1、Reference numberISO/IEC 9797-1:1999(E)ISO/IEC 1999INTERNATIONALSTANDARDISO/IEC9797-1First edition1999-12-15Information technology Securitytechniques Message AuthenticationCodes (MACs) Part 1:Mechanisms using a block cipherTechnologies de linformation Techniques de scurit Codesdauthentification de me
2、ssage (MACs) Partie 1: Mcanismes utilisant un cryptogramme blocAdopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 12/13/00Published by American National Standards Institute,25 West 43rd Street, New York, New York 1
3、0036Copyright 2002 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information T
4、echnology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 200
5、05.Printed in the United States of AmericaISO/IEC 9797-1:1999(E)PDF disclaimerThis PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall notbe edited unless the typefaces which are embedded are licensed to and installed on t
6、he computer performing the editing. In downloading thisfile, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in thisarea.Adobe is a trademark of Adobe Systems Incorporated.Details of the software products used to c
7、reate this PDF file can be found in the General Info relative to the file; the PDF-creation parameterswere optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely eventthat a problem relating to it is found, please inform th
8、e Central Secretariat at the address given below. ISO/IEC 1999All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronicor mechanical, including photocopying and microfilm, without permission in writing from eith
9、er ISO at the address below or ISOs member bodyin the country of the requester.ISO copyright officeCase postale 56 Gb7 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 734 10 79E-mail copyrightiso.chWeb www.iso.chPrinted in Switzerlandii ISO/IEC 1999 All rights reservedISO/IEC 9797-1:1999(E) ISO/I
10、EC 1999 All rights reserved iiiForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are members of ISO or IECparticipate in the development of Internatio
11、nal Standards through technical committees established by therespective organization to deal with particular fields of technical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, inliaison with IS
12、O and IEC, also take part in the work.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the
13、joint technical committee are circulated to national bodies for voting.Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9797 may be the subject ofp
14、atent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.International Standard ISO/IEC 9797-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology, Subcommittee SC 27, IT Security techniques.This first edition of ISO/IEC 9797-1,
15、 together with the subsequent parts of ISO/IEC 9797, cancels and replacesISO/IEC 9797:1994, which has been revised and extended to a multi-part standard. Note, however, thatimplementations which comply with ISO/IEC 9797:1994 will be compliant with this edition of ISO/IEC 9797-1.ISO/IEC 9797 consists
16、 of the following parts, under the general title Information technology Securitytechniques Message Authentication Codes (MACs):Gbe Part 1: Mechanisms using a block cipherGbe Part 2: Mechanisms using a hash-functionFurther parts may follow.Annexes A and B of this part of ISO/IEC 9797 are for informat
17、ion only.INTERNATIONAL STANDARD ISO#2FIEC ISO#2FIEC 9797-1:1999#28E#29Information technology | Security techniques |Message Authentication Codes #28MACs#29 |Part 1:Mechanisms using a block cipher1 ScopeThispart ofISO#2FIEC 9797speci#0Ces six MAC algorithmsthat use a secret key and an n-bit block cip
18、her to calcu-late an m-bit MAC. These mechanisms can be used asdata integritymechanisms to verify that data has notbeen altered in an unauthorised manner. They can alsobe used as message authentication mechanisms to pro-vide assurance that a message has been originated byan entity in possession of t
19、he secret key. The strengthof the data integritymechanism and message authenti-cation mechanism is dependent on the length #28in bits#29k?and secrecy of the key,ontheblock length #28in bits#29 nand strength of the block cipher, on the length #28in bits#29m of the MAC, and on the speci#0Cc mechanism.
20、The #0Crst three mechanisms speci#0Ced in this part ofISO#2FIEC 9797 are commonly known as CBC-MAC#28CBC is the abbreviation of Cipher Block Chaining#29.The calculation of a MAC as described in ISO 8731-1 and ANSI X9.9 is a speci#0Cc case of this part ofISO#2FIEC 9797 when n = 64, m =32,MAC Algorith
21、m1and Padding Method 1 are used, and the block cipheris DEA #28ANSI X3.92: 1981#29. The calculation of a MACas described in ANSI X9.19 and ISO 9807 is a speci#0Cccase of this part of ISO#2FIEC 9797 when n =64,m =32,either MAC Algorithm 1 or MAC Algorithm 3 is used#28both with Padding Method 1#29, an
22、d the block cipher isDEA #28ANSI X3.92: 1981#29.The fourth mechanism is a variant of CBC-MAC witha special initial transformation. It is recommended forapplications which require that the key length of theMAC algorithm is twice that of the block cipher.NOTES1For example, in the case of DEA #28ANSI X
23、3.92: 1981#29,the block cipher key length is 56 bits, while the MACalgorithm key length is 112 bits.2 When used with DEA #28whichisalsoknown as DES#29,this algorithm is called MacDES #5B12#5D.The #0Cfth and sixth mechanismuse two parallelinstancesof the #0Crst and fourth mechanismrespectively, and c
24、om-bine the two results with a bitwise exclusive-or opera-tion. They are recommended for applications whichre-quire an increased security level against forgery attacks#28cf. Annex B#29. The #0Cfth mechanism uses a single lengthMAC algorithmkey, while the sixth mechanismdoublesthe MAC algorithm key l
25、ength.This part of ISO#2FIEC 9797 can be applied to the se-curity services of any securityarchitecture, process, orapplication.2 Normative referencesThe following standards contain provisions which,through reference in this text, constitute provisions ofthis part of ISO#2FIEC 9797. At the time of pu
26、blication,the editions indicated were valid. All standards are sub-ject to revision, and parties to agreements based on thispart of ISO#2FIEC 9797 are encouraged to investigate thepossibility of applying the most recent editions of thestandards indicated below. Members of IEC and ISOmaintain registe
27、rs of currently valid International Stan-dards.ISO 7498-2: 1989, Information processing systems |Open Systems Interconnection | Basic ReferenceModel|Part2:Security Architecture.ISO#2FIEC 9798-1: 1997, Information technology | Se-curity techniques | Entity authentication | Part 1:General.ISO#2FIEC 10
28、116: 1997, Information technology|Secu-rity techniques | Modes of operation for an n-bit blockcipher.3 De#0Cnitions3.1 This part of ISO#2FIEC 9797 makes use of the follow-ing general security-related term de#0Cned in ISO 7498-2.1ISO#2FIEC 9797-1:1999#28E#29 c#0D ISO#2FIEC3.1.1 data integrity: the pr
29、operty that data has notbeen altered or destroyed in an unauthorized man-ner.3.2 For the purposes of this part of ISO#2FIEC 9797, thefollowing de#0Cnitions apply.3.2.1 block: a bit-string of length n.3.2.2 block cipher key: akey that controls the oper-ation of a block cipher.3.2.3 initial transforma
30、tion: a function that is ap-plied at the beginning of the MAC algorithm.3.2.4 MAC algorithm key: akey that controls theoperation of a MAC algorithm.3.2.5 Message Authentication Code #28MAC#29: thestring of bits which is the output of a MAC algo-rithm.NOTE | A MAC is sometimes called a crypto-graphic
31、 checkvalue #28see for example ISO 7498-2#29.3.2.6 Message Authentication Code #28MAC#29 al-gorithm: an algorithm for computing a functionwhich maps strings of bits and a secret key to #0Cxed-length strings of bits, satisfying the following twoproperties:- for anykey and any input string the functio
32、ncan be computed e#0Eciently;- forany #0Cxed key, and givenno prior knowledgeof the key, it is computationally infeasible tocompute the function value on any new inputstring, even given knowledge of the set of in-put strings and corresponding function values,where the value of the ith input string m
33、ayhave been chosen after observing the value ofthe #0Crst i,1 function values.NOTES1AMAC algorithm is sometimes called a crypto-graphic check function #28see for example ISO 7498-2#29.2 Computational feasibility depends on the usersspeci#0Cc security requirements and environment.3.2.7 output transfo
34、rmation: a function that is ap-plied at the end of the MAC algorithm, before thetruncation operation.3.3 This part of ISO#2FIEC 9797 makes use of thefollowing general security-related terms de#0Cned inISO#2FIEC 9798-1.3.3.1 ciphertext: data which has been transformed tohide its information content.3
35、.3.2 decipherment: the reversal of a correspondingencipherment.3.3.3 encipherment: the #28reversible#29 transformationof data by a cryptographic algorithm to produceciphertext, i.e., to hide the information contentofthe data.3.3.4 key: a sequence of symbols that controls theoperation of a cryptograp
36、hic transformation #28e.g.,encipherment, decipherment, cryptographic checkfunction computation, signature generation, or sig-nature veri#0Ccation#29.3.3.5 plaintext: unenciphered information.3.4 This part of ISO#2FIEC 9797 makes use of thefollowing general security-related term de#0Cned inISO#2FIEC
37、10116.3.4.1 n-bit block cipher: a block cipher with theproperty that plaintext blocks and ciphertextblocks are n bits in length.4 Symbols and notationThroughout this part of ISO#2FIEC 9797 the followingsymbols and notation are used:D data string to be input to the MAC algorithm.Djablock derived from
38、 the data string D after thepadding process.dK#28C#29 decipherment of the ciphertext C with the blockcipher e using the key K.eK#28P#29 encipherment of the plaintext P with the blockcipher e using the key K.g output transformation,that mapsthe block Hqto theblock G.G the block that is the result of
39、the output transforma-tion.Hja blockwhich is used in the MAC algorithmto storean intermediate result.I initial transformation.k the length #28in bits#29 of the block cipher key.k?the length #28in bits#29 of the MAC algorithm key.K, K0, K00, K000, K1, K2, K01, K02, K001, K002secretblock cipher keys.L
40、 the length block, whichisusedinPadding Method 3.2c#0D ISO#2FIEC ISO#2FIEC 9797-1:1999#28E#29LDthe length #28in bits#29 of the data string D.m the length #28in bits#29 of the MAC.n the block length #28in bits#29 of the block cipher.q the number of blocks in the data string D after thepadding and spl
41、itting process.j #18 X the string obtained from the string X by takingthe leftmost j bits of X.X #08Y exclusive-or of bit-strings X and Y.XkY concatenation of bit-strings X and Y #28in that or-der#29.:= a symbol denoting the set equal to operation usedinthe procedural speci#0Ccations of MAC algorith
42、ms,where it indicates that the value of the string onthe left side of the symbol shall be made equal tothe value of the expression on the right side of thesymbol.5 RequirementsUsers who wish to employaMAC algorithm from thispart of ISO#2FIEC 9797 shall select:#0F a block cipher e;#0F a padding metho
43、d from amongst those speci#0Ced inClause 6.1;#0F aMAC algorithm from amongst those speci#0Ced inClause 7;#0F the length #28in bits#29 m of the MAC; and#0F a common key derivation method if MAC algo-rithms 4, 5, and 6 are used; a common key deriva-tion method may also be required for MAC algo-rithm 2
44、.Agreement on these choices amongst the users is essen-tialfor the purpose of the operation of the data integritymechanism.The length m of the MAC shall be a positiveinteger lessthan or equal to the block length n.If Padding Method 3 is used, the length in bits of thedata string D shall be less than
45、 2n.The selection of a speci#0Cc block cipher e, paddingmethod, MAC algorithm, value for m, and key deriva-tion method #28if any#29 are beyond the scope of this partof ISO#2FIEC 9797.NOTE | These choices a#0Bect the securitylevel of theMAC algorithm. For a detailed discussion, see An-nex B.The same
46、key shall be used for calculating and verifyingthe MAC. If the data string is also being enciphered,the key used for the calculation of the MACshallbedi#0Berent from that used for encipherment.NOTE | It is considered to be good cryptographicpractice to have independentkeys for con#0Cdentialityand fo
47、r data integrity.6 Model for MAC algorithmsThe application of the MAC algorithm requires the fol-lowing six steps: padding, splitting, initial transforma-tion, iterative application of the block cipher, outputtransformation, and truncation. Steps 3 through 6 areillustrated in Figure 1.?D1Ie,#01K-g+?
48、-D2H2.e,#01K-g+?-DqHqHq,1g?Gtruncation?MACFigure 1: Applicationof Step 3, 4, 5 and 6 of theMAC algorithm.6.1 Step 1 #28padding#29This step involves pre#0Cxing and#2For post#0Cxing the datastring D with additional padding bits such that thepadded version of the data string will always be a mul-tiple
49、of n bits in length. The padding bits that areadded to the original data string, according to the cho-sen padding method, are only used for calculating theMAC. Consequently, these padding bits #28if any#29 neednot be stored or transmitted with the data. The veri#0Cershall know whether or not the padding bits havebeen3ISO#2FIEC 9797-1:1999#28E#29 c#0D ISO#2FIECstored or transmitted, and which padding method is inuse.This part of ISO#2FIEC 9797 speci#0Ces three paddingmethods. Any of these three methods can be chosenfor the six MAC algorithms speci#0Ced
