On the Security of Two MAC Algorithms
The security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using $2^{67}$ known text-MAC pairs and time plus $2^{13}$ chosen texts. For MAA, internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm’s internal structure; consequently, the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from $2^{24}$ to $2^{17}$. This attack can be extended to one requiring only short messages ($2^{24}$ messages shorter than 1 Kbyte) to circumvent the special MAA mode for long messages. Moreover, certain internal collisions allow key recovery, and weak keys for MAA are identified.
Keywords: Hash Function, Block Cipher, Compression Function, Envelope Method, Forgery Attack
- 1. M. Bellare, J. Kilian, P. Rogaway, “The security of cipher block chaining,” Proc. Crypto’94, LNCS 839, Springer-Verlag, 1994, pp. 341–358.
- 2. M. Bellare, R. Guérin, P. Rogaway, “XOR MACs: new methods for message authentication using block ciphers,” Proc. Crypto’95, LNCS 963, Springer-Verlag, 1995, pp. 15–28.
- 3. M. Bellare, R. Canetti, H. Krawczyk, “How to key Merkle-Cascaded pseudo-randomness and its concrete security,” 10 November 1995, http://www.research.ibm.com/security/.
- 4. M. Bellare, R. Canetti, H. Krawczyk, “Keying hash functions for message authentication,” 25 January 1996, http://www.research.ibm.com/security/.
- 5. E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
- 6. H. Block, “File authentication: A rule for constructing algorithms,” SÄKdata Report, October 12, 1983.
- 7. D. Davies, “A message authenticator algorithm suitable for a mainframe computer,” Proc. Crypto’84, LNCS 196, Springer-Verlag, 1985, pp. 393–400.
- 8. D. Davies, D.O. Clayden, “The message authenticator algorithm (MAA) and its implementation,” NPL Report DITC 109/88, Feb. 1988.
- 9. D. Davies, W. Price, Security for Computer Networks, 2nd ed., Wiley, 1989.
- 10. ISO 8731:1987, Banking — approved algorithms for message authentication, Part 1, DEA, IS 8731-1, Part 2, Message Authentication Algorithm (MAA), IS 8731-2.
- 11. ISO/IEC 9797:1993, Information technology — Data cryptographic techniques — Data integrity mechanisms using a cryptographic check function employing a block cipher algorithm.
- 12. B. Kaliski, M. Robshaw, “Message authentication with MD5,” CryptoBytes (RSA Laboratories Technical Newsletter), Vol. 1, No. 1, Spring 1995, pp. 5–8.
- 13. M. Matsui, “The first experimental cryptanalysis of the Data Encryption Standard,” Proc. Crypto’94, LNCS 839, Springer-Verlag, 1994, pp. 1–11.
- 14. B. Preneel, P.C. van Oorschot, “MDx-MAC and building fast MACs from hash functions,” Proc. Crypto’95, LNCS 963, Springer-Verlag, 1995, pp. 1–14.
- 15. R.L. Rivest, “The MD5 message-digest algorithm,” Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.
- 16. P. Rogaway, “Bucket hashing and its application to fast message authentication,” Proc. Crypto’95, LNCS 963, Springer-Verlag, 1995, pp. 29–42.
- 17. P. Metzger, W. Simpson, “IP Authentication using Keyed MD5,” Internet Request for Comments 1828, August 1995.