<4D F736F F D20838A B F955C8E8682A982E796DA8E9F914F5F A815B FD B A5F E646F63>

Size: px

Start display at page:

Download "<4D F736F F D20838A B F955C8E8682A982E796DA8E9F914F5F A815B FD B A5F E646F63>"

せぴあそめや
5 years ago
Views:

1 2008 年度版リストガイド ( メッセージ認証コード ) 平成 21 年 3 月独立行政法人情報通信研究機構独立行政法人情報処理推進機構

2 HMAC CBC-MAC CMAC MAC MAC i

3 MAC (Message Authentication Code) HMAC CBC-MAC CMAC HMAC, CBC-MAC, CMAC (MAC) 1

4 ( ) AES Advanced Encryption Standard ANSI American National Standards Institute CBC Cipher Block Chainig CMAC Cipher-based MAC FIPS Federal Information Processing Standard HMAC Hash function-based MAC IEC International Electrotechnical Commission ISO International Organization for Standardization MAC Message Authentication Code NIST National Institute of Standards and Technology PRF Pseudo Random Function PRP Pseudo Random Permutation RFC Request for Comments SP Special Publication TDEA Triple Data Encryption Algorithm 2

5 x : 16 x : x : : Enc K (X) : Enc K X LSB s (X) : X s MSB s (X) : X s X 1 : X 1 0 lg(x) : x 2 0 s : s (MAC) MAC ( )A MAC ( )B K MAC M K T = MAC(K, M) M T (M, T ) M K MAC T = MAC(K, M ) T = T T = T VALID, INVALID ( ) K A ( M, T ) B VALID / INVALID T MAC(K, M) T MAC(K, M) T = T? 1: MAC MAC 3

6 MAC MAC M K T MAC MAC M K VALID INVALID( ) MAC MAC MAC MAC MAC MAC MAC 1 MAC HMAC, CBC-MAC, CMAC HMAC HMAC SHA-2 (keyed hash function) HMAC 2 MAC HMAC HMAC (PRF) HMAC (PRF) Bellare [B06] (PRF) MD5 HMAC (HMAC-MD5 ) HMAC 2 1 HMAC TLS key generation (RFC2246) IPsec IKE (Internet Key Exchange) key derivation (RFC2409) AES CMAC IPsec IKE2 (Internet Key Exchange version 2) (RFC4306) (RFC4615) 2 HMAC-SHA-1 SSH (RFC4253) 4

7 M 1 M 2 M 3 M n-1 M n Enc K Enc K Enc K Enc K Enc K T 2: CBC-MAC M 1 M 2 M 3 Enc K Enc K Enc K T M 1 M 2 M 3 M 1 T M 2 M 3 Enc K Enc K Enc K Enc K Enc K Enc K T T 3: CBC-MAC CBC-MAC CBC-MAC AES CBC-MAC IV = 0 CBC MAC ( 2 ) CBC-MAC (PRP) CBC-MAC (PRF) MAC [BKR94] MAC [MOV96] 3 CBC-MAC (M 1 M 2 M 3 ) 3 K MAC T 6 (M 1 M 2 M 3 (M 1 T ) M 2 M3) MAC (= T ) CBC-MAC CBC-MAC FIPS 113 [FIPS113] 2008 CBC-MAC ISO [ISO16609] TDEA CBC-MAC 5

8 CMAC CMAC CBC-MAC CBC-MAC ISO/IEC [ISO/IEC ] 6 CBC-MAC MAC CMAC NIST SP800-38B [SP800-38B] CMAC CBC-MAC HMAC, CBC-MAC, CMAC 1 1: HMAC CBC-MAC CMAC /2 MAC FIPS 198 (2002) FIPS 113 (2008 ) NIST SP B (2005) ISO/IEC (2002) ISO/IEC (1999) ISO/IEC ( ) RFC 2104 (1997) ISO (2004) RFC 4493 (2006) ANS X9.71 (2000) ISO/TR (2005) ANS X9.19 (1998) HMAC HMAC HMAC B : ( ) H : HMAC ipad : 1 0x36 B K : K 0 : K B L : ( ) opad : 1 0x5c B T : MAC T len : MAC ( ) M : MAC. M () Mlen 0 Mlen < 2 B 8B 6

9 HMAC K L/2 HMAC SHA-256 L = 256/8 = 32 HMAC 128 B ISO/IEC HMAC (L ) (B ) HMAC HMAC (truncation) MAC MAC HMAC (truncation) T len MAC MAC T len 32 T len 8L MAC T len 4L HMAC HMAC M MAC HMAC(K, M, T len) = H((K 0 opad) H((K 0 ipad) M)) HMAC(K, M, T len) H: K: HMAC M: T len: MAC T : T len MAC 1. K B K 0 = K K B K (B L) 0 B K 0 4. K 0 = H(K) K B K 0 B K K 0 ipad K 0 ipad M (K 0 ipad) M H((K 0 ipad) M) 7. K 0 opad K 0 opad (K 0 opad) H((K 0 ipad) M) 7

10 9. 8. H((K 0 opad) H((K 0 ipad) M)) T len MAC T HMAC HMAC-VER(K, M, T ) H: HMAC MAC K: M: T : MAC VALID INVALID HMAC M MAC T 2. T = T VALID INVALID CBC-MAC CBC-MAC CBC-MAC b : ( ) K : M : M i : i Mn : Mlen : ( ) n : T : MAC T len : MAC ( ) CBC-MAC CBC-MAC(K, M, T len) Enc: b CBC-MAC M MAC K: M: Mlen T len: MAC T : T len MAC 1. n = Mlen/b n = Mlen/b n = n M b M = M 1 M 2... M n 1 M n 8

11 3. M n = M n 10 j j = nb Mlen 1 4. C 0 = 0 b 5. i = 1 n C i = Enc K (C i 1 M i ) 6. T = MSB T len (C n ) 7. T CBC-MAC CBC-MAC-VER(K, M, T ) Enc: b K: M: T : MAC VALID INVALID CBC-MAC MAC CBC-MAC M MAC T 2. T = T VALID INVALID CMAC CMAC CMAC b : ( ) R b : R 128 = , R 64 = K : K1, K2 : K 2 M : M i : i Mn : Mlen : ( ) n : T : MAC T len : MAC ( ) CMAC CMAC CMAC 9

12 CMAC CMAC K 2 K1, K2 (b ) Enc K (0 b ) 3 CMAC K K1, K2 SUBK(K) Enc: b K: CMAC K1, K2: 1. Enc K (0 b ) L 2. L 0 K1 = L 1 L 1 K1 = (L 1) R b 3. K1 0 K2 = K1 1 K1 1 K2 = (K1 1) R b 4. K1, K2 2, 3 GF(2 b ) 2 (=0 b 2 10) R b GF(2 b ) R 128 u u 7 + u 2 + u + 1, R 64 u 64 + u 4 + u 3 + u + 1 CMAC CMAC M MAC K CMAC MAC T len CMAC(K, M, T len) Enc: b K: M: Mlen T len: MAC T : T len MAC K K1, K2 2. Mlen = 0 n = 1 Mlen 0 n = Mlen/b 3. M b M = M 1 M 2... M n 1 M n 3 ANS X9.24 Annex C Enc K (0 b ) ( Enc DES b = 64) ID (KCV, Key Check Value) KCV KCV CMAC CBC-MAC MAC 10

13 * M 1 M 2 M n * M 1 M 2 M n K1 K2 Enc K Enc K Enc K Enc K Enc K Enc K MSB Tlen MSB Tlen T T 4: CMAC 4. M n M n = K1 M n M n M n = K2 (M n 10 j ) j = nb Mlen 1 5. C 0 = 0 b 6. i = 1 n C i = Enc K (C i 1 M i ) 7. T = MSB T len (C n ) 8. T 3, 4 CBC 1 CMAC CMAC-VER(K, M, T ) CMAC MAC Enc: b K: M: T : MAC VALID INVALID CMAC M MAC T 2. T = T VALID INVALID MAC MAC T len MAC T len [SP800-38B] Appendix A MAC K M MAC (guessing attack) MAC MAC T len 1/2 T len T len MAC 11

14 MAC T len MAC (truncation) MAC MAC 32 MAC T len 2 Risk: MaxInvalids: INVALID ( ) T len T len lg(m axinvalids/risk) MAC MAC [SP800-38B] Appendix B MAC T len 2 T len/2 MAC (collision ) collision MAC MAC 128 CMAC MAC CMAC CMAC collision CMAC collision CMAC MAC 2 48 (2 48 Gbyte) 64 CMAC 2 21 (16 Mbyte) 12

15 [B06] M. Bellare, New proofs for NMAC and HMAC: Security without collisionresistance, Advances in Cryptology CRYPTO 06, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20 24, Proceedings, ed. C. Dwork, pp , Lecture Notes in Computer Science vol. 4117, Springer-Verlag, [BKR94] M. Bellare, J. Kilian, and P. Rogaway, The Security of Cipher Block Chaining, Advances in Cryptology CRYPTO 94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August Proceedings, ed. Y.G. Desmedt, pp , Lecture Notes in Computer Science vol. 839, Springer-Verlag, [FIPS113] Federal Information Processing Standards Publication 113, Computer Data Authentication, National Institute of Standards and Technology. [FIPS198] Federal Information Processing Standards Publication 198, The Keyed- Hash Message Authentication Code (HMAC), National Institute of Standards and Technology, March 6, [FIPS198-1] Federal Information Processing Standards Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), National Institute of Standards and Technology, July, [ISO16609] ISO 16609: 2004, Banking Requirements for message authentication using symmetric techniques. [ISO/IEC ] ISO/IEC : 1999, Information technology Security techniques Message Authentication Codes (MACs) Part 1:Mechanisms using a block cipher. [MOV96] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, [SP800-38B] NIST Special Publication B, Morris Dworkin, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, National Institute of Standards and Technology, May,

16 不許複製禁無断転載発行日 2009 年 5 月 14 日第 1 版第 1 刷発行者東京都小金井市貫井北四丁目 2 番 1 号独立行政法人情報通信研究機構 ( 情報通信セキュリティ研究センターセキュリティ基盤グループ ) NATIONAL INSTITUTE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY NUKUI-KITAMACHI,KOGANEI TOKYO, JAPAN 東京都文京区本駒込二丁目 28 番 8 号独立行政法人情報処理推進機構 ( セキュリティセンター暗号グループ ) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN HONKOMAGOME,BUNKYO-KU TOKYO, JAPAN

<4D F736F F D F81798E518D6C8E9197BF33817A88C38D868B5A8F70834B D31292E646F63>

<4D F736F F D F81798E518D6C8E9197BF33817A88C38D868B5A8F70834B D31292E646F63> 参考資料 3 CRYPTREC 暗号技術ガイドライン (SHA-1) 2014 年 3 月独立行政法人情報通信研究機構独立行政法人情報処理推進機構目次 1. 本書の位置付け... 1 1.1. 本書の目的... 1 1.2. 本書の構成... 1 1.3. 注意事項... 1 2. ハッシュ関数 SHA-1 の利用について... 2 2.1. 推奨されない利用範囲... 2 2.2. 許容される利用範囲...