BS ISO IEC 9797-2-2011 Information technology Security techniques Message authentication codes (MACs) Mechanisms using a dedicated hashfunction《信息技术 安全技术 电文鉴别代码(MACs) 专用散列函数的机械结构》.pdf

1、BSI Standards PublicationBS ISO/IEC 9797-2:2011Incorporating corrigendum September 2015Information technology Security techniques Message Authentication Codes (MACs)Part 2: Mechanisms using a dedicated hash- functionBS ISO/IEC 9797-2:2011 BRITISH STANDARDNational forewordThis British Standard is the

2、 UK implementation of ISO/IEC 9797-2:2011. It supersedes BS ISO/IEC 9797-2:2002 which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques.A list of organizations represented on this committee can be obtained on request to its sec

3、retary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015ISBN 978 0 580 91701 1ICS 35.040Compliance with a British Standard cannot

4、confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 May 2011.Amendments/corrigenda issued since publicationDate Text affected30 September 2015 Implementation of ISO corrected text 15 June 2011: correction

5、s to subclauses 3.14, 6.3, 6.3.5 and 6.3.6Reference numberISO/IEC 9797-2:2011(E)ISO/IEC 2011INTERNATIONAL STANDARD ISO/IEC9797-2Second edition2011-05-01Corrected version2011-06-15Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-

6、function Technologies de linformation Techniques de scurit Codes dauthentification de message (MAC) Partie 2: Mcanismes utilisant une fonction de hachage ddie BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2011 All rights reserved. Unless otherwise specified, no pa

7、rt of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale

8、56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2011 All rights reservedBS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 N

9、ormative references1 3 Terms and definitions .2 4 Symbols and notation.4 5 Requirements.5 6 MAC Algorithm 1 .6 6.1 Description of MAC Algorithm 1 7 6.1.1 Step 1 (key expansion)7 6.1.2 Step 2 (modification of the constants and the IV)7 6.1.3 Step 3 (hashing operation) .7 6.1.4 Step 4 (output transfor

10、mation).8 6.1.5 Step 5 (truncation).8 6.2 Efficiency8 6.3 Computation of the constants8 6.3.1 Dedicated Hash-Function 1 (RIPEMD-160) .9 6.3.2 Dedicated Hash-Function 2 (RIPEMD-128) .9 6.3.3 Dedicated Hash-Function 3 (SHA-1)10 6.3.4 Dedicated Hash-Function 4 (SHA-256)10 6.3.5 Dedicated Hash-Function

11、5 (SHA-512)10 6.3.6 Dedicated Hash-Function 6 (SHA-384)11 6.3.7 Dedicated Hash-Function 8 (SHA-224)11 7 MAC Algorithm 2 .12 7.1 Description of MAC Algorithm 2 12 7.1.1 Step 1 (key expansion)12 7.1.2 Step 2 (hashing operation) .12 7.1.3 Step 3 (output transformation).12 7.1.4 Step 4 (truncation).13 7

12、.2 Efficiency13 8 MAC Algorithm 3 .13 8.1 Description of MAC Algorithm 3 13 8.1.1 Step 1 (key expansion)13 8.1.2 Step 2 (modification of the constants and the IV)14 8.1.3 Step 3 (padding) 14 8.1.4 Step 4 (application of the round-function)14 8.1.5 Step 5 (truncation).15 8.2 Efficiency15 Annex A (nor

13、mative) ASN.1 Module .16 Annex B (informative) Examples .17 Annex C (informative) A security analysis of the MAC algorithms37 Bibliography39 BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) iv ISO/IEC 2011 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the

14、International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particul

15、ar fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have establis

16、hed a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical

17、 committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security

18、techniques. This second edition cancels and replaces the first edition (ISO/IEC 9797-2:2002), which has been technically revised by including MAC algorithms based on Dedicated Hash-Functions 4 7 of ISO/IEC 10118-3:2004 and Dedicated Hash-Function 8 of ISO/IEC 10118-3/Amd.1:2006. ISO/IEC 9797 consist

19、s of the following parts, under the general title Information technology Security techniques Message Authentication Codes (MACs): Part 1: Mechanisms using a block cipher Part 2: Mechanisms using a dedicated hash-function Part 3: Mechanisms using a universal hash-function Further parts may follow. Th

20、is corrected version of ISO/IEC 9797-2:2011 incorporates corrections to subclauses 3.14, 6.3, 6.3.5 and 6.3.6. BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved vIntroduction The International Organization for Standardization (ISO) and International Electrotechnical Commi

21、ssion (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of a patent concerning MAC Algorithm 1 (MDx-MAC) given in Clause 6. ISO and IEC take no position concerning the evidence, validity and scope of this patent right. The holder of this paten

22、t right has assured ISO and IEC that he is willing to negotiate licenses under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained fr

23、om: Entrust Technologies, Technology Licensing Dept., 1000 Innovation Drive, Ottawa, Ontario, Canada K2K 3E7. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsi

24、ble for identifying any or all such patent rights. BS ISO/IEC 9797-2:2011BS ISO/IEC 9797-2:2011INTERNATIONAL STANDARD ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved 1Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-func

25、tion 1 Scope This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorize

26、d manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key. The strength of the data integrity and message authentication mechanisms is dependent on the entropy and secrecy of the key, on t

27、he length (in bits) n of a hash-code produced by the hash-function, on the strength of the hash-function, on the length (in bits) m of the MAC, and on the specific mechanism. The three mechanisms specified in this part of ISO/IEC 9797 are based on the dedicated hash-functions specified in ISO/IEC 10

28、118-3. The first mechanism is commonly known as MDx-MAC. It calls the hash-function once, but it makes a small modification to the round-function in the hash-function by adding a key to the additive constants in the round-function. The second mechanism is commonly known as HMAC. It calls the hash-fu

29、nction twice. The third mechanism is a variant of MDx-MAC that takes as input only short strings (at most 256 bits). It offers higher performance for applications that work with short input data strings only. This part of ISO/IEC 9797 can be applied to the security services of any security architect

30、ure, process, or application. NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181-6 5. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. Fo

31、r undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 10118-3:2004, Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions ISO/IEC 10118-3:2004/Amd.1:2006, Information technology Security techniques Hash-fu

32、nctions Part 3: Dedicated hash-functions Amendment 1: Dedicated Hash-Function 8 (SHA-224) BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) 2 ISO/IEC 2011 All rights reserved3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 block bit-string of lengt

33、h L1, i.e. the length of the first input to the round-function ISO/IEC 10118-3 3.2 collision-resistant hash-function hash-function satisfying the following property: - it is computationally infeasible to find any two distinct inputs which map to the same output ISO/IEC 10118-1 3.3 entropy total amou

34、nt of information yielded by a set of bits, representative of the work effort required for an adversary to be able to reproduce the same set of bits ISO/IEC 18032 3.4 input data string string of bits which is the input to a hash-function 3.5 hash-code string of bits which is the output of a hash-fun

35、ction ISO/IEC 10118-1 3.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: - for a given output, it is computationally infeasible to find an input which maps to this output; - for a given input, it is computationally infeasib

36、le to find a second input which maps to the same output ISO/IEC 10118-1 3.7 initializing value value used in defining the starting point of a hash-function ISO/IEC 10118-1 3.8 MAC algorithm key key that controls the operation of a MAC algorithm ISO/IEC 9797-1 BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:201

37、1(E) ISO/IEC 2011 All rights reserved 33.9 Message Authentication Code (MAC) string of bits which is the output of a MAC algorithm NOTE A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 1). ISO/IEC 9797-1 3.10 Message Authentication Code (MAC) algorithm algorithm for

38、computing a function which maps strings of bits and a secret key to fixed-length strings of bits, satisfying the following two properties: - for any key and any input string, the function can be computed efficiently; - for any fixed key, and given no prior knowledge of the key, it is computationally

39、 infeasible to compute the function value on any new input string, even given knowledge of the set of input strings and corresponding function values, where the value of the ith input string may have been chosen after observing the value of the first i-1 function values (for integer i 1) NOTE 1 A MA

40、C algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2 1). NOTE 2 Computational feasibility depends on the users specific security requirements and environment. ISO/IEC 9797-1 3.11 output transformation function that is applied at the end of the MAC algorithm, bef

41、ore the truncation operation ISO/IEC 9797-1 3.12 padding appending extra bits to a data string ISO/IEC 10118-1 3.13 round-function function that transforms two binary strings of lengths L1and L2to a binary string of length L2NOTE 1 It is used iteratively as part of a hash-function, where it combines

42、 a data string of length L1with the previous output of length L2. ISO/IEC 10118-1 NOTE 2 This function is also referred to as compression function in a certain hash-function text. 3.14 security strength a number associated with the amount of work (i.e. the number of operations) that is required to b

43、reak a cryptographic algorithm or system NOTE Security strength is specified in bits, and is a specific value from the set 80, 112, 128, 192, 256. A security strength of b bits means that of the order of 2boperations are required to break the system. 3.15 word string of 32 bits used in Dedicated Has

44、h-Functions 1, 2, 3, 4 and 8, or a string of 64 bits used in Dedicated Hash-Functions 5 and 6 of ISO/IEC 10118-3 ISO/IEC 10118-3 BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) 4 ISO/IEC 2011 All rights reserved4 Symbols and notation This part of ISO/IEC 9797 makes use of the following symbols and nota

45、tion defined in ISO/IEC 9797-1 3: D the input data string, i.e. the data string to be input to the MAC algorithm. m the length (in bits) of the MAC. q the number of blocks in the input data string D after the padding and splitting process. j X the string obtained from the string X by taking the left

46、most j bits of X. X Y bitwise exclusive-or of bit-strings X and Y. X | Y concatenation of bit-strings X and Y (in that order). := a symbol denoting the set equal to operation used in the procedural specifications of MAC algorithms, where it indicates that the value of the string on the left side of

47、the symbol shall be made equal to the value of the expression on the right side of the symbol. For the purposes of this part of ISO/IEC 9797, the following symbols and notation apply: D padded data string. h hash-function. h the hash-function h with modified constants and modified IV. h simplified h

48、ash-function h without the padding and length appending, and without truncating the round-function output (L2bits) to its left-most LHbits. NOTE 1 h shall only be applied to input strings with a length that is a positive integer multiple of L1. NOTE 2 The output of h should be L2bits rather than LHb

49、its; in particular, in Dedicated Hash-Functions 6 and 8 defined in ISO/IEC 10118-3, LHis always smaller than L2. H, H strings of L2bits which are used in the MAC algorithm computation to store an intermediate result. IV, IV1, IV2initializing values. k length (in bits) of the MAC algorithm key. K secret MAC algorithm key. K,21210, KKKKKK secret MAC algorithm derived keys. KT the first input string of the function used in the output transforma