Message Authentication Code (MAC) algorithm

Concepts

MAC

MAC is used as a proof in symmetric key cryptography, which then is added to the end of the cryto messgae. At the receiver point, the receiver decrypt the message, generate a MAC from it and compare with the received MAC one. The integrity of the message can be guarrated practically in the case of the same recieved and computed MACs. A good illustration:

MAC description.

Based on the name, the MAC is used for authentication. Moreover, it is used to check the integrity and to become sure regarding non-repudiation of the message. Some important notes:

• MAC has a lower length in comparison with the plaintext. Thus, it is not unique like hash function. In other words, two different plaintexts may have the same MAC values. However, the likelihood of this occurrence is very low and thus it can be used for authentication and integrity.
• In comparison with checksum, a private key is used to generate MAC. So it can not be regenerated by an imaginary intruder, who has an oracle who decrypts the crypt massage.
• A good comparion between cryptography hash functions and MAC:

Comparion of hash, MAC and digital signature.

• The non-repudiation is still is a open question for me. I think the above table is correct in the sense that the length of MAC is lower than the length of the plaintext, but it is inpractical.!

Block cipher

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key.

MAC in ISO 8583

According to ISO-8583:2003 the MAC code should be in accordance with ISO 9807 code:

The MAC field in Table 3 of ISO 8583:2003.

Thus I started to search for ISO 9807. The last version of ISO 9807 was published in 1991 according to the ISO site, which then revised by ISO16609:2004 and then ISO16609:2012 (to Buy and another site).

Since the ISO-8583 standard is not changed yet, and in addition the version of year 1991 is mandatory by the CBI, I do not follow the new standard in a detail way.

According to this C# implementation of ANSI X9.19 and this Spanish JAVA implementation of ANSI X9.19:

The calculation of a MAC as described in ANSI X9.19 and ISO 9807 is a specific case of ISO / IEC 9797 when block size 64, MAC length 32, with MAC algorithm 1 or MAC algorithm 3 (both with padding method 1 ) [ wikipedia.], and block encryption is DEA (“Data Encryption Algorithm”), as it is sometimes also referred to as DES. [ incits.org ]

Moreover:

The signature MAC ANSI X9.19 is a banking standard made in USA. It’s an evolution from X9.9 and it is also known as Retail-MAC. It’s a cipher based in DES-CBC, here are the links to the wiki for DES that means “Data Encryption Standard” and CBC that means”Cipher Block Chaining”. An international norm exists, that is very similar but a little more permisive called ISO 9807, it allows to use another cipher algorithms. ANSI X9.19 is a subset of ISO 9797, when the cipher block is 64 bits, MAC length is 32 and DES is used.

ISO/IEC 9797

The standard is well described in its wikipedia page. Only the MAC algorithm 1 is studied in this post.

MAC algorithm 1

This algorithm uses initial transformation 1 and output transformation 1. Only one key is required, K. (When the block cipher is DES, this is equivalent to the algorithm specified in FIPS PUB 113 Computer Data Authentication.[2]) Algorithm 1 is commonly known as CBC-MAC.[3]

Steps

1. Padding of the data to a multiple of the cipher block size
2. Splitting of the data into blocks
3. Initial transformation of the first block of data
4. Iteration through the remaining blocks of data
5. Output transformation of the result of the last iteration
6. Truncation of the result to the required length

Padding method 1

If necessary, add bits with value 0 to the end of the data until the padded data is a multiple of n. (If the original data was already a multiple of n, no bits are added.)

Splitting

The padded data D is split into q blocks D1, D2, … Dq, each of length n, suitable for the block cipher.

Initial transformation

A cryptographic operation is performed on the first block (D1), to create an intermediate block H1.

Initial transformation 1

D1 is encrypted with the key K: H1 = eK(D1)

Iteration

Blocks H2 … Hq are calculated by encrypting, with the key K, the bitwise exclusive-or of the corresponding data block and the previous H block.

for i = 2 to q: Hi = eK(Di ⊕ H(i-1))

If there is only one data block (q=1), this step is omitted.

Output transformation

A cryptographic operation is (optionally) performed on the last iteration output block Hq to produce the block G.

Output transformation 1

Hq is used unchanged: G = Hq

Implementation

Handy

The best found handy implementation: Orlin Grabbe.

C#

C# implementation of ANSI X9.19

Java

Spanish JAVA implementation of ANSI X9.19:

Links in this post:

What are the differences between a digital signature, a MAC and a hash?

Block cipher — Wikipedia

ISO 9807:1991 — Banking and related financial services — Requirements for message authentication…

http://www.terastandard.com/shop/standards/iso-16609-258

دانلود BS ISO 16609:2012

ISO 16609:2004 — Banking — Requirements for message authentication using symmetric techniques

ISO 16609:2012 — Financial services — Requirements for message authentication using symmetric…

Post: MAC ANSI X9.19 — ISO 9807 — ISO/IEC 9797 signature

Cifrado MAC ANSI X9.19 / ISO 9807 / ISO/IEC 9797 …

ISO/IEC 9797–1 — Wikipedia

CBC-MAC — Wikipedia

The DES Algorithm Illustrated