1、BSI Standards Publication BS ISO/IEC 9797-2:2011 Incorporating corrigendum September 2015 Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash- functionBS ISO/IEC 9797-2:2011 BRITISH STANDARD National foreword This British Standard
2、is the UK implementation of ISO/IEC 9797-2:2011. It supersedes BS ISO/IEC 9797-2:2002 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to
3、 its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 91701 1 ICS 35.040 Compliance with a British Stan
4、dard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 May 2011. Amendments/corrigenda issued since publication Date Text affected 30 September 2015 Implementation of ISO corrected text 15 June
5、2011: corrections to subclauses 3.14, 6.3, 6.3.5 and 6.3.6 Reference number ISO/IEC 9797-2:2011(E) ISO/IEC 2011INTERNATIONAL STANDARD ISO/IEC 9797-2 Second edition 2011-05-01 Corrected version 2011-06-15Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms
6、 using a dedicated hash-function Technologies de linformation Techniques de scurit Codes dauthentification de message (MAC) Partie 2: Mcanismes utilisant une fonction de hachage ddie BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2011 All rights reserved. Unless ot
7、herwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyri
8、ght office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2011 All rights reservedBS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved iiiContents Page Foreword iv Int
9、roduction.v 1 Scope1 2 Normative references1 3 Terms and definitions .2 4 Symbols and notation.4 5 Requirements.5 6 MAC Algorithm 1 .6 6.1 Description of MAC Algorithm 1 7 6.1.1 Step 1 (key expansion)7 6.1.2 Step 2 (modification of the constants and the IV)7 6.1.3 Step 3 (hashing operation) .7 6.1.4
10、 Step 4 (output transformation).8 6.1.5 Step 5 (truncation).8 6.2 Efficiency8 6.3 Computation of the constants8 6.3.1 Dedicated Hash-Function 1 (RIPEMD-160) .9 6.3.2 Dedicated Hash-Function 2 (RIPEMD-128) .9 6.3.3 Dedicated Hash-Function 3 (SHA-1)10 6.3.4 Dedicated Hash-Function 4 (SHA-256)10 6.3.5
11、Dedicated Hash-Function 5 (SHA-512)10 6.3.6 Dedicated Hash-Function 6 (SHA-384)11 6.3.7 Dedicated Hash-Function 8 (SHA-224)11 7 MAC Algorithm 2 .12 7.1 Description of MAC Algorithm 2 12 7.1.1 Step 1 (key expansion)12 7.1.2 Step 2 (hashing operation) .12 7.1.3 Step 3 (output transformation).12 7.1.4
12、Step 4 (truncation).13 7.2 Efficiency13 8 MAC Algorithm 3 .13 8.1 Description of MAC Algorithm 3 13 8.1.1 Step 1 (key expansion)13 8.1.2 Step 2 (modification of the constants and the IV)14 8.1.3 Step 3 (padding) 14 8.1.4 Step 4 (application of the round-function)14 8.1.5 Step 5 (truncation).15 8.2 E
13、fficiency15 Annex A (normative) ASN.1 Module .16 Annex B (informative) Examples .17 Annex C (informative) A security analysis of the MAC algorithms37 Bibliography39 BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) iv ISO/IEC 2011 All rights reservedForeword ISO (the International Organization for Standa
14、rdization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organizati
15、on to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, I
16、SO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopte
17、d by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommi
18、ttee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 9797-2:2002), which has been technically revised by including MAC algorithms based on Dedicated Hash-Functions 4 7 of ISO/IEC 10118-3:2004 and Dedicated Hash-Function 8 of ISO/IEC 10118-3/Amd.1:20
19、06. ISO/IEC 9797 consists of the following parts, under the general title Information technology Security techniques Message Authentication Codes (MACs): Part 1: Mechanisms using a block cipher Part 2: Mechanisms using a dedicated hash-function Part 3: Mechanisms using a universal hash-function Furt
20、her parts may follow. This corrected version of ISO/IEC 9797-2:2011 incorporates corrections to subclauses 3.14, 6.3, 6.3.5 and 6.3.6. BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved vIntroduction The International Organization for Standardization (ISO) and Internationa
21、l Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of a patent concerning MAC Algorithm 1 (MDx-MAC) given in Clause 6. ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
22、The holder of this patent right has assured ISO and IEC that he is willing to negotiate licenses under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of this patent right is registered with ISO and IEC. Inform
23、ation may be obtained from: Entrust Technologies, Technology Licensing Dept., 1000 Innovation Drive, Ottawa, Ontario, Canada K2K 3E7. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC sh
24、all not be held responsible for identifying any or all such patent rights. BS ISO/IEC 9797-2:2011BS ISO/IEC 9797-2:2011INTERNATIONAL STANDARD ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved 1Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms usi
25、ng a dedicated hash-function 1 Scope This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been a
26、ltered in an unauthorized manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key. The strength of the data integrity and message authentication mechanisms is dependent on the entropy and
27、secrecy of the key, on the length (in bits) n of a hash-code produced by the hash-function, on the strength of the hash-function, on the length (in bits) m of the MAC, and on the specific mechanism. The three mechanisms specified in this part of ISO/IEC 9797 are based on the dedicated hash-functions
28、 specified in ISO/IEC 10118-3. The first mechanism is commonly known as MDx-MAC. It calls the hash- function once, but it makes a small modification to the round-function in the hash-function by adding a key to the additive constants in the round-function. The second mechanism is commonly known as H
29、MAC. It calls the hash-function twice. The third mechanism is a variant of MDx-MAC that takes as input only short strings (at most 256 bits). It offers higher performance for applications that work with short input data strings only. This part of ISO/IEC 9797 can be applied to the security services
30、of any security architecture, process, or application. NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181-6 5. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the
31、edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 10118-3:2004, Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions ISO/IEC 10118-3:2004/Amd.1:2006, Information technology Se
32、curity techniques Hash-functions Part 3: Dedicated hash-functions Amendment 1: Dedicated Hash-Function 8 (SHA-224) BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) 2 ISO/IEC 2011 All rights reserved3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1
33、block bit-string of length L 1 , i.e. the length of the first input to the round-function ISO/IEC 10118-3 3.2 collision-resistant hash-function hash-function satisfying the following property: - it is computationally infeasible to find any two distinct inputs which map to the same output ISO/IEC 101
34、18-1 3.3 entropy total amount of information yielded by a set of bits, representative of the work effort required for an adversary to be able to reproduce the same set of bits ISO/IEC 18032 3.4 input data string string of bits which is the input to a hash-function 3.5 hash-code string of bits which
35、is the output of a hash-function ISO/IEC 10118-1 3.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: - for a given output, it is computationally infeasible to find an input which maps to this output; - for a given input, it
36、is computationally infeasible to find a second input which maps to the same output ISO/IEC 10118-1 3.7 initializing value value used in defining the starting point of a hash-function ISO/IEC 10118-1 3.8 MAC algorithm key key that controls the operation of a MAC algorithm ISO/IEC 9797-1 BS ISO/IEC 97
37、97-2:2011ISO/IEC 9797-2:2011(E) ISO/IEC 2011 All rights reserved 33.9 Message Authentication Code (MAC) string of bits which is the output of a MAC algorithm NOTE A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 1). ISO/IEC 9797-1 3.10 Message Authentication Code (MA
38、C) algorithm algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits, satisfying the following two properties: - for any key and any input string, the function can be computed efficiently; - for any fixed key, and given no prior knowledge of the
39、 key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of the set of input strings and corresponding function values, where the value of the ith input string may have been chosen after observing the value of the first i-1 function values (f
40、or integer i 1) NOTE 1 A MAC algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2 1). NOTE 2 Computational feasibility depends on the users specific security requirements and environment. ISO/IEC 9797-1 3.11 output transformation function that is applied at the en
41、d of the MAC algorithm, before the truncation operation ISO/IEC 9797-1 3.12 padding appending extra bits to a data string ISO/IEC 10118-1 3.13 round-function function that transforms two binary strings of lengths L 1and L 2to a binary string of length L 2NOTE 1 It is used iteratively as part of a ha
42、sh-function, where it combines a data string of length L 1with the previous output of length L 2 . ISO/IEC 10118-1 NOTE 2 This function is also referred to as compression function in a certain hash-function text. 3.14 security strength a number associated with the amount of work (i.e. the number of
43、operations) that is required to break a cryptographic algorithm or system NOTE Security strength is specified in bits, and is a specific value from the set 80, 112, 128, 192, 256. A security strength of b bits means that of the order of 2 boperations are required to break the system. 3.15 word strin
44、g of 32 bits used in Dedicated Hash-Functions 1, 2, 3, 4 and 8, or a string of 64 bits used in Dedicated Hash-Functions 5 and 6 of ISO/IEC 10118-3 ISO/IEC 10118-3 BS ISO/IEC 9797-2:2011ISO/IEC 9797-2:2011(E) 4 ISO/IEC 2011 All rights reserved4 Symbols and notation This part of ISO/IEC 9797 makes use
45、 of the following symbols and notation defined in ISO/IEC 9797-1 3: D the input data string, i.e. the data string to be input to the MAC algorithm. m the length (in bits) of the MAC. q the number of blocks in the input data string D after the padding and splitting process. j X the string obtained fr
46、om the string X by taking the leftmost j bits of X. X Y bitwise exclusive-or of bit-strings X and Y. X | Y concatenation of bit-strings X and Y (in that order). := a symbol denoting the set equal to operation used in the procedural specifications of MAC algorithms, where it indicates that the value
47、of the string on the left side of the symbol shall be made equal to the value of the expression on the right side of the symbol. For the purposes of this part of ISO/IEC 9797, the following symbols and notation apply: D padded data string. h hash-function. h the hash-function h with modified constan
48、ts and modified IV. h simplified hash-function h without the padding and length appending, and without truncating the round-function output (L 2bits) to its left-most L Hbits. NOTE 1 h shall only be applied to input strings with a length that is a positive integer multiple of L 1. NOTE 2 The output
49、of h should be L 2 bits rather than L H bits; in particular, in Dedicated Hash-Functions 6 and 8 defined in ISO/IEC 10118-3, L H is always smaller than L 2. H, H strings of L 2bits which are used in the MAC algorithm computation to store an intermediate result. IV, IV 1 , IV 2initializing values. k length (in bits) of the MAC algorithm key. K secret MAC algorithm key. K, 2 1 2 1 0 , , , , , K K K K K K secret MAC algorithm derived keys. KT the first
