On the Security of Two MAC Algorithms

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


The security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 2^67 known text-MAC pairs and time plus 2^13 chosen texts. For MAA, internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm’s internal structure; consequently, the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from 2^24 to 2^17. This attack can be extended to one requiring only short messages (2^24 messages shorter than 1 Kbyte) to circumvent the special MAA mode for long messages. Moreover, certain internal collisions allow key recovery, and weak keys for MAA are identified.


Keywords: Hash Function, Block Cipher, Compression Function, Envelope Method, Forgery Attack



Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  1. Dept. Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Heverlee, Belgium
  2. Bell-Northern Research, Ottawa, Canada
