论文信息 - On the Security of Two MAC Algorithms

On the Security of Two MAC Algorithms

The security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 267 known text-MAC pairs and time plus 213 chosen texts. For MAA, internal collisions are feud with fewer and shorter messages than previously by exploiting the algorithm's internal structure; consequently, the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from 224 to 217. This attack can be extended to one requiring only short messages (224 messages shorter than 1 Kbyte) to circumvent the special MAA mode for long messages. Moreover, certain internal collisions allow key recovery, and weak keys for MAA are identified.

Bart Preneel | Paul C. van Oorschot | B. Preneel | P. V. Oorschot

[1] Donald W. Davies,et al. Security for computer networks - an introduction to data security in teleprocessing and electronic funds transfer (2. ed.) , 1989, Wiley series in communication and distributed systems.

[2] Bart Preneel,et al. MDx-MAC and Building Fast MACs from Hash Functions , 1995, CRYPTO.

[3] Ronald L. Rivest,et al. The MD5 Message-Digest Algorithm , 1992, RFC.

[4] Donald W. Davies,et al. A Message Authenticator Algorithm Suitable for A Mainframe Computer , 1985, CRYPTO.

[5] Gene Tsudik. Message authentication with one-way hash functions , 1992, CCRV.

[6] Hugo Krawczyk,et al. Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[7] Mihir Bellare,et al. The Security of Cipher Block Chaining , 1994, CRYPTO.

[8] Perry Metzger,et al. IP Authentication using Keyed MD5 , 1995, RFC.

[9] Mitsuru Matsui,et al. The First Experimental Cryptanalysis of the Data Encryption Standard , 1994, CRYPTO.

[10] Mihir Bellare,et al. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions , 1995, CRYPTO.

[11] Eli Biham,et al. Differential Cryptanalysis of the Data Encryption Standard , 1993, Springer New York.