
2008 List Guide (Message Authentication Codes)
March 2009
National Institute of Information and Communications Technology (NICT)
Information-technology Promotion Agency, Japan (IPA)

Contents

1 Message Authentication Codes
  1.1 About this guide
    1.1.1 Purpose
    1.1.2 Scope
    1.1.3 Organization
  1.2 Abbreviations and notation
    1.2.1 Abbreviations
    1.2.2 Notation
  1.3 Overview of message authentication codes
    1.3.1 What a MAC is
    1.3.2 Security of a MAC
    1.3.3 Overview of HMAC, CBC-MAC and CMAC
  1.4 Specifications
    1.4.1 HMAC
    1.4.2 CBC-MAC
    1.4.3 CMAC
    1.4.4 Choosing the MAC length
    1.4.5 Limiting the number of messages per key
References

1 Message Authentication Codes

1.1 About this guide

1.1.1 / 1.1.2 Purpose and scope. This guide describes the message authentication codes (MAC, Message Authentication Code) HMAC, CBC-MAC and CMAC.

1.1.3 Organization. HMAC, CBC-MAC and CMAC are described in 2.2, 2.3 and 2.4 respectively; this part gives the overview (1.3) and the specifications (1.4).

1.2 Abbreviations and notation

1.2.1 Abbreviations

Values are bit strings of 0s and 1s; the block ciphers considered have a block length of 64 or 128 bits.

AES   Advanced Encryption Standard
ANSI  American National Standards Institute
CBC   Cipher Block Chaining
CMAC  Cipher-based MAC
FIPS  Federal Information Processing Standard
HMAC  Hash function-based MAC
IEC   International Electrotechnical Commission
ISO   International Organization for Standardization
MAC   Message Authentication Code
NIST  National Institute of Standards and Technology
PRF   Pseudo Random Function
PRP   Pseudo Random Permutation
RFC   Request for Comments
SP    Special Publication
TDEA  Triple Data Encryption Algorithm

1.2.2 Notation

0x...      a value written in hexadecimal (base 16)
x          a bit string
Enc_K(X)   encryption of the block X under key K with the block cipher Enc
LSB_s(X)   the least significant (rightmost) s bits of X
MSB_s(X)   the most significant (leftmost) s bits of X
X << 1     X shifted left by one bit: the leftmost bit is dropped and a 0 is appended on the right
lg(x)      the logarithm of x to base 2
0^s        s consecutive 0 bits

1.3 Overview of message authentication codes

1.3.1 What a MAC is

A MAC is used between two parties, the sender A and the receiver B, who share a secret key K. For a message M the sender computes the tag T = MAC(K, M) and sends the pair (M, T). The receiver, holding the same K, recomputes T' = MAC(K, M) for the received M and compares: if T' = T the result is VALID, otherwise INVALID (Figure 1). A correct tag can only be produced by someone who knows K, so a VALID result tells B that M came from A and was not altered in transit.

Figure 1: MAC generation by A (T = MAC(K, M)) and verification by B (T' = MAC(K, M); T' = T?), giving VALID or INVALID.

1.3.2 Security of a MAC

An attacker who does not know K observes messages M and their tags T and tries to produce a pair (M', T') that the verifier accepts as VALID, where M' is a message whose tag was never computed by the legitimate holder of K. Such a pair is a forgery. The attacker may even be allowed to obtain tags for messages of its own choosing (a chosen-message attack), and a single accepted forgery is enough for the MAC to count as broken. A MAC is secure when producing a forgery without K is infeasible.

1.3.3 Overview of HMAC, CBC-MAC and CMAC

HMAC. HMAC is a MAC built from a hash function such as SHA-2 (a keyed hash function). The hash function is applied twice: once over the key material and the message, and once over the key material and the result of the first hash. Bellare [B06] proved that HMAC is a pseudorandom function (PRF) provided the compression function of the hash is a PRF; the proof does not rely on collision resistance of the hash function, which is why the collision attacks on MD5 have not by themselves broken HMAC-MD5. HMAC is used for key generation in TLS (RFC 2246) and for key derivation in IKE (Internet Key Exchange, RFC 2409); IKEv2 (Internet Key Exchange version 2, RFC 4306) additionally uses AES-CMAC (RFC 4615); HMAC-SHA-1 is used in SSH (RFC 4253).

Figure 2: CBC-MAC. The blocks M_1, M_2, M_3, ..., M_{n-1}, M_n are chained through Enc_K and the final output is T.

Figure 3: Forgery against CBC-MAC with variable-length messages. Given the tag T of (M_1, M_2, M_3), the six-block message (M_1, M_2, M_3, M_1 xor T, M_2, M_3) has the same tag T.

CBC-MAC. CBC-MAC encrypts the message in CBC mode with a block cipher such as AES, using IV = 0, and takes the last ciphertext block as the tag (Figure 2). If the block cipher is a pseudorandom permutation (PRP), CBC-MAC is a PRF, and hence a secure MAC, as long as every message has the same fixed length [BKR94]. For messages of varying length it is not secure [MOV96]: as Figure 3 shows, an attacker who has seen the tag T of the three-block message (M_1 M_2 M_3) under key K can write down the six-block message (M_1 M_2 M_3 (M_1 xor T) M_2 M_3) whose tag is again T, without knowing K. After block 3 the chaining value is T; xoring the block M_1 xor T cancels it, and the last three blocks then replay the original chain. CBC-MAC was specified in FIPS 113 [FIPS113], which was withdrawn in 2008. ISO 16609 [ISO16609] specifies CBC-MAC with TDEA for banking applications.

CMAC. CMAC is a variant of CBC-MAC that removes the variable-length weakness. ISO/IEC 9797-1 [ISO/IEC 9797-1] specifies six MAC algorithms based on CBC-MAC; CMAC itself is specified in NIST SP 800-38B [SP800-38B]. It masks the final block with one of two subkeys derived from the key, so that the forgery of Figure 3 no longer works, and is defined for block ciphers with block length 128 (AES) and 64 bits (TDEA). The choice of MAC length and the number of messages that may be processed under one key are discussed in 1.4.4 and 1.4.5. Table 1 lists the standards covering the three MACs.

Table 1: Standards for HMAC, CBC-MAC and CMAC

  HMAC                      CBC-MAC                       CMAC
  FIPS 198 (2002)           FIPS 113 (withdrawn 2008)     NIST SP 800-38B (2005)
  ISO/IEC 9797-2 (2002)     ISO/IEC 9797-1 (1999)         ISO/IEC 9797-1 (under revision)
  RFC 2104 (1997)           ISO 16609 (2004)              RFC 4493 (2006)
  ANS X9.71 (2000)          ISO/TR 19038 (2005)
                            ANS X9.19 (1998)

1.4 Specifications

1.4.1 HMAC

Symbols used in the HMAC specification:

B      block length of the hash function in bytes
H      the hash function used by HMAC
ipad   the byte 0x36 repeated B times
K      the HMAC key
K0     K brought to a length of B bytes
L      output length of H in bytes
opad   the byte 0x5c repeated B times
T      the MAC
Tlen   length of the MAC in bytes
M      the message to be authenticated; Mlen is its length in bytes, 0 <= Mlen, bounded only by the maximum input length of H

Key length. The key K should be at least L/2 bytes long; for HMAC-SHA-256, L = 256/8 = 32, so the key should be at least 16 bytes (128 bits). Keys longer than B bytes are hashed first (step 2 below). ISO/IEC 9797-2 recommends a key length between L and B bytes.

Truncation. The HMAC output may be truncated to Tlen bytes. Truncation limits what an attacker learns about the full output, but a shorter tag is easier to guess (see 1.4.4). Tlen must be at least 32 bits (4 bytes) and at most 8L bits (L bytes); at least 4L bits (L/2 bytes) is recommended.

HMAC computes, for a message M,

  HMAC(K, M, Tlen) = H((K0 xor opad) || H((K0 xor ipad) || M))

truncated to Tlen bytes.

HMAC(K, M, Tlen)
  Input: H, the hash function; K, the HMAC key; M, the message; Tlen, the MAC length in bytes.
  Output: T, the MAC of Tlen bytes.

  1. If K is exactly B bytes long, set K0 = K and go to step 4.
  2. If K is longer than B bytes, set K0 = H(K) || 00...00, appending B - L zero bytes, and go to step 4.
  3. If K is shorter than B bytes, set K0 = K || 00...00, appending zero bytes up to a length of B bytes.
  4. Compute K0 xor ipad.
  5. Append M to the result of step 4: (K0 xor ipad) || M.
  6. Apply H to the result of step 5: H((K0 xor ipad) || M).
  7. Compute K0 xor opad.
  8. Append the result of step 6 to the result of step 7: (K0 xor opad) || H((K0 xor ipad) || M).

  9. Apply H to the result of step 8: H((K0 xor opad) || H((K0 xor ipad) || M)).
  10. Output the leftmost Tlen bytes of the result of step 9 as the MAC T.

HMAC-VER(K, M, T')
  Input: H, the hash function; K, the HMAC key; M, the message; T', the received MAC.
  Output: VALID or INVALID.

  1. Compute the MAC T of M with the HMAC procedure of 1.4.1, using Tlen = the length of T'.
  2. If T = T', output VALID; otherwise output INVALID.

1.4.2 CBC-MAC

Symbols used in the CBC-MAC specification:

b      block length of the block cipher in bits
K      the key
M      the message to be authenticated
M_i    the i-th block of M
M_n*   the last block of M after padding
Mlen   length of M in bits
n      number of blocks in M
T      the MAC
Tlen   length of the MAC in bits

CBC-MAC(K, M, Tlen)
  Input: Enc, a block cipher with block length b; K, the key; M, the message of Mlen bits; Tlen, the MAC length in bits.
  Output: T, the MAC of Tlen bits.

  1. Set n = Mlen/b if Mlen is a multiple of b; otherwise set n = floor(Mlen/b) + 1.
  2. Split M into b-bit blocks: M = M_1 || M_2 || ... || M_{n-1} || M_n.

  3. If M_n is a complete block, set M_n* = M_n; otherwise pad it: M_n* = M_n || 10^j with j = nb - Mlen - 1.
  4. Set C_0 = 0^b.
  5. For i = 1, ..., n: C_i = Enc_K(C_{i-1} xor M_i*) (with M_i* = M_i for i < n).
  6. Set T = MSB_Tlen(C_n).
  7. Output T.

CBC-MAC-VER(K, M, T')
  Input: Enc, a block cipher with block length b; K, the key; M, the message; T', the received MAC.
  Output: VALID or INVALID.

  1. Compute the MAC T of M with the CBC-MAC procedure of 1.4.2, using Tlen = the length of T'.
  2. If T = T', output VALID; otherwise output INVALID.

1.4.3 CMAC

Symbols used in the CMAC specification:

b        block length of the block cipher in bits
R_b      a constant depending on b: R_128 = 0^120 10000111, R_64 = 0^59 11011
K        the key
K1, K2   the two subkeys derived from K
M        the message to be authenticated
M_i      the i-th block of M
M_n*     the last block of M after masking (and, if needed, padding)
Mlen     length of M in bits
n        number of blocks in M
T        the MAC
Tlen     length of the MAC in bits
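The HMAC procedure of 1.4.1 (steps 1 to 10 and HMAC-VER) carried out in Go, as an added example that is not part of this guide. hmacSpec builds K0, the ipad and opad blocks and the two hash invocations exactly as the steps prescribe for any hash.Hash; hmacVerify implements HMAC-VER with a constant-time comparison and rejects tags shorter than the 32-bit minimum; matchesStdlib cross-checks the result against Go's crypto/hmac. The function names and the 100-byte key in main are this example's own; the short-key test vector ("Jefe", "what do ya want for nothing?") is the published RFC 4231 test case 2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// hmacSpec computes HMAC(K, M, Tlen) following steps 1-10 of 1.4.1 for an
// arbitrary hash function H. tlen is the MAC length in bytes; tlen <= 0 or
// tlen > L selects the untruncated L-byte output.
func hmacSpec(newH func() hash.Hash, key, msg []byte, tlen int) []byte {
	h := newH()
	B, L := h.BlockSize(), h.Size()
	k0 := make([]byte, B) // steps 1-3: K0 is K, or H(K), right-padded with zero bytes to B bytes
	if len(key) > B {
		h.Write(key)
		copy(k0, h.Sum(nil))
	} else {
		copy(k0, key)
	}
	ipad, opad := make([]byte, B), make([]byte, B) // steps 4 and 7
	for i := range k0 {
		ipad[i], opad[i] = k0[i]^0x36, k0[i]^0x5c
	}
	inner := newH() // steps 5-6: H((K0 xor ipad) || M)
	inner.Write(ipad)
	inner.Write(msg)
	outer := newH() // steps 8-9: H((K0 xor opad) || inner)
	outer.Write(opad)
	outer.Write(inner.Sum(nil))
	if tlen <= 0 || tlen > L {
		tlen = L
	}
	return outer.Sum(nil)[:tlen] // step 10: MSB_Tlen of the outer hash
}

// hmacVerify is HMAC-VER(K, M, T'): recompute the MAC at the received tag's
// length and compare. Tags below the guide's 32-bit minimum are refused
// outright, and hmac.Equal compares in constant time so a wrong tag is not
// rejected faster on its first differing byte.
func hmacVerify(newH func() hash.Hash, key, msg, tag []byte) bool {
	if len(tag) < 4 {
		return false
	}
	return hmac.Equal(hmacSpec(newH, key, msg, len(tag)), tag)
}

// matchesStdlib cross-checks the step-by-step HMAC-SHA-256 against crypto/hmac.
func matchesStdlib(key, msg []byte) bool {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return hmac.Equal(m.Sum(nil), hmacSpec(sha256.New, key, msg, 0))
}

func main() {
	// RFC 4231 test case 2: a 4-byte key, so step 3 (zero padding) applies.
	key, msg := []byte("Jefe"), []byte("what do ya want for nothing?")
	fmt.Println("HMAC-SHA-256:", hex.EncodeToString(hmacSpec(sha256.New, key, msg, 0)))
	// Truncated to L/2 = 16 bytes, the smallest length the guide recommends.
	tag := hmacSpec(sha256.New, key, msg, 16)
	fmt.Println("verify genuine:", hmacVerify(sha256.New, key, msg, tag))
	fmt.Println("verify altered:", hmacVerify(sha256.New, key, []byte("what do ya want for nothing!"), tag))
	// A constructed 100-byte key exceeds B = 64 for SHA-256, so step 2 (K0 = H(K) || 0...0) is exercised.
	longKey := make([]byte, 100)
	for i := range longKey {
		longKey[i] = byte(i)
	}
	fmt.Println("long key matches crypto/hmac:", matchesStdlib(longKey, msg))
}
```

hmacVerify takes Tlen from the received tag, as HMAC-VER does; in a real protocol the expected Tlen should be fixed by the protocol rather than read from the attacker-controlled message, so that an attacker cannot shorten the tag to the minimum and improve the odds of the guessing attack in 1.4.4.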

Subkey generation. CMAC derives two b-bit subkeys K1 and K2 from K, starting from Enc_K(0^b) (see the remark on key check values below).

SUBK(K)
  Input: Enc, a block cipher with block length b; K, the CMAC key.
  Output: the subkeys K1, K2.

  1. Compute L = Enc_K(0^b).
  2. If MSB_1(L) = 0, set K1 = L << 1; otherwise set K1 = (L << 1) xor R_b.
  3. If MSB_1(K1) = 0, set K2 = K1 << 1; otherwise set K2 = (K1 << 1) xor R_b.
  4. Output K1, K2.

Steps 2 and 3 are multiplication by u = 0^(b-2)10 in the finite field GF(2^b); R_b encodes the reduction polynomial u^128 + u^7 + u^2 + u + 1 for b = 128 and u^64 + u^4 + u^3 + u + 1 for b = 64.

Remark on key check values. ANS X9.24 Annex C uses the leading 16 or 24 bits of Enc_K(0^b) (with Enc = DES, b = 64) as a key check value (KCV, Key Check Value) that identifies a key. Such a KCV discloses part of L = Enc_K(0^b), from which K1 and K2 are derived, and must not be used for a CMAC key: with the subkeys known, CMAC degrades to a CBC-MAC with a known final mask, and a forgery of the kind shown in 1.3.3 becomes possible.

CMAC(K, M, Tlen)
  Input: Enc, a block cipher with block length b; K, the key; M, the message of Mlen bits; Tlen, the MAC length in bits.
  Output: T, the MAC of Tlen bits.

  1. Derive K1 and K2 from K with SUBK.
  2. If Mlen = 0, set n = 1; otherwise set n = ceil(Mlen/b).
  3. Split M into b-bit blocks: M = M_1 || M_2 || ... || M_{n-1} || M_n.

Figure 4: CMAC. Left: Mlen is a positive multiple of b and the final block is M_n xor K1. Right: the final block is incomplete (or M is empty); it is padded with 10...0 and xored with K2. In both cases the blocks are chained through Enc_K and T = MSB_Tlen of the last output.

  4. If M_n is a complete block, set M_n* = K1 xor M_n; otherwise set M_n* = K2 xor (M_n || 10^j) with j = nb - Mlen - 1.
  5. Set C_0 = 0^b.
  6. For i = 1, ..., n: C_i = Enc_K(C_{i-1} xor M_i*) (with M_i* = M_i for i < n).
  7. Set T = MSB_Tlen(C_n).
  8. Output T.

Apart from steps 3 and 4, which handle the final block, the computation is that of CBC-MAC; the only additional block-cipher call is Enc_K(0^b) in SUBK, which need be made only once per key.

CMAC-VER(K, M, T')
  Input: Enc, a block cipher with block length b; K, the key; M, the message; T', the received MAC.
  Output: VALID or INVALID.

  1. Compute the MAC T of M with the CMAC procedure of 1.4.3, using Tlen = the length of T'.
  2. If T = T', output VALID; otherwise output INVALID.

1.4.4 Choosing the MAC length

The MAC length Tlen is chosen following [SP800-38B] Appendix A. An attacker who does not know K can mount a guessing attack: submit (M, T*) with a guessed tag T* and see whether the verifier returns VALID. Each attempt succeeds with probability 1/2^Tlen, so a larger Tlen makes the attack correspondingly harder.

A Tlen of at least 64 bits is recommended. Truncating the MAC to a shorter value such as 32 bits is acceptable only where the application cannot afford 64 bits and the verifier limits the number of failed verifications: let Risk be the largest acceptable probability that a guessed MAC is accepted within the lifetime of the key, and MaxInvalids the largest number of INVALID results the system tolerates before it stops accepting MACs under that key. Then Tlen must satisfy

  Tlen >= lg(MaxInvalids / Risk).

1.4.5 Limiting the number of messages per key

The number of messages authenticated under one key is limited following [SP800-38B] Appendix B. CBC-MAC and CMAC carry a b-bit chaining value, so among about 2^(b/2) messages two are expected to produce the same intermediate value (a collision), and a collision can be turned into a forgery without the key: if M and M' collide, M || X and M' || X have the same MAC for any suffix X. To keep the collision probability small, at most 2^48 messages should be authenticated under one key with a 128-bit block cipher (CMAC with AES) and at most 2^21 with a 64-bit block cipher (CMAC with TDEA); the collision probability is then on the order of 2^-32 and 2^-22 respectively. For one-block messages this corresponds to about 2^52 bytes and 16 Mbyte of authenticated data.

References

[B06] M. Bellare, "New proofs for NMAC and HMAC: Security without collision-resistance," Advances in Cryptology, CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings, ed. C. Dwork, pp. 602-619, Lecture Notes in Computer Science vol. 4117, Springer-Verlag, 2006.

[BKR94] M. Bellare, J. Kilian, and P. Rogaway, "The Security of Cipher Block Chaining," Advances in Cryptology, CRYPTO '94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1994, Proceedings, ed. Y.G. Desmedt, pp. 341-358, Lecture Notes in Computer Science vol. 839, Springer-Verlag, 1994.

[FIPS113] Federal Information Processing Standards Publication 113, "Computer Data Authentication," National Institute of Standards and Technology.

[FIPS198] Federal Information Processing Standards Publication 198, "The Keyed-Hash Message Authentication Code (HMAC)," National Institute of Standards and Technology, March 6, 2002.

[FIPS198-1] Federal Information Processing Standards Publication 198-1, "The Keyed-Hash Message Authentication Code (HMAC)," National Institute of Standards and Technology, July 2008.

[ISO16609] ISO 16609:2004, "Banking. Requirements for message authentication using symmetric techniques."

[ISO/IEC 9797-1] ISO/IEC 9797-1:1999, "Information technology. Security techniques. Message Authentication Codes (MACs). Part 1: Mechanisms using a block cipher."

[MOV96] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.

[SP800-38B] NIST Special Publication 800-38B, Morris Dworkin, "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication," National Institute of Standards and Technology, May 2005.

Reproduction and reprinting without permission are prohibited.
Published May 14, 2009, first edition, first printing.
Publishers:
National Institute of Information and Communications Technology (Information Security Research Center, Security Fundamentals Group), 4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
Information-technology Promotion Agency, Japan (Security Center, Cryptography Group), 2-28-8 Honkomagome, Bunkyo-ku, Tokyo 113-6591, Japan