial and output transformation and (where appropriate) key derivation, and two further combinations based on duplicate parallel calculations. The combinations are denoted by the standard as "MAC Algorithm 1" through "MAC Algorithm 6".
This algorithm uses initial transformation 1 and output transformation 1.
Only one key is required,K.
(When the block cipher isDES, this is equivalent to the algorithm specified inFIPS PUB 113Computer Data Authentication.[2])
Algorithm 1 is commonly known asCBC-MAC.[3]
This algorithm uses initial transformation 1 and output transformation 2.
Two keys are required,K andK′, butK′ may be derived fromK.
This algorithm uses initial transformation 1 and output transformation 3.
Two independent keys are required,K andK′.
Algorithm 3 is also known asRetail MAC.[4]
This algorithm uses initial transformation 2 and output transformation 2.
Two independent keys are required,K andK′, with a third keyK′′ derived fromK′.
MAC algorithm 5 comprises two parallel instances of MAC algorithm 1. The first instance operates on the original input data. The second instance operates on two key variants generated from the original key via multiplication in aGalois field. The final MAC is computed by the bitwiseexclusive-or of the MACs generated by each instance of algorithm 1.[5]
Algorithm 5 is also known asCMAC.[6]
 | This section needs to beupdated. Please help update this article to reflect recent events or newly available information.(May 2016) |
This algorithm comprises two parallel instances of MAC algorithm 4. The final MAC is the bitwise exclusive-or of the MACs generated by each instance of algorithm 4.[7]
Each instance of algorithm 4 uses a different key pair (K andK′) but those four keys are derived from two independent base keys.
MAC algorithms 2 (optionally), 4, 5 and 6 require deriving one or more keys from another key. The standard does not mandate any particular method of key derivation, although it does generally mandate that derived keys be different from each other.
The standard gives some examples of key derivation methods, such as "complement alternate substrings of four bits ofK commencing with the first four bits." This is equivalent to bitwise exclusive-oring eachbyte of the key with F0 (hex).
To completely and unambiguously define the MAC calculation, a user of ISO/IEC 9797-1 must select and specify:
Annex B of the standard is a security analysis of the MAC algorithms. It describes various cryptographic attacks on the algorithms – includingkey-recovery attack,brute force key recovery, andbirthday attack – and analyses the resistance of each algorithm to those attacks.
