1、BRITISH STANDARD BS ISO/IEC 9797:1994 Implementation of ISO/IEC 9797:1994 Information technology Security techniques Data integrity mechanism using a cryptographic check function employing a block cipher algorithm UDC 681.3.04:003.26BSISO/IEC9797:1994 This British Standard, having been prepared unde
2、r the directionof the Information Systems Technology StandardsPolicy Committee, waspublished under the authorityof the Standards Boardand comes into effect on 15November1994 BSI 04-2000 First published October 1990 Second edition November 1994 The following BSI references relate to the work on this
3、standard: Committee reference IST/33 Draft for comment 93/640639 DC ISBN 0 580 23505 X Committees responsible for this British Standard The preparation of this British Standard was entrusted by the Information Systems Technology Standards Policy Committee (IST/-) to Technical Committee IST/33, upon
4、which the following bodies were represented: Association for Payment Clearing Services CCTA (the Government Centre for Information Systems) Department of Trade and Industry It Standards Unit (Itd6a) GCHQ GCHQ (CESG) IBM United Kingdom Ltd. International Computers Limited Ministry of Defence Rank Xer
5、ox Ltd. Amendments issued since publication Amd. No. Date CommentsBSISO/IEC9797:1994 BSI 04-2000 i Contents Page Committees responsible Inside front cover National foreword ii Foreword iii Text of ISO/IEC 9797 1BSISO/IEC9797:1994 ii BSI 04-2000 National foreword This British Standard reproduces verb
6、atim ISO/IEC9797:1994 and implements it as the UK national standard. This revision supersedes BS ISO/IEC9797:1990, which is now withdrawn. This British Standard is published under the direction of the Information Systems Technology Standards Policy Committee whose Technical Committee IST/33 has the
7、responsibility to: aid enquirers to understand the text; present to the responsible international committee any enquiries on interpretation, or proposals for change, and keep UK interests informed; monitor related international and European developments and promulgate them in the UK. NOTEInternation
8、al and European Standards, as well as overseas standards, are available from Customer Services, Sales Department, BSI,389 Chiswick High Road, London W4 4AL. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their
9、 correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, pages i and ii, theISO/IEC title page, pages ii to iv, pages 1 to 8 and a backcover. This standard has be
10、en updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover.ISO/IEC9797:1994 (E) ii BSI 04-2000 Contents Page Foreword iii Introduction 1 1 Scope 1 2 Normative references 1 3 Definitions and notation 1 4 Requiremen
11、ts 1 5 MAC calculation 1 Annex A (normative) Optional Processes 4 Annex B (informative) Examples 6 Annex C (informative) Bibliography 8 Figure 1 The MAC calculation 3 Figure A.1 Optional process 1 4 Figure A.2 Optional process 2 5ISO/IEC9797:1994(E) BSI 04-2000 iii Foreword ISO (the International Or
12、ganization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the
13、respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of info
14、rmation technology, ISO and IEC have established a joint technical committee, ISO/IECJTC1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least75% of the national bo
15、dies casting a vote. International Standard ISO/IEC9797 was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology, Sub-Committee SC27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC9797:1989) which has been revised and extended to inc
16、lude an additional padding method, an additional method for the optional process as well as a new annex containing examples. Annex A forms an integral part of this International Standard. Annex B andAnnex C are for information only.iv blankISO/IEC9797:1994(E) BSI 04-2000 1 Introduction The mechanism
17、 specified in this International Standard is similar to that used in ISO8731-1, ISO9807 and in the ANSI X9.9 standard, except that it is defined in terms of an algorithm using n-bit data blocks and an m-bit check value, and that an additional padding method is specified. The calculation of cryptogra
18、phic check values as described in ISO8731-1, ANSI X9.9 and ANSI X9.19 is a specific case of this International Standard when n = 64 and m = 32, when padding method1 specified in5.1 is used, and when DEA (see ANSIX3.92:1981) is used. 1 Scope This International Standard specifies a method of using a k
19、ey and an n-bit block cipher algorithm to calculate an m-bit cryptographic check value. This method can be used as a data integrity mechanism to detect that data has not been altered in an unauthorised manner. The strength of the data integrity mechanism is dependent on the key length and its secrec
20、y, on the nature of the cryptographic algorithm, and on m, the length of the check value. This International Standard can be applied to the security services of any security architecture, process, or application. 2 Normative references The following standards contain provisions which, through refere
21、nce in this text, constitute provisions of this International Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this International Standard are encouraged to investigate the possibility of applying the m
22、ost recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. ISO/IEC 10116:1991, Informatio
23、n technology Modes of operation for an n-bit block cipher algorithm. 3 Definitions and notation 3.1 Definitions This International Standard makes use of the following terms defined in ISO7498-2 and ISO/IEC10116. 3.1.1 cryptographic check value information which is derived by performing a cryptograph
24、ic transformation on the data unit 3.1.2 data integrity the property that data has not been altered or destroyed in an unauthorized manner 3.1.3 n-bit block cipher algorithm a block cipher algorithm with the property that plaintext blocks and ciphertext blocks are n bits in length 3.2 Notation This
25、International Standard refers to the cryptographic check value as a Message Authentication Code (MAC). In contexts where the terms “most significant bit/byte” and “least significant bit/byte” have a meaning, e.g., where strings of bits are treated as numerical values, then the leftmost bits of a blo
26、ck shall be the most significant. 4 Requirements The length (m) of the MAC will be less than or equal to the block length (n). The result of the calculation and of any optional process is an information block of length n. The m leftmost bits of the final n-bit block form the MAC. 5 MAC calculation 5
27、.1 Padding and blocking The generation of a MAC requires the selection of one of two padding methods. The way in which the selection is made is beyond the scope of this International Standard. Method 1 The data for which the MAC is to be calculated shall be appended with as few (possibly none) “0” b
28、its as necessary to obtain a data string whose length (in bits) is an integer multiple of n.ISO/IEC9797:1994(E) 2 BSI 04-2000 Method 2 The data for which the MAC is to be calculated shall be appended with a single “1” bit. The resulting datashall then be appended with as few (possibly none) “0” bits
29、 as necessary to obtain a data string whose length (in bits) is an integer multiple of n. NOTEIf the length of data is not known by a verifier then padding method 2 should be used, since it permits a verifier to detect the addition or deletion of trailing “0” bits. The resulting data is divided into
30、 n-bit blocks (D 1 , D 2 ,., D q ). The bits which are padded to the original data, according to the chosen padding method, are only used for calculating and verifying the MAC. Consequently, the padding bits (if any) need not be stored or transmitted with the data. The verifier shall know whether or
31、 not the padding bits have been stored or transmitted, and which padding method is in use. 5.2 The cryptographic key The key should be randomly or pseudo-randomly generated. If the same algorithm is used for encipherment of the message, the key used for the calculation of the MAC should be different
32、 from that used for encipherment. 5.3 The initial stage The MAC is calculated as illustrated in Figure 1. The input register is initialized with the first block (D 1 ). This input data (I 1 ) is passed through the algorithm (A), which uses a key (K) to produce n bits in the output register (O 1 ). 5
33、.4 Subsequent stages The next n bits of data (D 2 ) are bitwise exclusive ored with the n bits of the output register (O 1 ) and the result is loaded into the input register of the next stage (I 2 ). The contents of the input register (I 2 ) is passed through the algorithm (A), which uses the key (K
34、) to produce n bits in the output register (O 2 ). This operation continues until all blocks have been processed. The result will be the final output block(O q ). 5.5 Optional Process The final output block (O q ) may be subjected to optional processing to increase the strength of the MAC. The optio
35、nal process (if used) shall be selected from those specified in normative Annex A. 5.6 The MAC The m leftmost bits of the final n-bit block form the MAC. NOTEUse of the optional process specified inA.1 ofAnnex A reduces the threat of exhaustive search attacks. In particular, this optional process is
36、 recommended when m = n.ISO/IEC9797:1994(E) BSI 04-2000 3 Figure 1 The MAC calculationISO/IEC9797:1994(E) 4 BSI 04-2000 Annex A (normative) Optional Processes A.1 Optional process 1 The following procedure specifies an optional process (see5.5) which may be used in accordance with a predefined agree
37、ment between sender and receiver. This optional process increases the strength of the MAC with respect to exhaustive key search and chosen plaintext attacks. In this optional process two cryptographic keys are used, which are denoted by (K) and (K 1 ). The n-bit block (O q ) is first generated using
38、 key (K) in the procedure specified in5.3 and5.4. Two additional steps shall then be performed (seeFigure A.1): a) decipher the output (O q ) using key (K 1 ) to obtain ; a) encipher using key (K) to obtain . This completes the optional process. The MAC is obtained as specified in5.6. A.2 Optional p
39、rocess 2 The following procedure specifies an optional process (see 5.5) which may be used in accordance with a predefined agreement between sender and receiver. This optional process increases the strength of the MAC with respect to chosen plaintext attacks. In this optional process two cryptograph
40、ic keys are used, which are denoted by (K) and (K 1 ), where (K 1 ) may be derived from (K). NOTEAn example of how to derive (K 1 ) from (K) is to complement alternate blocks of four bits of (K) commencing with the first four bits. The n-bit block (O q ) is first generated using key (K) in the proce
41、dure specified in5.3 and5.4. Figure A.1 Optional process 1 O q () O q () O q ()ISO/IEC9797:1994(E) BSI 04-2000 5 An additional step shall then be performed (seeFigure A.2): encipher the output (O q ) using key (K 1 ) to obtain (). This completes the optional process. The MAC is obtained as specified
42、 in5.6. Figure A.2 Optional process 2 O q ISO/IEC9797:1994(E) 6 BSI 04-2000 Annex B (informative) Examples This annex presents examples of the generation of a MAC employing the DEA (seeANSIX3.92) for padding methods1 and2 as well as optional processes1 and2. The plaintexts are the7-bit ASCII codes (
43、no parity) for “NowEisEtheEtimeEforEall” and “NowEisEtheEtimeEforEit”, where “E” denotes a blank. The first plaintext does not require any padding if padding method1 is chosen. The key (K) is0123456789ABCDEF. The key (K 1 ) in optional process1 was chosen to be FEDCBA9876543210, while the key (K 1 )
44、 in optional process2 was derived according to the note inA.2. B.1 Padding method1 Example 1: NowEisEtheEtimeEforEallE If no optional process is used the MAC consists of the m leftmost bits of(O 3 ). Optional process1 The MAC consists of them leftmost bits of (). Optional process 2 The MAC consists
45、of them leftmost bits of (). Example 2: NowEisEtheEtimeEforEit If no optional process is used the MAC consists of the m leftmost bits of(O 3 ). key (K) 01 23 45 67 89 AB CD EF D 1 4E 6F 77 20 69 73 20 74 D 2 68 65 20 74 69 6D 65 20 D 3 66 6F 72 20 61 6C 6C 20 I 1= D 1 4E 6F 77 20 69 73 20 74 O 1 3F
46、A4 0E 8A 98 4D 48 15 I 2= O 1 _ D 2 57 C1 2E FE F1 20 2D 35 O 2 0B 2E 73 F8 8D C5 85 6A I 3= O 2 _ D 3 6D 41 01 D8 EC A9 E9 4A O 3 70 A3 06 40 CC 76 DD 8B key (K 1 ) FE DC BA 1 76 54 32 10 B4 8D 36 EC 7A D5 69 4F A1 C7 2E 74 EA 3F A9 B6 O 3 O 3 O 3 key (K 1 ) F1 D3 B5 97 79 5B 3D 1F 10 F9 BC 67 A0 3
47、C D5 D8 key (K) 01 23 45 67 89 AB CD EF D 1 4E 6F 77 20 69 73 20 74 D 2 68 65 20 74 69 6D 65 20 D 3 66 6F 72 20 69 74 00 00 I 1= D 1 4E 6F 77 20 69 73 20 74 O 1 3F A4 0E 8A 98 4D 48 15 I 2= O 1 _ D 2 57 C1 2E FE F1 20 2D 35 O 2 0B 2E 73 F8 8D C5 85 6A I 3= O 2 _ D 3 6D 41 01 D8 E4 B1 85 6A O 3 E4 5B
48、 3A D2 B7 CC 08 56 O 3 O 3 ISO/IEC9797:1994(E) BSI 04-2000 7 Optional process1 The MAC consists of them leftmost bits of (). Optional process 2 The MAC consists of them leftmost bits of (). B.2 Padding method2 Example 1: NowEisEtheEtimeEforEallE If no optional process is used the MAC consists of the
49、 m leftmost bits of (O 4 ). Optional process1 The MAC consists of them leftmost bits of (). Optional process 2 The MAC consists of them leftmost bits of (). key (K 1 ) FE DC BA 98 76 54 32 10 32 8A C7 8B A1 CA 0B 3F 2E 2B 14 28 CC 78 25 4F key (K 1 ) F1 D3 B5 97 79 5B 3D 1F 21 5E 9C E6 D9 1B C7 FB key (K) 01 23 45 67 89 AB CD EF D 1 4E 6F 77 20 69 73 20 74 D 2 68 65 20 74 69 6D 65 20 D 3 66 6F 72 20 61 6C 6C 20 D 4 80 00 00 00 00 00 00 00 I 1= D 1 4E 6F 77 20 69 73 20 74 O 1 3F A4 0E 8A 98 4D 48 15 I 2= O 1 _ D 2 57 C1 2E