DocumentCode
1474650
Title
On the security of iterated message authentication codes
Author
Preneel, Bart ; Van Oorschot, Paul C.
Author_Institution
ESAT, Katholieke Univ., Leuven, Heverlee, Belgium
Volume
45
Issue
1
fYear
1999
fDate
1/1/1999 12:00:00 AM
Firstpage
188
Lastpage
199
Abstract
The security of iterated message authentication code (MAC) algorithms is considered, and in particular, those constructed from unkeyed hash functions. A new MAC forgery attack applicable to all deterministic iterated MAC algorithms is presented, which requires on the order of $2^{n/2}$ known text-MAC pairs for algorithms with n bits of internal memory, as compared to the best previous general attack which required exhaustive key search. A related key-recovery attack is also given which applies to a large class of MAC algorithms including a strengthened version of CBC-MAC found in ANSI X9.19 and ISO/IEC 9797, and envelope MAC techniques such as “keyed MD5”. The security of several related existing MACs based directly on unkeyed hash functions, including the secret prefix and secret suffix methods, is also examined.
Keywords
ANSI standards; IEC standards; ISO standards; codes; cryptography; iterative methods; message authentication; ANSI X9.19; CBC-MAC; ISO/IEC 9797; MAC algorithms; MAC forgery attack; deterministic iterated MAC algorithms; envelope MAC techniques; internal memory; iterated message authentication codes; key-recovery attack; keyed MD5; secret prefix; secret suffix; unkeyed hash functions; Banking; Cryptography; Data security; Digital signatures; Feedback; Forgery; IEC standards; ISO standards; Message authentication; Proposals;
fLanguage
English
Journal_Title
Information Theory, IEEE Transactions on
Publisher
ieee
ISSN
0018-9448
Type
jour
DOI
10.1109/18.746787
Filename
746787