SECURE ALGORITHMS Minding Your MAC Algorithms?

SECURE ALGORITHMS

Abstract In spite of the advantages of digital signatures, MAC algorithms are still widely used to authenticate data; common uses include authorization of financial transactions, mobile communications (GSM and 3GPP), and authentication of Internet communications with SSL/TLS and IPsec. While some MAC algorithms are part of ‘legacy’ implementa- tions, the success of MAC algorithms is mainly due to their much lower computa- tional and storage costs (compared to digital signatures). This article describes a list of common pitfalls that the authors have encountered when evaluating MAC algorithms deployed in commercial applications and pro- vides some recommendations for practitio- ners.

Minding Your Introduction MAC Algorithms? MAC algorithms compute a short string as a complex function of a message and a secret key. In a communications setting, the sender will ap- Helena Handschuh pend the MAC value to the message (see also Gemplus, France Figure 1). The recipient shares a secret key with the sender. On receipt of the message, he recom- putes the MAC value using the shared key and Bart Preneel verifies that it is the same as the MAC value sent K.U.Leuven, Belgium along with the message. If the MAC value is correct, he can be convinced that the message origi- nated from the particular sender and that it has not been tampered with during the transmission. Indeed, if an opponent modifies the message, the MAC value will no longer be correct. Moreover, the opponent does not know the secret key, so he is not able to predict how the MAC value should be modified.

The main security property of a MAC algorithm is that one should not be able to forge MAC values, that is, to predict values on new messages without knowing the secret key. A second re- quirement is that it should be computationally infeasible to recover the MAC key by exhaustive search, since an exhaustive key search allows for arbitrary forgeries.

Historically, the first commercial deployment of MAC algorithms was made by the financial sector (wholesale and retail banking, including electronic purses, debit and credit cards). On the Internet, MAC algorithms are used for authenticating data at the transport layer (TLS or Trans- port Layer Security, the successor to SSL) and at the network layer (IPsec, both in the AH and the ESP transforms). The GSM operators use a proprietary algorithm in the smart cards (SIMs or Subscriber Identification Modules) to authenticate the users. For 3rd generation systems (3GPP) the Milenage algorithm has been proposed as the example algorithm for user authentication; signal-

out, flaws are discovered One of the most important One of the most important which would have been identified immediately if functions of a cell is to functions of a cell is to the algorithms had been recruit other cells. One recruit other cells. One published before imple- member of each cell member of each cell mentation. This does not recruits a man outside, recruits a man outside, necessarily mean that all who will organise another who will organise another proprietary designs are cell, and so on. cell, and so on. flawed; numerous designs are based on sound pub- MAC MAC licly known building K K blocks such as AES or SHA-1, but security by ob- 21068204 21068204 scurity has rarely proven Identical? successful. As an example, 21068204 we consider two algorithms which leaked out Figure 1 - Using a MAC Algorithm for Data Authentication in the last years: alleged SecureID [5] and alleged Comp128 [9]. The first al- ling information is also authenticated using the gorithm is used for authenticating users to their KASUMI block cipher. corporate VPN. It computes a one-time pass- The most popular MAC algorithms are the vari- word as a MAC value on the current time using ants of CBC-MAC which are based on a block ci- a secret key. This MAC value is provided to the pher; in the past this has been mostly DES or tri- VPN server along with the username and pass- ple-DES. Currently AES is becoming more popu- word to open a secure session. The second algo- lar. Since the mid 1990s, constructions based on rithm is used in a challenge-response protocol to hash functions such as HMAC have been intro- authenticate a user to the GSM network. It de- duced on the Internet. All these algorithms have rives a MAC value from a random challenge pro- been included in a large number of standards vided by the network and a secret key stored in (IETF, FIPS, ANSI, ISO, ...); the most comprehen- the SIM card of the user. The MAC value is sent sive one is the 3-part standard IS 9797 published back to the network which verifies it before giv- by ISO/IEC [10]. ing access to the network. Both algorithms were cryptanalyzed immediately after publication; In the following, the key length in bits of a MAC they are both vulnerable to collision attacks. It algorithm is denoted with k and the length in takes a few hours only to recover the secret key bits of the MAC result is denoted with m. of a SIM card and a few months to find the key for a SecurID token. Therefore, secret designs should not be trusted unless sufficient independ- Common Pitfalls ent evaluation of the algorithms has been per- Throughout this paper, we analyze problems formed and documented. which we encountered while evaluating MAC algorithms. Several of these algorithms were Recommendation 2 flawed and as a result, we present simple recommendations on constructions that should be Don’t Use Short MAC Lengths avoided. The length in bits of a message authentication code is directly related to the number of trials Recommendation 1 that an adversary has to perform before a mes- Don’t Use Proprietary Algorithms Without sage (and its associated MAC value) is accepted. For a MAC value of bit-length m, the adversary Additional Evaluation has to perform on average 2m-1 random on-line Kerckhoffs’ principle, which dates back to the MAC verifications before his strategy succeeds. 19th century, states that the secrecy of a crypto- Therefore, MAC values of 16 bits require about graphic algorithm should only rely on the se- 32,000 trials, which is rather straightforward in a crecy of the key (and not on that of the algo- fully automated setting (for example over the rithm itself). Nevertheless, it is a common belief Internet). Hence, 16-bit MAC values should not in industry that cryptographic algorithms should be used. The minimum reasonable length for a be kept secret. While this might be the only solu- MAC is 32 bits; this corresponds to about 2 bil- tion for constrained environments in which lion or2x109 trials. For high value applications there are insufficient resources to deploy stan- 64 bits are more appropriate. dard cryptographic algorithms (for example not enough gates for hardware designs or memory Recommendation 3 cells for embedded devices), most secret designs are far less secure than published algorithms. Don’t Use Single DES Or Short Keys Many proprietary designs have not been sub- Another common pitfall is to use strong publicly jected to extensive cryptanalysis; when they leak known algorithms with too short keys. For ex-

Volume 9, Page 214 Information Security Bulletin, July 2004 Copyright ©2004 CHI Publishing Ltd - All rights reserved - Do not copy without written permission SECURE ALGORITHMS ample the use of truncated 40-bit keys or even where H0 represents a fixed public initial value single DES, which has a 56-bit key, are strongly and the hash value h(M)=Ht. If an iterated hash discouraged. Ten years ago a 56-bit key would function is used and the key K is prepended to have offered adequate protection for low-secu- the message M, i.e., the MAC value is given by rity applications. However, today it is vulnerable MAC = h(KyM) where y is the symbol for con- to straightforward exhaustive search attacks, in catenation, then it is straightforward to compute which an attacker simply tries out every possible the MAC of a different message MyM’ from value for the key and compares the computation MAC as follows: results to the valid MACs available to him. For a y y key of bit-length k,2k-1 trials on average are re- MAC’ = h(K M M’) = f(MAC,M’) quired to find the correct key. The current re- Note that one does not need to know the secret cord for exhaustive key search is less than a day key to perform this computation, which shows for a single 56-bit DES key on specialized hard- that this method is not secure. Truncating the ware combined with additional distributed com- MAC to fewer bits than the output length of the puting. With a US$1 million key search machine, hash function might help, but the security of this a DES key could be recovered in about 1 minute, scheme remains doubtful. It has been shown which means that the cost per key is about US$1 that even a construction which computes a MAC [22]. For this reason it is recommended that keys on message M with key K as h(KyMyK) may be of at least 80 bits should be used. An exhaustive 24 insecure [19, 20]; the attack does not violate the search for an 80-bit key would take 2 (about 16 security proof of [2], but illustrates its limitations million) times more effort, which in 2004 is out when key recovery attacks are considered. of range for a normal attacker. The recommended constructions for MACs It has often been claimed that keys of MAC algo- based on hash functions are HMAC [3] and rithms can be shorter than keys for encryption MDx-MAC [18]. The HMAC function is a generic transformation that is (roughly) computed as algorithms: in most cases authenticity is verified y y immediately, while confidentiality needs to be h(K h(K’ M)); MDx-MAC is more complex since protected for 5 to 10 years (or even more). How- it modifies the internals of the hash function. ever, it should be pointed out that in the case of a MAC algorithm, an opponent can keep search- Recommendation 5 ing for keys and restart the key search machine Don’t Use A Public Or Secret CRC every time a new text-MAC pair is observed. In some communication systems, a CRC (Cyclic Hence one should not consider the life time of a Redundancy Check) is appended to a message single MAC key, but the life time of the system, before it is sent over a noisy channel to allow for often close to 10 years as well. detection of transmission errors. However, these codes do not protect the integrity of a message Recommendation 4 or authenticate the origin of the message. They don’t withstand malicious attacks, as they can Don’t Use Unkeyed Hash Functions only spot errors which occur randomly on the As MAC Algorithms channel. Let us examine the binary case. Hash functions are functions which transform a A CRC consists of m bits that are appended to a variable-length message into a fixed-length message such that the resulting bit-string inter- scrambled image of it. In addition, they cannot preted as a polynomial is a multiple of the CRC be inverted (i.e., one cannot recover the message polynomial g of degree m. This shows that if one from the hash value) and it is very hard to find adds to a message with CRC a multiple of this two different messages which hash to the same polynomial (for example the polynomial g itself), value (this is called a collision). These functions this modification will not be detected. A CRC is are sometimes thought to have good properties usually implemented in the form of an LFSR for generating MACs. This may well be the case, (Linear Feedback Shift Register) of length m; the but they should never be used without a key. feedback coefficients of the LFSR correspond to Anybody can forge a new valid MAC on a new the coefficients of the polynomial g. Thus for a message by simply computing the hash value on given message, every bit of the resulting code is this message and appending it. a linear combination of bits of the original message. If the formula of the CRC is public, this lin- Now, let us examine what happens when the ear combination is known as well, because it hash function is used in combination with a se- does not depend on the message, only on the cret key. Most popular hash functions are based feedback polynomial g of the LFSR. If the CRC is on the simple iteration of a compression function secret, this combination is not known to the at- f that takes inputs of fixed size; they are known tacker. as iterated hash functions. These hash functions divide the message M into blocks M=M1, M2, ..., If the CRC is public, it is easy to compute the Mt and apply the following recursive formula to MAC for a given message by simply computing compute h(M): the associated CRC for it, as there is no secret involved here. An example of a system which used Hi = f(Hi-1,Mi) such a weak method for data integrity is the

M M M M message bits can be derived from 1 2 3 4 the previous ones. For a secret IV CRC, the linear combinations are Å Å Å Å not known to the attacker; however, they can be discovered using a randomly chosen message M of K K K K length l bits, a carefully chosen E E E E message M’ = My0...0 of length l+m bits, and their respective m-bit MACs. These two MACs can be concatenated to form a 2m-bit se- K’ quence from which the feedback G polynomial of the shift register can be reconstructed using a variant of the Berlekamp-Massey algorithm (see for example [15, pp. 200-202]). MAC With another method, the feedback Figure 2 - CBC-MAC With Initialization Vector polynomial can be recovered using about m+1 carefully chosen messages and their associated MACs. IEEE 802.11 WEP (Wireless Equivalent Privacy) standard to secure Wireless LANs. This protocol Recommendation 7 computes a 32-bit CRC on a 128-bit nonce before Don’t Use a Simple CBC-MAC on encrypting the result with an additive stream ci- Variable-Length Inputs pher (RC4). This is highly insecure and allows CBC-MAC is an iterated MAC algorithm based packet spoofing as pointed out by Borisov et al. on a block cipher. The encryption and decryp- [8]. tion with the block cipher E using the key K will If the CRC formula is secret, one can forge a new be denoted by EK(.). The block length of the MAC from two known MACs. Assume that we block cipher is denoted with n, hence EK(.) is a have two equal-length messages M and M’ with permutation of n-bit strings. The input M of the associated MAC values MAC and MAC’.Asev- MAC algorithm is divided into tn-bit blocks de- ery output bit of the LFSR is the same linear noted M1,M2,...,Mt which are processed as fol- combination of the message input bits, it is clear lows: / that the MAC value of the message M M’ / [ [ equals MAC / MAC’. Furthermore, the feedback Hi = EK(Hi-1 Mi), 1 i t polynomial g may be recovered using only a few The initial value H0 is equal to the all zero string chosen messages for which the corresponding (see also Recommendation 9). Often one applies MACs are obtained. Typically, m+1 chosen mes- an output transformation g to obtain the MAC sages of length m bits are required for an m-bit value, or MACK(M)=G(Ht). If no output transfor- MAC or LFSR. Hence, public CRCs or even se- mation is applied, one calls this scheme Simple cret CRCs do not provide the security features CBC-MAC. Figure 2 with IV the all zero string expected from a MAC algorithm and should not represents CBC-MAC with output transforma- be used for data integrity. tion G keyed by a second key K’. Recommendation 6 It has been proved by Bellare et al. [4] that if the Don’t Even Use a Keyed Public Or Secret CRC block cipher E is a secure block cipher, One may believe that the weaknesses pointed CBC-MAC is a secure MAC algorithm if it is ap- out in the previous section can be solved by us- plied on input strings of fixed length. However, ing a secret key, somehow prepended, XOR’ed if CBC-MAC is used on variable-length inputs or appended to the message before the CRC this proof does not apply; even worse, it is computation. This is not the case. Assume that known that simple CBC-MAC on variable length the MAC value is computed on a message M as messages is insecure. In the following M1, M’1, CRC(KyM). Recall that for a public CRC, each bit M2, and M’2 denote n-bit strings. Consider for simplicity a text consisting of a single block M mi of the MAC is defined as a known linear com- 1 and m=n (the attack applies in a more general bination of message bits Mi and key bits Ki. Let l be the length of the message in bits, then case as well). Assume that one knows MACK(M1); it follows immediately that l k //$/ $ MAC (M y(M / MAC (M )))= MAC (M ) maMbKijjjj= K 1 1 K 1 K 1 j=1 j=1 This implies that one can construct a new mes- where all binary coefficients aj and bj are known. sage with the same MAC value, which is a forg- Then it is easy to flip a few bits in M and to ery. Note that this attack applies even if a MAC compute the associated MAC for the new mes- algorithm key is used only once. If one knows sage: the linear combinations of key bits have MACK(M1) and MACK(M’1), a similar calculation not changed, and the linear combinations of shows that

MACK(M1y(M’1 / MACK(M1)))= MACK(M’1)

M1 M2 M3 M4 If one knows MACK(M1), MACK(M1yM2), and K’ MACK(M’1), one knows that Å Å Å

MAC (M’ yM’ )=MAC (M yM ) K 1 2 K 1 2 K E K E K E K E if M’2 = M2 / MACK(M1) / MACK(M’1). Again this allows for a forgery, as an adversary can MAC forge the MAC on M’1yM’2 given knowledge of three other text-MAC pairs. Figure 3 - The OMAC construction. The key K’ is re- In order to preclude these attacks, EMAC should lated to the original key K and takes one of two dif- be used (see further below), in which the output ferent values; exactly which one depends on whether of simple CBC-MAC is encrypted using a differ- the last message block requires padding bits or not ent key, as represented in Figure 2 (when the block cipher E is used as output transformation Recommendation 9 G). This variant has a security proof which is also valid for messages of variable-input length Don’t Use An IV With CBC-MAC [17]. In this section we address the case of CBC-MAC used in combination with an initial value de- Another solution is OMAC [11] (see Figure 3). noted by IV in Figure 2.

Note that a common choice for the output trans- Depending on how the IV itself is transmitted formation G is the selection of the leftmost m/2 and protected in the scheme (encrypted and/or bits. However, Knudsen has shown that for the protected with a MAC, and/or synchronized common parameters n=64, m=32 one can forge with the receiver), this solution may be ex- a MAC based on only 130,000 text-MAC pairs, tremely insecure. Assume that the IV is sent in which is much less than anticipated [12]. clear over the line and is not itself protected by a MAC nor synchronized with the receiver. Then the first block M0 of each message can trivially Recommendation 8 be replaced by an active attacker by any other Don’t Use The Same Key block N0, provided that the IV is also changed to For MAC And Encryption IV / M0 / N0. If this is the case, the value which is encrypted in the first encryption function is We consider here constructions where a MAC is still equal to IV / M . Therefore, the final MAC computed on a message that is also encrypted 0 value is still valid, and the forged message will with the same key. The main reason for using be accepted by the receiver. This remains true different keys for encryption and MAC computa- even if the IV is generated at random by the tion is that these keys may have completely dif- sender. A more subtle case is when the IV equals ferent life cycles. As an example, the key for en- the previous MAC value MAC*. This value can- cryption may need to be backed up (for later re- not be tampered with. However, as the attacker covery), while a MAC key may be thrown away gets to collect messages Mi and their associated after a message has been received and verified. MACs, MACi, he can forge new messages simply by adding the value MAC* / MACi-1 to the first The other reason is that this combination may i block of any pair (M , MACi) he keeps in his list. result in trivial attacks on the MAC algorithm. All these forged messages and their original For example, if the attacker knows a plaintext- MACs will be accepted as valid by the receiver. ciphertext pair (X, Y) from the encryption, he can easily append in CBC-MAC the block Recommendation 10 MACK(M) / X and he knows that the resulting MAC value will be Y. A second trivial example is Be Careful When Using Triple-DES if one computes CBC-MAC on the plaintext and Recommendation 3 states that CBC-MAC based subsequently appends the MAC value to the on DES (with a 56-bit key) should not be used. plaintext. Encrypting the result in CBC-mode One year after the publication of DES in 1977, a with initial value equal to 0 will result in an en- strengthened version of DES was proposed crypted MAC value that is always equal to EK(0), called triple-DES (with two keys or with three independent of the plaintext. keys). In 1986, the ANSI retail MAC algorithm was published, which is a CBC-MAC algorithm As a clarification, this recommendation does not based on two-key triple-DES [1]. This particular hold when a mode for authenticated encryption scheme uses single DES throughout the calcula- is used such as OCB [21], since such a mode is tion and triple-DES for the last block only; in specifically designed to protect both authenticity most applications the output is truncated to 32 and confidentiality in a transformation with a bits. The expectation was that the security would single key. be increased significantly at the cost of only two

Information Security Bulletin, July 2004 Volume 9, Page 217 Copyright ©2004 CHI Publishing Ltd - All rights reserved - Do not copy without written permission SECURE ALGORITHMS additional encryptions. We will now show that popular scheme, since it has also been standard- this expectation has only been reached partially. ized by the IETF and by NIST. We recommend 32 using HMAC with hash functions such as Forging a 32-bit ANSI retail MAC requires 2 at- RIPEMD-160 and SHA-1. They process the mes- tempts. A more sophisticated forgery attack is sage in blocks of 512 bits. The resulting MAC known in which the opponent is sure that the value is computed as follows: forgery will succeed; it needs 232 known text- 33 MAC pairs and 2 chosen text-MAC pairs; while MACK(M)=h((K / opad) y h((K / ipad) y M)) this is not better than CBC-MAC based on single DES, this seems to be an acceptable security where K is the key padded with zeroes to a full level. On the other hand, one would expect that block of 512 bits and opad and ipad are constant a key recovery attack requires at least 280 512-bit strings (equal to 64 times the hexadecimal encryptions. However, it turns out that with ei- values x36 and x5c respectively). It is equivalent 32 48 to compute and store the partial hash value of ther 2 chosen text-MAC pairs or 2 MAC / / verifications, the effort to recover the key can be the two padded key blocks (K ipad) and (K reduced to 257 encryptions (only twice the effort opad) first, and to compute the MAC value of the of breaking single DES). message starting from these pre-computed secret initial values. In some applications, the strength of the ANSI retail MAC is further reduced by sending the Newer MAC algorithms such as PMAC [7] that two DES keys encrypted in ECB mode along allows for parallel operation and UMAC [6] that with the message; this opens an avenue for a offers a very good performance for long mes- subtle attack in which the number of MAC veri- sages are possible alternatives; so far these fications can be further reduced to 232. This schemes have not been included in the existing means that the security against key search is re- standards, but their security has been evaluated duced to the effort of forging a single MAC by thoroughly. brute force and exhaustive search of a single DES key. References [1] ANSI X9.19, Financial Institution Retail Mes- Another example of subtle weaknesses of MAC sage Authentication, American Bankers Associ- algorithms based on triple-DES is the NIST pro- ation, August 13, 1986. posal for RMAC based on three-key triple-DES [16]; it turns out that the 168-bit triple-DES key [2] M. Bellare, R. Canetti, H. Krawczyk, Pseudo- in the output transformation can be recovered random functions revisited: The cascade construc- using about 256 chosen text-MAC pairs and 257 tion and its concrete security, Proceedings 37th encryptions [13]. Annual Symposium on the Foundations of Computer Science, IEEE, 1996, pp. 514–523. Recommended MAC Algorithms Full version: In view of the large number of well-analysed http://www.cs.ucsd.edu/users/mihir/papers/ and standardised MAC algorithms, there should cascade.html be no reason to use insecure MAC algorithms that violate one or more of the recommendations [3] M. Bellare, R. Canetti, H. Krawczyk, Keying put forward in this paper. hash functions for message authentication,Ad- vances in Cryptology, Proceedings Cryp- We recommend to use standardised MAC algo- to’96, LNCS 1109, N. Koblitz, Ed., Springer rithms that can be found in the International Verlag, 1996, pp. 1–15. Full version: Standard ISO/IEC 9797. This is a 2-part interna- http://www.cs.ucsd.edu/users/mihir/papers/ tional standard. Part 1 describes MAC algorithms hmac.html based on block ciphers and Part 2 describes MAC algorithms based on hash functions. [4] M. Bellare, J. Kilian, P. Rogaway, The security of citpher block chaining, Journal of Computer Part 1 contains – in addition to some simpler and System Sciences, Vol 61, No 3, Dec 2000, CBC-MAC schemes for legacy purposes that are pp 362-399. Earlier version in Advances in not recommended – the ANSI retail MAC as well Cryptology, Proceedings Crypto’94, LNCS as MacDES [14] for use with triple-DES and 839, Y. Desmedt, Ed., Springer Verlag, 1994, EMAC [17] that is recommended for use with pp. 341–358. AES. Bear in mind that EMAC applies a simple CBC-MAC and encrypts its output using a differ- [5] A. Biryukov, J. Lano, B. Preneel, Cryptanalysis ent key. The standard contains a comparison of of the Alleged SecurID Hash Function, Selected the security of all the schemes that have been in- Areas in Cryptography, Proceedings SAC cluded. It is likely that the next edition will also 2003, LNCS 3006, M. Matsui, R. Zuccherato, contain OMAC [11] (see Figure 3). Eds., Springer-Verlag, 2004, pp. 130–144. Part 2 of the standard contains HMAC, MDx- [6] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, MAC and a variant of MDx-MAC that is efficient P. Rogaway, UMAC: Fast and secure message for short messages. HMAC is clearly the most authentication, Advances in Cryptology, Pro-

ceedings Crypto’99, LNCS 1666, M.J. Wiener, [20] B. Preneel, P.C. van Oorschot, On the security Ed., Springer Verlag, 1999, pp. 216–233. of iterated Message Authentication Codes, IEEE Trans. on Information Theory, Vol. IT–45, [7] J. Black, P. Rogaway, A block-cipher mode of No. 1, 1999, pp. 188–199. operation for parallelizable message authentication, Advances in Cryptology, Proceedings [21] P. Rogaway, M. Bellare, J. Black, OCB: A Eurocrypt’02, LNCS 2332, L. Knudsen, Ed., block-cipher mode of operation for efficient au- Springer Verlag, 2002, pp. 384–397. thenticated encryption, ACM Trans. Informa- tion and System Security (TISSEC), Vol. 6, [8] N. Borisov, I. Goldberg, D. Wagner, Inter- No. 3, Aug. 2003, pp. 365–403. cepting mobile communications: the insecurity of 802.11, Proceedings MOBICOM 2001, pp. [22] M.J. Wiener, Efficient DES key search, Pres- 180–189. ented at the Rump Session of Crypto’93. Re- printed in Practical Cryptography for Data [9] H. Handschuh, P. Paillier, Reducing the colli- Internetworks, W. Stallings, Ed., IEEE Com- sion probability of alleged Comp128, Smart Card puter Society, 1996, pp. 31–79. Research and Applications, Proceedings CARDIS ’98, LNCS 1820, J.- J. Quisquater, B. Schneier, Eds., Springer Verlag, 2000, pp. About the Authors 366–371. Dr. Helena Handschuh is Card Application Se- curity Manager at Gemplus. She is actively in- [10] ISO/IEC 9797, Information technology – Security volved in various information security and techniques – Message Authentication Codes smart-card projects and has authored several pa- (MACs). Part 1: Mechanisms using a block ci- pers and patents in cryptography. Her current pher, 1999, Part 2: Mechanisms using a dedi- research focuses on secret-key cryptography, as cated hash-function, 2002. well as mobile telecommunications security and [11] T. Iwata, K. Kurosawa, OMAC: One key CBC security issues for contactless technology. MAC, Fast Software Encryption, LNCS 2887, T. Johansson, Ed., Springer Verlag, 2003, pp. Helena Handschuh is a Network and Communi- 129–153. cations engineer from the ENSTA. She received a master’s degree in Cryptography from the Ecole [12] L. Knudsen, Chosen-text attack on CBC-MAC, Polytechnique and holds a PhD in Cryptography Electronics Letters, Vol. 33, No. 1, 1997, pp. from ENST in Paris. 48–49. Dr. Bart Preneel received the Electrical Engi- [13] L. Knudsen, T. Kohno, Analysis of RMAC, neering degree and the Doctorate in Applied Sci- Fast Software Encryption, LNCS 2887, T. ences in 1987 and 1993 respectively, both from Johansson, Ed., Springer Verlag, 2003, pp. the Katholieke Universiteit Leuven (Belgium). 182–191. He is currently professor at the Katholieke [14] L. Knudsen, B. Preneel, MacDES: MAC algo- Universiteit Leuven and visiting professor at the rithm based on DES, Electronics Letters, Vol. T.U.Graz in Austria. He has been visiting profes- 34, No. 9, 1998, pp. 871–873. sor (Professor II) at the University of Bergen in Norway (1997-2001), the Ruhr-Universit"at in [15] A.J. Menezes, P.C. van Oorschot, S. Bochum (Germany) (2001-2002) and at the Uni- Vanstone, Handbook of Applied Cryptography, versity of Ghent (1994-2002). During the aca- CRC Press, 1997. demic year 1993-1994, he was a research fellow of the EECS Department of the University of [16] NIST Special Publication 800-38B, Draft Rec- California at Berkeley. His main research inter- ommendation for Block Cipher Modes of Opera- ests are cryptography, network security, and tion: The RMAC Authentication Mode, October wireless communications. 2002. Together with Prof. J. Vandewalle, he is respon- [17] E. Petrank and C. Rackoff, CBC MAC for sible for the research group COSIC, which has real-time data sources, Journal of Cryptology, 35 members. He has authored and co-authored Vol. 13, No. 3, 2000, pp. 315–338. more than 150 scientific publications and is in- [18] B. Preneel, P.C. van Oorschot, MDx-MAC ventor of one patent. As a consultant, he has and building fast MACs from hash functions, been involved in a large number of security Advances in Cryptology, Proceedings studies a.o. for the financial and telecommunica- Crypto’95, LNCS 963, D. Coppersmith, Ed., tions sector and for the Belgian government. Springer-Verlag, 1995, pp. 1–14. Since 1989, he is a Belgian expert in working group ISO/IEC JTC1/SC27/WG2 (Security Tech- [19] B. Preneel, P.C. van Oorschot, On the security niques and Mechanisms), where he has been ed- of two MAC algorithms, Advances in itor of five international standards. He has also Cryptology, Proceedings Eurocrypt’96, LNCS been involved in standardization initiatives in 1070, U. Maurer, Ed., Springer Verlag, 1996, IEEE, ISO/TC68 (Banking), IETF, and EESSI pp. 19–32. (Electronic Signatures).

He is vice president of the IACR (International He is chairman of the scientific committee of the Association for Cryptologic Research) and a French Action Concert’ee Incitative in Crypto- member of the Editorial Board of the Journal of logy. In 2003, he has received the European In- Cryptology and of the ACM Transactions on In- formation security Award in the area of aca- formation Security. He has participated to 15 re- demic research, and he received an honorary search projects sponsored by the European Com- Certified Information Security Manager (CISM) mission; he has been Project Manager of the IST designation by the Information Projects NESSIE (New European Schemes for Signatures, Integrity and Encryption) and Systems Audit and Control Association (ISACA). He is president of L-SEC vzw. (Leuven Security STORK (Strategic Roadmap for Cryptology). Excellence Consortium), an association of 30 Currently he is Project Manager of the European companies and research institutions in the area Network of Excellence on Cryptology (ECRYPT). of e-security. He was program chairman of the 1994 workshop on Fast Software Encryption, Note The work described in this paper has been partly CMS’99 (Communications and Multimedia Secu- supported by the European Commission under rity, IFIP), Eurocrypt 2000 (IACR) and the RSA contract IST-2002-507932 (ECRYPT). The infor- Security 2002 Cryptographers’ Track. He has mation in this paper is provided as is, and no been a member of the program committee for warranty is given or implied that the informa- more than 60 international conferences, and has tion is fit for any particular purpose. The user been invited speaker at 15 international confer- thereof uses the information at its sole risk and ences. liability.

There is only one way to get all issues of Information Security Bulletin: SUBSCRIBING!

Please use the form in the journal, or visit http://www.isb-online.net