# ISO/IEC 9797-1

**ISO/IEC 9797-1** *Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher*[1] is an international standard that defines methods for calculating a message authentication code (MAC) over data.

Rather than defining one specific algorithm, the standard defines a general model from which a variety of specific algorithms can be constructed. The model is based on a block cipher with a secret symmetric key.

Because the standard describes a model rather than a specific algorithm, users of the standard must specify all of the particular options and parameter to be used, to ensure unambiguous MAC calculation.

## Model

The model for MAC generation comprises six steps:

*Padding*of the data to a multiple of the cipher block size*Splitting*of the data into blocks*Initial transformation*of the first block of data*Iteration*through the remaining blocks of data*Output transformation*of the result of the last iteration*Truncation*of the result to the required length

For most steps, the standard provides several options from which to choose, and/or allows some configurability.

### Padding

The input data must be padded to a multiple of the cipher block size, so that each subsequent cryptographic operation will have a complete block of data. Three padding methods are defined. In each case *n* is the block length (in bits):

#### Padding method 1

If necessary, add bits with value 0 to the end of the data until the padded data is a multiple of *n*. (If the original data was already a multiple of *n*, no bits are added.)

#### Padding method 2

Add a single bit with value 1 to the end of the data. Then if necessary add bits with value 0 to the end of the data until the padded data is a multiple of *n*.

#### Padding method 3

The padded data comprises (in this order):

- The length of the unpadded data (in bits) expressed in big-endian binary in
*n*bits (i.e. one cipher block) - The unpadded data
- As many (possibly none) bits with value 0 as are required to bring the total length to a multiple of
*n*bits

It is not necessary to transmit or store the padding bits, because the recipient can regenerate them, knowing the length of the unpadded data and the padding method used.

### Splitting

The padded data *D* is split into *q* blocks *D*_{1}, *D*_{2}, ... *D*_{q}, each of length *n*, suitable for the block cipher.

### Initial transformation

A cryptographic operation is performed on the first block (*D*_{1}), to create an intermediate block *H*_{1}. Two initial transformations are defined:

#### Initial transformation 1

*D*_{1} is encrypted with the key *K*:

*H*_{1}= e_{K}(*D*_{1})

#### Initial transformation 2

*D*_{1} is encrypted with the key *K*, and then by a second key *K*′′:

*H*_{1}= e_{K′′}(e_{K}(*D*_{1}))

### Iteration

Blocks *H*_{2} ... *H*_{q} are calculated by encrypting, with the key *K*, the bitwise exclusive-or of the corresponding data block and the previous *H* block.

- for
*i*= 2 to*q**H*_{i}= e_{K}(*D*⊕_{i}*H*_{i-1})

If there is only one data block (*q*=1), this step is omitted.

### Output transformation

A cryptographic operation is (optionally) performed on the last iteration output block *H _{q}* to produce the block

*G*. Three output transformations are defined:

#### Output transformation 1

*H _{q}* is used unchanged:

*G*=*H*_{q}

#### Output transformation 2

*H _{q}* is encrypted with the key

*K*′:

*G*= e_{K′}(*H*)_{q}

#### Output transformation 3

*H _{q}* is decrypted with the key

*K*′ and the result encrypted with the key

*K*:

*G*= e_{K}(d_{K′}(*H*))_{q}

### Truncation

The MAC is obtained by truncating the block *G* (keeping the leftmost bits, discarding the rightmost bits), to the required length.

## Specific algorithms

The general model nominally allows for any combination of options for each of the padding, initial transformation, output transformation, and truncation steps. However, the standard defines four particular combinations of initial and output transformation and (where appropriate) key derivation, and two further combinations based on duplicate parallel calculations. The combinations are denoted by the standard as "MAC Algorithm 1" through "MAC Algorithm 6".

### MAC algorithm 1

This algorithm uses initial transformation 1 and output transformation 1.

Only one key is required, *K*.

(When the block cipher is DES, this is equivalent to the algorithm specified in FIPS PUB 113 *Computer Data Authentication*.[2])

### MAC algorithm 2

This algorithm uses initial transformation 1 and output transformation 2.

Two keys are required, *K* and *K*′, but *K*′ may be derived from *K*.

### MAC algorithm 3

This algorithm uses initial transformation 1 and output transformation 3.

Two independent keys are required, *K* and *K*′.

Algorithm 3 is also known as Retail MAC.[4]

### MAC algorithm 4

This algorithm uses initial transformation 2 and output transformation 2.

Two independent keys are required, *K* and *K*′, with a third key *K*′′ derived from *K*′.

### MAC algorithm 5

MAC algorithm 5 comprises two parallel instances of MAC algorithm 1. The first instance operates on the original input data. The second instance operates on two key variants generated from the original key via multiplication in a Galois field. The final MAC is computed by the bitwise exclusive-or of the MACs generated by each instance of algorithm 1.[5]

### MAC algorithm 6

This algorithm comprises two parallel instances of MAC algorithm 4. The final MAC is the bitwise exclusive-or of the MACs generated by each instance of algorithm 4.[7]

Each instance of algorithm 4 uses a different key pair (*K* and *K*′) but those four keys are derived from two independent base keys.

## Key derivation

MAC algorithms 2 (optionally), 4, 5 and 6 require deriving one or more keys from another key. The standard does not mandate any particular method of key derivation, although it does generally mandate that derived keys be different from each other.

The standard gives some examples of key derivation methods, such as "complement alternate substrings of four bits of *K* commencing with the first four bits." This is equivalent to bitwise exclusive-oring each byte of the key with F0 (hex).

## Complete specification of the MAC calculation

To completely and unambiguously define the MAC calculation, a user of ISO/IEC 9797-1 must select and specify:

- The block cipher algorithm
*e* - The padding method (1 to 3)
- The specific MAC algorithm (1 to 6)
- The length of the MAC
- The key derivation method(s) if necessary, for MAC algorithms 2, 4, 5 or 6

## Security analysis of the algorithms

Annex B of the standard is a security analysis of the MAC algorithms. It describes various cryptographic attacks on the algorithms – including key-recovery attack, brute force key recovery, and birthday attack – and analyses the resistance of each algorithm to those attacks.

## References

- ISO/IEC 9797-1:2011 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher
- "FIPS PUB 113 - Computer Data Authentication". National Institute of Standards and Technology. Retrieved 2011-10-01.
- ISO/IEC 9797-1:2011
*Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher*, Introduction -
*ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher*. International Organization for Standardization. 2011. p. 11. -
*ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher*. International Organization for Standardization. 2011. p. 12. -
*ISO/IEC 9797-1 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher*. International Organization for Standardization. 2011. p. 13. - ISO/IEC 9797-1:1999
*Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher*— Superseded by ISO/IEC 9797-1:2011, which (according to the latter's Foreword) has a different algorithm 6.