ISO/IEC 9797-2:2002
(Main)Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function
Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function
ISO/IEC 9797-2:2002 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorised manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key. The strength of the data integrity mechanism and message authentication mechanism is dependent on the length (in bits) k and secrecy of the key, on the length (in bits) n of a hash-code produced by the hash-function, on the strength of the hash-function, on the length (in bits) m of the MAC, and on the specific mechanism. The three mechanisms specified in ISO/IEC 9797-2:2002 are based on the dedicated hash-functions specified in ISO/IEC 10118-3. The first mechanism specified in ISO/IEC 9797-2:2002 is commonly known as MDx-MAC. It calls the complete hash-function once, but it makes a small modification to the round-function by adding a key to the additive constants in the round-function. The second mechanism specified in ISO/IEC 9797-2:2002 is commonly known as HMAC. It calls the complete hash-function twice. The third mechanism specified in ISO/IEC 9797-2:2002 is a variant of MDx-MAC that takes as input only short strings (at most 256 bits). It offers a higher performance for applications that work with short input strings only. ISO/IEC 9797-2:2002 can be applied to the security services of any security architecture, process, or application.
Technologies de l'information — Techniques de sécurité — Codes d'authentification de message (MAC) — Partie 2: Mécanismes utilisant une fonction de hachage
General Information
Relations
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 9797-2
First edition
2002-06-01
Information technology — Security
techniques — Message Authentication
Codes (MACs) —
Part 2:
Mechanisms using a dedicated
hash-function
Technologies de l'information — Techniques de sécurité — Codes
d'authentification de message (MAC) —
Partie 2: Mécanismes utilisant une fonction de hachage
Reference number
ISO/IEC 9797-2:2002(E)
©
ISO/IEC 2002
---------------------- Page: 1 ----------------------
ISO/IEC 9797-2:2002(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2002
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO/IEC 2002 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 9797-2:2002(E)
Contents
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbols and notation 2
5 Requirements 3
6 MAC Algorithm 1 3
6.1 Description of MAC Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1.2 Step 2 (modification of the constants and the IV) . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1.3 Step 3 (hashing operation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1.4 Step 4 (output transformation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1.5 Step 5 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.3 Computation of the constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.3.1 Dedicated Hash-Function 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.3.2 Dedicated Hash-Function 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.3.3 Dedicated Hash-Function 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7 MAC Algorithm 2 5
7.1 Description of MAC Algorithm 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1.2 Step 2 (hashing operation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1.3 Step 3 (output transformation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1.4 Step 4 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8 MAC Algorithm 3 6
8.1 Description of MAC Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1.2 Step 2 (modification of the constants and the IV) . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1.3 Step 3 (padding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1.4 Step 4 (application of the round-function) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1.5 Step 5 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
© ISO/IEC 2002 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 9797-2:2002(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards
adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9797 may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 9797 consists of the following parts, under the general title Information technology — Security
techniques — Message Authentication Codes (MACs):
Part 1: Mechanisms using a block cipher
Part 2: Mechanisms using a dedicated hash-function
Further parts may follow.
Annexes A and B of this part of ISO/IEC 9797 are for information only.
iv © ISO/IEC 2002 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 9797-2:2002(E)
Introduction
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw
attention to the fact that it is claimed that compliance with this part of ISO/IEC 9797 may involve the use of a patent
concerning MAC Algorithm 1 (MDx-MAC) given in Clause 6.
ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured the ISO and IEC that he is willing to negotiate licenses under reasonable
and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of
the holder of this patent right is registered with the ISO and IEC. Information may be obtained from
Entrust Technologies, Technology Licensing Dept., 750 Heron Road, Ottawa, Ontario, Canada K1V 1A7.
Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9797 may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
© ISO/IEC 2002 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 9797–2:2002(E)
Information technology — Security techniques —
Message Authentication Codes (MACs) —
Part 2:
Mechanisms using a dedicated hash-function
1 Scope ences, subsequent amendments to, or revisions of, any
of these publications do not apply. However, parties to
agreements based on this part of ISO/IEC 9797 are en-
This part of ISO/IEC 9797 specifies three MAC algo-
couraged to investigate the possibility of applying the
rithms that use a secret key and a hash-function (or
most recent editions of the normative documents indi-
its round-function) with an n-bit result to calculate an
cated below. For undated references, the latest edition
m-bit MAC. These mechanisms can be used as data
ofthenormativedocumentreferredtoapplies. Members
integrity mechanisms to verify that data has not been
of ISO and IEC maintain registers of currently valid In-
altered in an unauthorised manner. They can also be
ternational Standards.
used as message authentication mechanisms to provide
assurance that a message has been originated by an en-
ISO646:1991,Informationtechnology—ISO7-bitcoded
tity in possession of the secret key. The strength of the
character set for information interchange.
data integrity mechanism and message authentication
mechanism is dependent on the length (in bits) k and
ISO 7498-2:1989, Information processing systems —
secrecy of the key, on the length (in bits) n of a hash-
OpenSystemsInterconnection—BasicReferenceModel
code produced by the hash-function, on the strength of
— Part 2: Security Architecture.
thehash-function,onthelength(inbits)moftheMAC,
and on the specific mechanism.
ISO/IEC10118-1:2000,Informationtechnology—Secu-
rity techniques — Hash-functions — Part 1: General.
The three mechanisms specified in this part of
ISO/IEC 9797 are based on the dedicated hash-
ISO/IEC10118-3:1998,Informationtechnology—Secu-
functionsspecifiedinISO/IEC10118-3. Thefirstmech-
rity techniques — Hash-functions — Part 3: Dedicated
anism specified in this part of ISO/IEC 9797 is com-
hash-functions.
monlyknownasMDx-MAC. Itcallsthecompletehash-
function once, but it makes a small modification to the
3 Terms and definitions
round-functionbyaddingakeytotheadditiveconstants
in the round-function. The second mechanism specified
in this part of ISO/IEC 9797 is commonly known as 3.1 For the purposes of this part of ISO/IEC 9797, the
HMAC. It calls the complete hash-function twice. The following definitions from ISO/IEC 9797-1 apply.
third mechanism specified in this part of ISO/IEC 9797
is a variant of MDx-MAC that takes as input only short
3.1.1 MAC algorithm key: a key that controls the
strings(atmost256bits). Itoffersahigherperformance
operation of a MAC algorithm.
for applications that work with short input strings only.
3.1.2 Message Authentication Code (MAC): the
This part of ISO/IEC 9797 can be applied to the se-
string of bits which is the output of a MAC algo-
curity services of any security architecture, process, or rithm.
application.
NOTE — A MAC is sometimes called a crypto-
graphic check value (see for example ISO 7498-2).
2 Normative references
3.1.3 Message Authentication Code (MAC) al-
gorithm: an algorithm for computing a function
The following normative documents contain provisions
whichmapsstringsofbitsandasecretkeytofixed-
which, through reference in this text, constitute provi-
length strings of bits, satisfying the following two
sions of this part of ISO/IEC 9797. For dated refer-
properties:
c
� ISO/IEC 2002 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 9797–2:2002(E)
- for any key and any input string the function 3.3.1 block: bit-string of length L , i.e., the length of
1
can be computed efficiently; the first input to the round-function.
- foranyfixedkey,andgivennopriorknowledge
3.3.2 round-function: functionφ(.,.)thattransforms
of the key, it is computationally infeasible to
two binary strings of lengthsL andL to a binary
1 2
compute the function value on any new input
string of length L .
2
string, even given knowledge of the set of in-
NOTE — It is used iteratively as part of a hash-
putstringsandcorrespondingfunctionvalues,
function, whereitcombinesadatastringoflength
where the value of the ith input string may
L with the previous output of lengthL .
1 2
have been chosen after observing the value of
the first i−1 function values.
3.3.3 word: string of 32 bits.
NOTES
4 Symbols and notation
1 A MAC algorithm is sometimes called a crypto-
graphic check function (see for example ISO 7498-
2).
This part of ISO/IEC 9797 makes use of the following
2 Computational feasibility depends on the user’s symbols and notation defined in ISO/IEC 9797-1:
specific security requirements and environment.
0
D, D data strings to be input to the MAC algorithm.
3.1.4 output transformation: a function that is ap-
plied at the end of the MAC algorithm, before the
m the length (in bits) of the MAC.
truncation operation.
q the number of blocks in the data string D after the
padding and splitting process.
3.2 This part of ISO/IEC 9797 makes use of the
following general security-related terms defined in
j∼X the string obtained from the stringX by taking
ISO/IEC 10118-1.
the leftmost j bits of X.
X⊕Y exclusive-or of bit-strings X and Y.
3.2.1 collision-resistant hash-function:
hash-function satisfying the following property:
XkY concatenation of bit-strings X and Y (in that or-
der).
- itiscomputationallyinfeasibletofindanytwo
distinctinputswhichmaptothesameoutput.
:= a symbol denoting the ‘set equal to’ operation used
intheproceduralspecificationsofMACalgorithms,
3.2.2 data string (data): string of bits which is the
where it indicates that the value of the string on
input to a hash-function.
the left side of the symbol shall be made equal to
the value of the expression on the right side of the
3.2.3 hash-code: string of bits which is the output of
symbol.
a hash-function.
3.2.4 hash-function: function which maps strings of
For the purposes of this part of ISO/IEC 9797, the fol-
bits to fixed-length strings of bits, satisfying the
lowing symbols and notation apply:
following two properties:
- for a given output, it is computationally in-
D padded data string.
feasible to find an input which maps to this
output; h hash-function.
- for a given input, it is computationally infea- 0
h hash-function h with modified constants and modi-
sible to find a second input which maps to the
fied IV.
same output.
h simplified hash-function h without the padding and
3.2.5 initializing value: value used in defining the
length appending.
starting point of a hash-function.
NOTE —h shall only be applied to input strings
with a length that is a positive integer multiple of
3.2.6 padding: appending extra bits to a data string.
L .
1
0 00
3.3 This part of ISO/IEC 9797 makes use of the
H , H strings of L bits which are used in the MAC
2
following general security-related terms defined in
algorithm computation to store an intermediate re-
ISO/IEC 10118-3.
sult.
c
2 � ISO/IEC 2002 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 9797–2:2002(E)
0
IV , IV , IV initializing values. 5 Requirements
1 2
k length (in bits) of the MAC algorithm key.
Users who wish to employ a MAC algorithm from this
part of ISO/IEC 9797 shall select:
K secret MAC algorithm key.
0
K , K , K , K , K, K , K secret MAC algorithm
0 1 2 1 2
• a MAC algorithm from amongst those specified in
derived keys.
Clauses 6, 7, and 8;
˜
L the bit string encoding the message length in MAC
• a dedicated hash-function from those functions
Algorithm 3.
specified in ISO/IEC 10118-3; and
OPAD, IPAD constant strings used in MAC Algo-
• the length (in bits) m of the MAC.
rithm 2.
R, S , S , S constantstringsusedinthecomputation
Agreement on these choices amongst the users is essen-
0 1 2
of the constants for MAC Algorithm 1 and MAC
tialforthepurposeoftheoperationofthedataintegrity
Algorithm 3.
mechanism.
T , T , T constant strings used in the key derivation
0 1 2 For MAC Algorithm 1 and 2, the length m of the MAC
for MAC Algorithm 1 and MAC Algorithm 3.
shallbeapositiveintegerlessthanorequaltothelength
of the hash-codeL . For MAC Algorithm 3, the length
H
U , U , U constant strings used in the key derivation
0 1 2
m of the MAC shall be less than or equal to half the
for MAC Algorithm 1 and MAC Algorithm 3.
length of the hash-code, i.e., m≤L /2.
H
0
φ round-function with modified constants.
The length in bits of the data string D shall be at most
64
2 −1 for MAC Algorithm 1 and 2, and shall be at
K [i] the ith word of the 128-bit string K , i.e.,
1 1
most 256 for MAC Algorithm 3.
K =K [0]kK [1]kK [2]kK [3].
1 1 1 1 1
The selection of a specific MAC algorithm, dedicated
hash-function, and value for m are beyond the scope of
This part of ISO/IEC 9797 makes use of the following
this part of ISO/IEC 9797.
symbols and notation defined in ISO/IEC 10118-1:
NOTE — These choices affect the security level of the
MAC algorithm. For a detailed discussion, see An-
H hash-code.
nex B.
IV initializing value.
The key used for calculating and verifying the MAC
L length (in bits) of a bit-string X.
X
shall be the same. If the data string is also being en-
ciphered, the key used for the calculation of the MAC
shall be different from that used for encipherment.
This part of ISO/IEC 9797 makes use of the following
symbols and notation defined in ISO/IEC 10118-3:
NOTE — It is considered to be good cryptographic
practice to have independent keys for confidentiality
0
C , C constant words used in the round-functions.
i
i
and for data integrity.
L the length (in bits) of the first of the two input
1
strings to the round-function φ.
6 MAC Algorithm 1
L the length (in bits) of the second of the two input
2
NOTE — This clause contains a description of
stringstotheround-functionφ,oftheoutputstring
MDx-MAC [5]. More specifically, with Dedi-
from the round-function φ, and of IV.
cated Hash-Function 1 this mechanism is also
φ a round-function, i.e., if X and Y are bit-strings of
known as RIPEMD-160-MAC, with Dedicated
lengthsL andL respectively, thenφ(X,Y) is the
1 2
Hash-Function 2 this mechanism is also known
string obtained by applying φ to X and Y.
as RIPEMD-128-MAC, and with Dedicated
Hash-Function 3 this mechanism is also known
32
] The modulo 2 addition operation, i.e., if A, B are
as SHA-1-MAC.
words then A]B is the word obtained by treating
A and B as the binary representations of integers
32
and computing their sum modulo 2 , where the MAC Algorithm 1 requires one application of the hash-
32
result is constrained to lie between 0 and 2 −1 functiontocomputeaMACvalue, butrequiresthatthe
inclusive. constants in the round-function are modified.
c
� ISO/IEC 2002 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 9797–2:2002(E)
The hash-function shall be selected from Dedicated 6.1.3 Step 3 (hashing operation)
Hash-Function 1, 2 and 3 from ISO/IEC 10118-3:1998.
The string which is input to the modified hash-function
0
The key size k in bits shall be at most 128 bits. h is equal to the data string D, i.e.
0 0
H :=h (D).
6.1 Description of MAC Algorithm 1
MAC algorithm 1 requires the following five steps: key
6.1.4 Step 4 (output transformation)
expansion, modification of the constants and the IV,
0
hashing operation, output transformation, and trunca-
The modified round-function φ is applied one more
tion.
time,withasfirstinputthestringK k(K ⊕T )k(K ⊕
2 2 0 2
0
T )k(K ⊕T ), and as second input the string H (the
1 2 2
6.1.1 Step 1 (key expansion)
result of Step 3) i.e.
00 0 0
If K is shorter than 128 bits, concatenate K to itself a H :=φ (K k(K ⊕T )k(K ⊕T )k(K ⊕T ),H ).
2 2 0 2 1 2 2
sufficient number of times and select the leftmost 128
Here T , T , and T are 128-bit strings defined in
0 0 1 2
bits to form the 128-bit key K (if the length (in bits)
Clause 6.3 for each dedicated hash-function.
0
of K is equal to 128, K :=K):
0
NOTE — The output transformation corresponds to
K :=128∼(KkKk .kK).
processing an additional data block derived from K
2
after padding and appending of the length field.
Compute the subkeys K , K , and K as follows:
0 1 2
6.1.5 Step 5 (truncation)
0 0
K := h(K kU kK )
0 0
0 0
The MAC ofm bits is derived by taking the leftmostm
K := 128∼h(K kU kK )
1 1
00
bits of the string H , i.e.
0 0
K := 128∼h(K kU kK ).
2 2
00
MAC:=m∼H .
Here U , U , and U are 768-bit constants that are de-
0 1 2
fined in Clause 6.3, and h denotes the simplified hash-
functionh,i.e.,withoutthepaddingandlengthappend-
6.2 Efficiency
ing.
Assume that the padded data string (here the padding
NOTE — Padding and length appending can be omit-
algorithm is defined for a specific hash-function) con-
ted because in this case the length of the input string
tains q blocks; then MAC Algorithm 1 requires q + 7
is always 2L bits.
1
applications of the round-function.
This can be reduced to q+1 applications of the round-
ThederivedkeyK issplitintofourwordsdenotedK [i]
1 1
function by pre-computing the values K , K , and K .
(0≤i≤3), i.e.
0 1 2
0
and by replacing the initial value IV by IV in the ap-
K =K [0]kK [1]kK [2]kK [3].
1 1 1 1 1
plication of the hash-function.
For the conversion of a string into words, a byte order-
Itisrecommendedtomakethismodificationtothecode
ing convention is required. The byte ordering conven-
of the hash-function together with the mandatory mod-
tion for this conversion is that which is defined for each
ification required for Step 2.
dedicated hash-function in ISO/IEC 10118-3.
For long input strings, MAC Algorithm 1 has a perfor-
mance which is comparable to that of the hash-function
6.1.2 Step 2 (modification of the constants and
used.
the IV)
The additive constants used in the round-function are
6.3 Computation of the constants
32
modified by the addition mod 2 of one of the four
The constants described in this clause will be used in
words of K , e.g.,
1
bothMACAlgorithm1andMACAlgorithm3specified
C :=C ]K [0]. in Clause 8.
0 0 1
Clause 6.3 indicates which word of K is added to each The strings T and U are fixed elements of the descrip-
1 i i
constant. The initial value IV of the hash function is tion of the MAC algorithm. They are computed (only
0
replaced by IV := K . The resulting hash-function is once)usingthehash-function;theyaredifferentforeach
0
0 0
denoted by h , and its round-function is denoted by φ . of the three hash-functions.
c
4 � ISO/IEC 2002 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 9797–2:2002(E)
The 128-bit constants T and 768-bit constants U are Two sequences of constant words C ,C ,.,C and
i i 0 1 63
0 0 0
defined as follows. The definition ofT involves the 496- C ,C ,.,C are used in the round-function of Dedi-
i
0 1 63
bit constant R =“ab.yzAB.YZ01.89” and 16-bit cated Hash-Function 2. They are defined as follows:
constantsS ,S ,S ,whereS isthe16-bitstringformed
0 1 2 i
C = K [0]]00000000, (0≤i≤15),
i 1
byrepeatingtwicethe8-bitrepresentationofi(e.g., the
hexadecimalrepresentationofS is3131). Inbothcases C = K [1]]5A827999, (16≤i≤31),
1 i 1
ASCII coding is used; this is equivalent to coding using
C = K [2]]6ED9EBA1, (32≤i≤47),
i 1
ISO/IEC 646:1991.
C = K [3]]8F1BBCDC, (48≤i≤63),
i 1
for i:=0 to 2 T :=128∼h(S kR)
i i
0
C = K [0]]50A28BE6, (0≤i≤15),
for i:=0 to 2 U :=T kT kT kT kT kT
i i i+1 i+2 i i+1 i+2 1
i
0
C = K [1]]5C4DD124, (16≤i≤31),
1
i
where the subscripts in T are taken modulo 3.
i
0
C = K [2]]6D703EF3, (32≤i≤47),
1
i
0
0
For all constants C , C and all words K [i] the most
i 1 C = K [3]]00000000, (48≤i≤63).
i
1
i
significantbitcorrespondstotheleft-mostbit. Thecon-
0
stantsC andC arepresentedinhexadecimalrepresen-
i
i
6.3.3 Dedicated Hash-Function 3
tation.
The 128-bit constant strings T for Dedicated Hash-
i
6.3.1 Dedicated Hash-Function 1
Function 3 are defined as follows (in hexadecimal repre-
sentation):
The 128-bit constant strings T for Dedicated Hash-
i
Function 1 are defined as follows (in hexadecimal repre-
T = 1D4CA39FA40417E2AE5A77B49067BBCC
sentation): 0
T = 9318AFEF5D5A5B46EFCA6BEC0E138940
1
T = 4544209656E14F97005DAC76868E97A3
2
T = 1CC7086A046AFA22353AE88F3D3DACEB
0
T = E3FA02710E491D851151CC34E4718D41
1
A sequence of constant words C ,C ,.,C is used in
0 1 79
T = 93987557C07B8102BA592949EB638F37
2
round-functionofDedicatedHash-Function3. Theyare
defined as follows:
Two sequences of constant words C ,C ,.,C and
0 1 79
0 0 0
C ,C ,.,C are used in the round-function of Dedi-
0 1 79
C = K [0]]5A827999, (0≤i≤19),
i 1
cated Hash-Function 1. They are defined as follows:
C = K [1]]6ED9EBA1, (20≤i≤39),
i 1
C = K [0]]00000000, (0≤i≤15), C = K [2]]8F1BBCDC, (40≤i≤59),
i 1
i 1
C = K [1]]5A827999, (16≤i≤31), C = K [3]]CA62C1D6, (60≤i≤79).
i 1
i 1
C = K [2]]6ED9EBA1, (32≤i≤47),
i 1
C = K [3]]8F1BBCDC, (48≤i≤63),
i 1
C = K [0]]A953FD4E, (64≤i≤79),
i 1
7 MAC Algorithm 2
0
NOTE — This clause contains a description of
C = K [1]]50A28BE6, (0≤i≤15),
1
i
HMAC [3].
0
C = K [2]]5C4DD124, (16≤i≤31),
1
i
0
C = K [3]]6D703EF3, (32≤i≤47),
1
i
MAC Algorithm 2 requires two applications of a hash-
0
C = K [0]]7A6D76E9, (48≤i≤63),
1
i
function to compute a MAC value.
0
C = K [1]]00000000, (64≤i≤79).
1
i
The hash-function shall be selected from
ISO/IEC 10118-3, with the requirement that L is a
1
6.3.2 Dedicated Hash-Function 2
positive integer multiple of 8 and that L ≤L .
2 1
The 128-bit constant strings T for Dedicated Hash-
i
NOTE — Dedicated hash-functions 1, 2, and 3 in
Function 2 are defined as follows (in hexadecimal repre-
ISO/IEC 10118-3:1998 satisfy these conditions.
sentation):
ThekeysizekinbitsshallbeatleastL ,whereL isthe
2 2
T = FD7EC18964C36D53FC18C31B72112AAC size of the hash-code in bits, and at mostL bits, where
1
0
T = 2538B78EC0E273949EE4C4457A77525C L is the size of the data input of the round-function in
1
1
T = F5C93ED85BD65F609A7EB182A85BA181 bits, i.e., L ≤k≤L .
2 1
2
c
� ISO/IEC 2002 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 9797–2:2002(E)
7.1 Description of MAC Algorithm 2 One can pre-compute the values IV := φ(K ,IV) and
1 1
IV :=φ(K ,IV)andreplacetheinitialvalueIV byIV
2 2 1
MAC algorithm 2 requires the following four steps: key
in the first application of the hash-function, and by IV
2
expansion, hashing operation, output transformation,
in the output transformation (the second application of
and truncation.
the hash-function). This also requires a modification of
the padding method: indeed, the actual input to the
7.1.1 Step 1 (key expansion)
hash-function is now L bits shorter; this means that
1
the value L has to be added to the value L .
1 D
Append (L −k) zero bits to the right of the keyK; the
1
resulting string of length L is denoted by K. For long input strings, MAC Algorithm 2 has a perfor-
1
mance comparable to that of the hash-function used.
The key K is expanded to two subkeys K and K :
1 2
8 MAC Algorithm 3
• Define the string IPAD as the concatenation of
L /8 times the hexadecimal value ‘36’ (or the bi-
1
NOTE — This clause contains a variant of
nary value ‘00110110’). Then compute the value
MAC Algorithm 1 that is optimized for short
K as the exclusive-or of K and the string IPAD,
1
inputs (at most 256 bits).
i.e.
K :=K⊕IPAD.
1
MACAlgorithm3requiressevenapplicationsofthesim-
• Define the string OPAD as the concatenation of
plifiedround-functiontocomputeaMACvalue,butthis
L /8 times the hexadecimal value ‘5C’ (or the bi-
1
can be reduced to a single application of this round-
nary value ‘01011100’). Then compute the value
function by some pre-computation.
K as the exclusive-or of K and the string OPAD,
2
The hash-function shall be selected from Dedicated
i.e.
Hash-Function 1, 2 and 3 from ISO/IEC 10118-3:1998.
K :=K⊕OPAD.
2
The key size k in bits shall be at most 128 bits, and the
7.1.2 Step 2 (hashing operation)
MAC length m in bits shall be at most L /2.
H
The string which is input to the hash-function is equal
8.1 Description of MAC Algorithm 3
to the concatenation of K and D, i.e.
1
MAC algorithm 3 requires the following five steps: key
0
H :=h(K kD).
1
expansion, modification of the constants of the round-
function, padding, application of the round-function,
and truncation.
7.1.3 Step 3 (output transformation)
The string which is input to the hash-function is equal
8.1.1 Step 1 (key expansion)
0
to the concatenation of K and H , i.e.
2
If K is shorter than 128 bits, concatenate K to itself a
00 0
H :=h(K kH ).
2 sufficient number of times and select the leftmost 128
0
bits to form the 128-bit key K (if the length (in bits)
0
of K is equal to 128, K :=K):
7.1.4 Step 4 (truncation)
0
K :=128∼(KkKk .kK).
The MAC ofm bits is derived by taking the leftmostm
00
bits of the string H , i.e.
Compute the subkeys K , K , and K as follows:
0 1 2
00
MAC:=m∼H .
0 0
K := h(K kU kK )
0 0
0 0
K := 128∼h(K kU kK )
1 1
7.2 Efficiency
0 0
K := 128∼h(K kU kK ).
2 2
Assume that the padded data string (here the padding
Here U , U and U are 768-bit constants that are de-
0 1 2
algorithm is defined for a specific hash-function) con-
fined in Clause 6.3, and h denotes the hash-function h
tains q blocks; then MAC Algorithm 2 requires q + 3
without the padding and length appending.
applications of the round-function.
NOTE — Padding and length appending can be omit-
This can be reduced to q+1 applications of the round-
ted because in this case the length of the input string
function by modifying the code for the hash-function.
is always 2L bits.
1
c
6 � ISO/IEC 2002 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 9797–2:2002(E)
ThederivedkeyK issplitintofourwordsdenotedK [i] 8
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.