ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher[1] is an international standard that defines methods for calculating a message authentication code (MAC) over data.
Rather than defining one specific algorithm, the standard defines a general model from which a variety of specific algorithms can be constructed. The model is based on a block cipher with a secret symmetric key.
Because the standard describes a model rather than a specific algorithm, users of the standard must specify all of the particular options and parameter to be used, to ensure unambiguous MAC calculation.
The model for MAC generation comprises six steps:
For most steps, the standard provides several options from which to choose, and/or allows some configurability.
The input data must be padded to a multiple of the cipher block size, so that each subsequent cryptographic operation will have a complete block of data. Three padding methods are defined. In each case n is the block length (in bits):
If necessary, add bits with value 0 to the end of the data until the padded data is a multiple of n. (If the original data was already a multiple of n, no bits are added.)
Add a single bit with value 1 to the end of the data. Then if necessary add bits with value 0 to the end of the data until the padded data is a multiple of n.
The padded data comprises (in this order):
It is not necessary to transmit or store the padding bits, because the recipient can regenerate them, knowing the length of the unpadded data and the padding method used.
The padded data D is split into q blocks D1, D2, ... Dq, each of length n, suitable for the block cipher.
A cryptographic operation is performed on the first block (D1), to create an intermediate block H1. Two initial transformations are defined:
D1 is encrypted with the key K:
H1 = eK(D1)
D1 is encrypted with the key K, and then by a second key K′′:
H1 = eK′′(eK(D1))
Blocks H2 ... Hq are calculated by encrypting, with the key K, the bitwise exclusive-or of the corresponding data block and the previous H block.
for i = 2 to q
Hi = eK(Di ⊕ Hi-1)If there is only one data block (q=1), this step is omitted.
A cryptographic operation is (optionally) performed on the last iteration output block Hq to produce the block G. Three output transformations are defined:
Hq is used unchanged:
G = Hq
Hq is encrypted with the key K′:
G = eK′(Hq)
Hq is decrypted with the key K′ and the result encrypted with the key K:
G = eK(dK′(Hq))
The MAC is obtained by truncating the block G (keeping the leftmost bits, discarding the rightmost bits), to the required length.
The general model nominally allows for any combination of options for each of the padding, initial transformation, output transformation, and truncation steps. However, the standard defines four particular combinations of initial and output transformation and (where appropriate) key derivation, and two further combinations based on duplicate parallel calculations. The combinations are denoted by the standard as "MAC Algorithm 1" through "MAC Algorithm 6".
This algorithm uses initial transformation 1 and output transformation 1.
Only one key is required, K.
(When the block cipher is DES, this is equivalent to the algorithm specified in FIPS PUB 113 Computer Data Authentication.[2])
Algorithm 1 is commonly known as CBC-MAC.[3]
This algorithm uses initial transformation 1 and output transformation 2.
Two keys are required, K and K′, but K′ may be derived from K.
This algorithm uses initial transformation 1 and output transformation 3.
Two independent keys are required, K and K′.
Algorithm 3 is also known as Retail MAC.[4]
This algorithm uses initial transformation 2 and output transformation 2.
Two independent keys are required, K and K′, with a third key K′′ derived from K′.
MAC algorithm 5 comprises two parallel instances of MAC algorithm 1. The first instance operates on the original input data. The second instance operates on two key variants generated from the original key via multiplication in a Galois field. The final MAC is computed by the bitwise exclusive-or of the MACs generated by each instance of algorithm 1.[5]
Algorithm 5 is also known as CMAC.[6]
This algorithm comprises two parallel instances of MAC algorithm 4. The final MAC is the bitwise exclusive-or of the MACs generated by each instance of algorithm 4.[7]
Each instance of algorithm 4 uses a different key pair (K and K′) but those four keys are derived from two independent base keys.
MAC algorithms 2 (optionally), 4, 5 and 6 require deriving one or more keys from another key. The standard does not mandate any particular method of key derivation, although it does generally mandate that derived keys be different from each other.
The standard gives some examples of key derivation methods, such as "complement alternate substrings of four bits of K commencing with the first four bits." This is equivalent to bitwise exclusive-oring each byte of the key with F0 (hex).
To completely and unambiguously define the MAC calculation, a user of ISO/IEC 9797-1 must select and specify:
Annex B of the standard is a security analysis of the MAC algorithms. It describes various cryptographic attacks on the algorithms – including key-recovery attack, brute force key recovery, and birthday attack – and analyses the resistance of each algorithm to those attacks.