Cryptanalysis of message authentication codes

  • B. Preneel
Invited Lecture
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1396)


This paper gives a survey of attacks on Message Authentication Codes (MACs). First it defines the required security properties. Next it describes generic forgery and key recovery attacks on MACs. Subsequently an overview is presented of most MAC constructions and of attacks on these algorithms. The MACs described include CBC-MAC and its variants, the MAC algorithms derived from cryptographic hash functions, and the ISO banking standard Message Authenticator Algorithm, also known as MAA.


Keywords: Hash Function; Block Cipher; Message Authentication Code; Message Authentication; Compression Function
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • B. Preneel (1)
  1. Department Electrical Engineering-ESAT/COSIC, Katholieke Universiteit Leuven, Heverlee, Belgium
