ISO/IEC 9797-1:1999

E
INTERNATIONAL ISO/IEC
STANDARD 9797-1
First edition
1999-12-15
Information technology - Security
techniques - Message Authentication
Codes (MACs) -
Part 1:
Mechanisms using a block cipher
Technologies de l’information - Techniques de sécurité - Codes
d’authentification de message (MACs) -
Partie 1: Mécanismes utilisant un cryptogramme bloc
Reference number
ISOAEC 9797-1:1999(E)
0 ISOAEC 1999

---------------------- Page: 1 ----------------------
ISO/IEC 9797-1 :1999(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The IS0 Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by IS0 member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.
O ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either IS0 at the address below or ISOs member body
in the country of the requester.
IS0 copyright office
Case postale 56 CH-121 1 Geneva 20
Tel. + 41 22 749 O1 11
Fax +41 22734 1079
E-mail copyright Oiso.ch
Web www.iso.ch
Printed in Switzerland
ii O ISOAEC 1999 -All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 9797-1 :1999(E)
Foreword
IS0 (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of IS0 or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. IS0 and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with IS0 and IEC, also take part in the work.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
In the field of information technology, IS0 and IEC have established a joint technical committee, ISOAEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9797 may be the subject of
patent rights. IS0 and IEC shall not be held responsible for identifying any or all such patent rights.
International Standard ISO/IEC 9797-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, lnformation
technology, Subcommittee SC 27, IT Security techniques.
This first edition of ISOAEC 9797-1, together with the subsequent parts of ISO/IEC 9797, cancels and replaces
ISO/IEC 9797:1994, which has been revised and extended to a multi-part standard. Note, however, that
implementations which comply with ISO/IEC 9797:1994 will be compliant with this edition of ISO/IEC 9797-1.
ISO/IEC 9797 consists of the following parts, under the general title lnformation technology - Security
techniques - Message Authentication Codes (MACS):
- Part 1: Mechanisms using a block cipher
- Part 2: Mechanisms using a hash-function
Further parts may follow.
Annexes A and B of this part of ISOAEC 9797 are for information only.
O ISO/IEC 1999 -All rights reserved iii

---------------------- Page: 3 ----------------------
INTERNATIONAL STANDARD O ISO/IEC
ISO/IEC 9797-1:1999(E)
Information technology - Security techniques -
Message Authentication Codes (MACS) -
Part 1:
Mechanisms using a block cipher
bine the two results with a bitwise exclusive-or opera-
1 Scope
tion. They are recommended for applications which re-
quire an increased security level against forgery attacks
This part of ISO/IEC 9797 specifies six MAC algorithms
(cf. Annex B). The fifth mechanism uses a single length
that use a secret key and an n-bit block cipher to calcu-
MAC algorithm key, while the sixth mechanism doubles
lat>e an tn-bit, MAC. These mechanisms can be used as
the MAC algorithm key length.
data integrit,y mechanisms to verify t,hat data has not
been altered in an unauthorised manner. They can also
This part of ISO/IEC 9797 can be applied to the se-
be used as message authentication mechanisms to pro-
curity services of any security architecture, process, or
vide assurance that a message has been originated by
application.
an entity in possession of the secret key. The strengt,h
of the data integrit,y mechanism and niessage aut,henti-
cation mechanism is dependent on the length (in bits)
2 Normative references
k" and secrecy of the key, on the block length (in bits) n
and strength of the block cipher, on the length (in bits)
The following standards contain provisions which,
m of the XI.AC, and on the specific mechanism,
though reference in this text ~ constitute provisions of
this part of ISO/IEC 9797. At the time of publication.
The first three niechanisnis specified in this part of
the editions indicated were valid. All standards are sub-
ISO/IEC 9797 are commonly known as CBC-MAC
ject to revision. and parties to agreements based on this
(CBC is the abbreviation of Cipher Block Chaining).
part of ISO/IEC 9797 are encouraged to investigate the
The calculation of a MAC as described in IS0 8731-
possibility of applying the most recent editions of the
1 and ANSI S9.9 is a specific case of this part of
standards indicated below. Members of IEC and IS0
ISO/IEC 9797 when n = 64. m = 32. MAC .Algorithm 1
maintain registers of currently valid International Stan-
and Padding Method 1 are used, and the block cipher
dards.
is DEA (ANSI 53.92: 1981). The calculation of a MAC
as described in ANSI 59.19 and IS0 9807 is a specific
1989, Information processing systems -
IS0 7498-2;
case of this part of ISO/IEC 9797 when n = 64, rn = 32.
Open Systems Interconnection - Baszc Reference Model
either MAC' Algorithm 1 or MAC Algorithm 3 is used
- Part 2: Security Archztecture.
(both with Padding Method 1)1 and the block cipher is
DEA (ANSI S3.92: 1981).
ISO/IEC 9798-1: 1997. Informatzon technology - Se-
curzfy techniyues - Entzty authentzcntzon - Part 1:
The fourth mechanism is a variant of CBC-IIXC' with
Ge n e ral.
a special initiai transformation. It is reconmiended for
applications which require that t8he key length of the
ISO/IEC 101 16: 1997, Informatzon technology - Secu-
Mi\C algorithm is twice that of the block cipher.
rity techniyues - Modes of operation for an n-bai block
cipher.
NOTES
1 For example. in the case of DEA (ANSI X3.92: 1981),
the block cipher key length is 56 bits, while the MAC
3 Definitions
algorithm key length is 11.2 bits.
2 IVhen used with DEI, (which is also known as DES),
3.1 This part of ISO/IEC 9797 makes use of the follow-
this algorithm is called hlacDES [la].
ing general security-related term defined in IS0 7498-2.
The fifth and sixth mechanism use two parallel instances
of the first and fourth mechanism respectively. and com-
1

---------------------- Page: 4 ----------------------
IS O / IEC 9797-1 : 1999 (E) @ ISO/IEC
3.3.2 decipherment: the reversal of a corresponding
3.1.1 data integrity: the property that data has not
been altered or destroyed in an unauthorized man- encipherment.
ner.
3.3.3 encipherment: the (reversible) transformation
of data by a cryptographic algorithm to produce
3.2 For the purposes of this part of ISO/IEC 9797, the
ciphertext, i.e. to hide the information content of
following definitions apply.
the data.
3.3.4 key: a sequence of symbols that controls the
3.2.1 block: a bit-string of length n.
operation of a cryptographic transformation (e.g.,
3.2.2 block cipher key: a key that controls the oper-
encipherment, decipherment, cryptographic check
ation of a block cipher.
function computation, signature generation, or sig-
nature verification).
3.2.3 initial transformation: a function that is ap-
plied at the beginning of the MAC algorithm.
3.3.5 plaintext: unenciphered information.
3.2.4 MAC algorithm key: a key that controls the
operation of a M.4C algorithm. 3.4 This part of ISO/IEC 9797 makes use of the
following general security-related term defined in
3.2.5 Message Authentication Code (MAC): the
ISO/IEC 10116.
string of bits which is the output of a X4C algo-
rithm.
3.4.1 n-bit block cipher: a block cipher with the
NOTE - A MAC is sometimes called a crypto-
property that plaintext blocks and ciphertext
graphic check value (see for example IS0 7498-2).
blocks are n bits in length.
3.2.6 Message Authentication Code (MAC) al-
gorithm: an algorithm for computing a function
4 Symbols and notation
which maps strings of bits and a secret key to fixed-
length strings of bits, satisfying the following two
Throughout this part of ISO/IEC 9797 the following
properties:
symbols and notation are used:
- for any key and any input string the function
can be computed efficiently;
D data string to be input to the hI.4C‘ algorithm.
- for any fixed key, and given no prior knowledge
of the key, it is computationally infeasible to
Dl a block derived from the data string D after the
compute the function value on any new input
padding process.
string, even given knowledge of the set of in-
~K(C) decipherment of the ciphertext C with the block
put strings and corresponding function values,
cipher e using the key Iï.
where the value of the ith input string may
have been chosen after observing the value of
eK(P) encipherment of the plaintext P with the block
the first i - 1 function values.
cipher e using the key A’.
NOTES
g output transformation, that maps the block H, to the
block G.
1 A MAC algorithm is sometimes called a crypto-
graphic check function (see for example IS0 7498-
G the block that is the result of the output transforma-
2).
tion.
2 Computational feasibility depends on the user’s
specific security requirements and environment.
HJ a block which is used in the MAC algorithm to store
an intermediate result.
3.2.7 output transformation: a function that is ap-
plied at the end of the MAC algorithm, before the
I initial transformation.
truncation operation.
k the length (in bits) of the block cipher key.
3.3 This part of ISO/IEC 9797 makes use of the
k* the length (in bits) of the MAC algorithm key.
following general security-related terms defined in
I<, I<’, I<”, I<”’, KI, Kz, Ki, I<;, Ky, I<; secret
ISO/IEC 9798-1.
block cipher keys.
3.3.1 ciphertext: data which has been transformed to
L the length block, which is used in Padding Method 3.
hide its information content.
2

---------------------- Page: 5 ----------------------
ISO/IEC 9797-1:1999(E)
@ ISO/IEC
NOTE - These choices affect the security level of the
LD the length (in bits) of the data string D.
MAC algorithm. For a detailed discussion, see An-
m the length (in bits) of the MAC.
nex B.
R the block length (in bits) of the block cipher.
The same key shall be used for calculating and verifying
the MAC. If the data string is also being enciphered,
q the number of blocks in the data string D after the
the key used for the calculation of the MAC shall be
padding and splitting process.
different from that used for encipherment.
j - X the string obtained from the string X by taking
NOTE - It is considered to be good cryptographic
the leftniost j bits of X.
practice to have independent keys for confidentiality
and for data integrity.
X 3 Y exclusive-or of bit-strings X and Y.
X((Y concatenation of bit-strings ,Y and Y (in that or-
6 Model for MAC algorithms
der).
:= a symbol denoting the ‘set equal to’ operation used
The application of the MAC algorithm requires the fol-
in the procedural specifications of M.4C algorithms,
lowing six steps: padding, splitting, initial transforma-
where it indicates that the value of the string on
tion, iterative application of the block cipher, output
the left side of the symbol shall be made equal to
transformation, and truncation. Steps 3 through 6 are
the value of the expression on the right side of the
illustrated in Figure 1.
symbol.
5 Requirements
Vsers who wish to employ a MAC algorithm from this
part of IÇO/IEC 9797 shall select:
s a block cipher e;
0 a padding method from amongst those specified in
Clause 6.1:
0 a MAC algorithm from amongst those specified in
Clause 7:
0 the length (in bits) m of the MAC; and
O a common key derivation method if MAC algo-
rithms 4, 5, and 6 are used; a common key deriva-
+
tion method may also be required for MAC algo-
MAC
rithm 2.
Agreement on these choices amongst the users is essen-
Figure 1: Application of Step 3, 4, 5 and 6 of the
tial for the purpose of the operation of the data integrity
MAC algorithm.
mechanism.
The length m of the MAC shall be a positive integer less
6.1 Step 1 (padding)
than or equal to the block length n.
This step involves prefixing and/or postfixing the data
If Padding Method 3 is used, the length in bits of the
string D with additional ‘padding’ bits such that the
data string D shall be less than 2n.
padded version of the data string will always be a mul-
The selection of a specific block cipher e. padding tiple of n bits in length. The padding bits that are
method. MAC algorithm. value for m, and key deriva-
added to the original data string, according to the cho-
tion method (if any) are beyond the scope of this part
sen padding method, are only used for calculating the
of ISO/IEC 9797.
MAC. Consequently. these padding bits (if any) need
not be stored or transmitted with the data. The verifier
shall know whether or not the padding bits have been
3

---------------------- Page: 6 ----------------------
ISO/IEC 9797-1:1999(E) @ ISO/IEC
6.3 Step 3 (initial transformation)
stored or transmitted, and which padding method is in
use.
The initial transformation I is applied to the first block
This part of ISO/IEC 9797 specifies three padding
D1 of the padded data string to derive the block HI.
methods. Any of these three methods can be chosen
Each of the six MAC algorithms specified in this part of
for the six MAC algorithms specified in this part of
ISO/IEC 9797 use one of two possible initial transfor-
ISO/IEC 9797.
mations.
6.1.1 Padding Method 1
6.3.1 Initial Transformation 1
The data string D to be input to the MAC algorithm
This transformation requires only one block cipher key
shall be right-padded with as few (possibly none) ‘O‘
K. The block Hl is computed by applying the block
bits as necessary to obtain a data string whose length
cipher with key Ii as follows:
(in bits) is a positive integer multiple of n.
H1 := eK(D1)
NOTES
1 MAC algorithms using Padding Method 1 may be
6.3.2 Initial Transformation 2
subject to trivial forgery attacks. See informative An-
nex B for further details.
This transformation requires two block cipher keys I<
2 If the data string is empty, Padding Method 1 spec-
and I<”, The block Hl is computed by applying the
ifies that it is right-padded with n ‘O’ bits.
block cipher with keys ii and I<’’ as follows:
6.1.2 Padding Method 2
Hl := eKtr(eK(D1))
The data string D to be input to the MAC algorithm
shall be right-padded with a single ‘1’ bit. The resulting 6.4 Step 4 (iteration)
string shall then be right-padded with as few (possibly
The blocks Hz, Hs, . . . , H, are calculated by iteratively
none) ‘O’ bits as necessary to obtain a data string whose
applying the block cipher to the bitwise exclusive-or of
length (in bits) is a positive integer multiple of n.
the data block D, and the previous result Hz-l:
6.1.3 Padding Method 3
for i from 2 to q:
The data string D to be input to the MAC algorithm
shall be right-padded with as few (possibly none) ‘O’ Hi := eK(D, e HZ-1):
bits as necessary to obtain a data string whose length
(in bits) is a positive integer multiple of n. The re-
If q is equal to 1, Step 4 shall be omitted.
sulting string shall then be left-padded with a block L.
The block L consists of the binary representation of the
NOTE - This operation corresponds to the Ci-
length (in bits) Lo of the unpadded data string D, left-
pher Block Chaining (CBC) mode as defined in
padded with as few (possibly none) ‘O’ bits as necessary
ISO/IEC 10116.
to obtain an n-bit block. The right-most bit of the block
L corresponds to the least significant bit of the binary
6.5 Step 5 (output transformation)
representation of Lo.
The output transformation g is applied to the value H,.
NOTE - Padding Method 3 is not suitable for use in
obtained as a result of Step 4 (or Step 3 in the case
situations where the length of the data string is not
q = 1).
available prior to the start of the MAC calculation.
This part of ISO/IEC 9797 specifies three output trans-
6.2 Step 2 (splitting) formations.
The padded version of the data string D is split into q
6.5.1 Output Transformation 1
n-bit blocks DI, D2, . . . , D,. Here Dl represents the
first n bits of the padded version of D, 02 represents
This output transformation is the identity function, i.e.,
the next n bits, and so on.
G := H,
4

---------------------- Page: 7 ----------------------
ISO/IEC 9797-1:1999(E)
@ IÇO/IEC
6.5.2 Output Transformation 2 2 If It- and IC”’ are equal, a simple xor forgery attack
applies. See informative Annex B for further details.
This output transformation consists of applying the
3 If K and IC”’ are independent, the level of security
block cipher with block cipher key Ii’ to H,, i.e.
against key recovery attacks is less than suggested by
the MAC algorithm key size. See informative Annex B
G := eK‘ (H,)
for further details.
MAC Algorithm 2 is illustrated in Figure 3.
6.5.3 Output Transformation 3
This output transformation consists of applying the
block cipher (in decryption mode) with the key Ii’ to
H, followed by applying the block cipher with key Ii to
the result of this operation. i.e.
I
6.6 Step 6 (truncation)
I t’runcation I
The hI.LIC of 772 bits is derived by taking the leftniost 7n
--I----
bits of the block G. i.e.
MAC
Figure 2 - MAC Algorithm 1.
7 MAC Algorithms
This part of ISO/IEC 9797 specifies six MAC algo-
rithms. The initial transformation and output transfor-
mation are specified in each case. However. the padding
method is not specified, i.e., each MAC algorithni may
be used with any of the three padding methods specified
in Clause 6.1.
XOTE - The choice of padding method affects the se-
curity of the 1iAC algorithm. See informative Annex B
for further details.
truncation
7.1 MAC Algorithm 1
MAC .Algorithm 1 uses Initial Transformation 1 and
MAC
Output Transformation 1. The MAC algorithm key con-
sists of the block cipher key Ii. MAC Algorithm 1 is
Figure 3 - MAC Algorithm 2.
illustrated in Figure 2.
7.3 MAC Algorithm 3
7.2 MAC Algorithm 2
MAC Algorithm 3 uses Initial Transformation 1 and
MAC .4lgorithm 2 uses Initial Transformation 1 and
Output Transformation 3. The MAC algorithm key con-
Output Transformation 2. The MAC algorithm key con-
sists of two block cipher keys I< and Ii’. The values of i<
sists of two block cipher keys Ii and Ii”’. The value of
and I<’ shall be chosen independently. If I<’ = I<, MAC
I<”’ niay be derived from the value of Ii in such a way
Algorithm 3 reduces to MAC .Algorithm 1, which may
that Ii and I<“’ are different.
not always be desirable. MAC Algorithm 3 is illustrated
in Figure 4.
NOTES
1 An example of how to derive K”’ from Ii is to comple-
7.4 MAC Algorithm 4
ment alternate substrings of four bits of Ii commencing
with the first four bits. Another example is to derive
MAC Algorithm 4 uses Initial Transformation 2 and
both I< and I<”’ from a common master key.
Output Transformation 2. The MAC algorithm key con-

---------------------- Page: 8 ----------------------
@ ISO/IEC
IS O/IEC 9797-1 : 1999( E)
I<
I I
Iï 3
c
truncation
MAC
Figure 5 - MAC Algorithm 4.
MAC
The final MAC is obtained by a bitwise exclusive-or be-
Figure 4 - MAC Algorithm 3.
tween intermediate values XACi and MACa, i.e.,
M.4C := MAC1 CE MAC:,
sists of two block cipher keys I< and that shall be
chosen independently. A third block cipher key I<” shall
7.6 MAC Algorithm 6
be derived from Ii’. The values of I<, Iï’) and I<” shall
be different. The block cipher keys I< and I<” are used
MAC Algorithm 6 uses two parallel instances of MAC
with Initial Transformation 2, and the block cipher keys
Algorithm 4, resulting iii two intermediate values,
I< and I<‘ are used with Output Transformation 2.
MACl and MAC:, respectively. The MAC: algorithm
key consists of two block cipher keys I< and I<’- that
NOTE - An example of how to derive IC” from K’ is
shall be chosen independently.
to complement alternate substrings of four bits of Ir”
commencing with the first four bits. Another example
The keys (Ki, Ki) and (I<:,. Ki) used for the first and
is to derive both Ii‘ and IC” from a common master
second instances respectively shall be derived from the
key.
keys (I<, I<’) in such a way that Ii1 and Ki are different,
Ii:, and I<; are different, and the pairs (KI, Ki) and
(I<2, Ki) are different.
The number of blocks in the padded version of the data
string shall be greater than or equal to two, i.e., q 2 2.
NOTES
MAC Algorithm 4 is illustrated in Figure 5.
1 An example of how to derive (KI, Ki) and (Ii2, I<;)
from (IC, IC’) is to take Ki equal to I<, Ki equal to IC’,
and to construct Iiz (IC;) by complementing alternate
7.5 MAC Algorithm 5
substrings of eight bits of KI (Ki) commencing with
MAC Algorithm 5 uses two parallel instances of MAC
the first eight bits.
Algorithm 1, resulting in two intermediate values,
2 MAC Algorithm 4 internally uses a derived key I?,
MAC1 and MAC2 respectively. The MAC algorithm
which means that MAC Algorithm G uses in total six
key consists of the block cipher key Ii. The keys Ii‘l
block cipher keys (KI, IC:, Ici’) and (K2, IC; IC:). It is
and I<2 used for the first and second instances are de-
recommended to check that all of these keys are differ-
rived from the key A’. The values of IC1 and Ii2 shall
ent.
be different.
The number of blocks in the padded version of the data
NOTE - An example of how to derive Iii and IC2
string shall be greater than or equal to two, i.e., q 2 2.
from Ir‘ is to take IC1 equal to IC and to construct It‘2
by complementing alternate substrings of four bits of Ii
The final MAC is obtained by a bitwise exclusive-or be-
commencing with the first four bits. Another example
tween intermediate values MAC1 and MAC:,, i.e.,
is to derive both KI and IC2 from a common master key
in such a way that they are different. MAC := MACI û? MAC2 .
6

---------------------- Page: 9 ----------------------
I
@ IÇO/IEC
ISO/IEC 9797-1:1999(E)
Annex A
(inforrnat ive)
Examples
This annex presents examples of the generation of a
O Padding Method 2: q = 3
MAC using the DEA (see ASS1 X3.92). The plain-
texts are the 7-bit ASCII codes (no parity) for data
Dl 4E 6F 77 20 69 73 20 74
string 1: “N~wuis~theutime~for~allu” and data
Dz 68 65 20 74 69 6D 65 20
string 2: “Nowuisutheutimeuforuit“. where .U’’ de-
i 03 66 6F 72 20 69 74 80 O0
notes a blank. ASCII coding is equivalent to cod-
ing using IS0 646. The two key values used are
O Padding Method 3: q = 4
K = 0123456789ABCDEF (hexadecimal). and I<’ =
FEDCBA9876543210 (hexadecimal). The key parity bits
ID1 1 O0 O0 O0 O0 O0 O0 O0 BO1
are ignored. Derived keys are computed by complemerit-
ing alternate substrings of four bits commencing with
the first four bit,s. For MAC Algorithms 1: 2, 3. and 4,
m = 32, while for MAC Algorithms 5 and 6, m = 64.
All values are written in hexadecimal notat,ion.
For data string 1, the results of the three padding meth-
A.l MAC Algorithm 1
ods are as follows:
Data string 1 with Padding Method 1
O Padding Method 1: y = 3
OB 2E 73 F8 8D C5 85 6A
Padding Method 2: q = 4
M.4C = 70 A3 06 40
Data string 1 with Padding Method 2
key (K) 101 23 45 67 89 AB CD EF
H1 13F A4 OE $A 98 4D 48 15
O Padding Method 3: y = 4
57 C1 2E FE F1 20 2D 35
D- $Hl
OB 2E 73 F8 8D C5 85 6A
H2
6D 41 O1 D8 EC A9 E9 4A
D3$H2
70 A3 06 40 CC 76 DD 8B
H3
FO A3 06 40 CC 76 DD 8B
04 9 H3
G= H4
10 El FO F1 08 34 1B 6D
For data string 2, the results of the three padding rnet’h-
ods are as follows:
MAC = 10 E1 FO Fi
O Padding Method 1: y = 3
Data string 1 with Padding Method 3
7

---------------------- Page: 10 ----------------------
IS O / IEC 9 797- 1 : 1999 (E) @ ISO/IEC
key (I<) 101 23 45 67 89 AB CD EF
H1 14B B5 82 65 DD 87 B3 05
key (I<”’) F1 D3 B5 97 79 5B 3D 1F
05 DA F5 45 B4 F4 93 71
G 10 F9 BC 67 A0 3C D5 D8
40 C4 O0 AD 74 2E 4F D6
28 Al 20 D9 1D 43 2A F6
MAC = 10 F9 BC 67
23 7D 5F 95 OB F7 1F .57
45 12 2D B5 GA 9B 73 77
2C 58 FB 8F F1 2A AE AC
Data string 1 with Padding Method 2
key (I<’”)lFl D3 B5 97 79 5B 3D 1F
MAC = 2C 58 FB 8F
G ]BE 7C 2A Bi D3 6B F5 B7
M.AC = BE 7C 2A B7
O1 23 45 67 89 AB CD EF
key (I<)
3F A4 OE 8A 98 4D 48 15
Hi
Data string 1 with Padding Method 3
57 C1 2E FE F1 20 2D 3.5
02 $Hl
key (I<’”)IFl D3 B5 97 79 5B 3D 1F
OB 2E 73 F8 8D C5 85 6A
H2
G 18E FC 8B C7 C2 72 BE 5C
6D 41 O1 D8 E4 B1 85 GA
D36H2
E4 5B 3A D2 B7 CC 08 56
G=H3
MAC = 8E FC 8B C7
MAC = E4 5B 3A D2
Data string 2 with Padding Method 1
Data string 2 with Padding Method 2
key (I<”’)\F1 D3 B5 97 79 5B 3D 1F
G 121 SE 9C E6 D9 1B C7 FB
MAC = 21 5E 9C E6
OB 2E 73 F8 8D C5 85 6A
key (I<’”) F1 D3 B5 97 79 5B 3D 1F
G 17 36 AC 1A 63 63 OE FB
MAC = A9 24 C7 21
AlAc = 17 36 AC 1A
Data string 2 with Padding Method 3
key (I<) I O1 23 45 67 89 AB CD EF
Data string 2 with Padding Method 3
H1 IDF 9C D6 EA 7E 5A El 62
91 F3 Al CA 17 29 C1 16
key (i<”’)]Fl D3 B5 97 79 5B 3D 1F
C7 6F BO 02 94 A4 19 BE
G 105 38 26 96 27 4F B4 FO
AF OA 90 76 FD C9 7C 9E
83 02 28 FD 78 D7 BE 71
MAC = 05 38 26 96
E5 6D 5A DD 11 A3 BE 71
B1 EC D6 FC 8B 37 C3 92
A.3 MAC Algorithm 3
MAC = B1 EC D6 FC
The first q steps are identical to those of MAC Algo-
rithm l. The only difference is that Output Transfor-
mation 3 is applied instead of Output Transformation 1.
A.2 MAC Algorithm 2
The first q steps are identical to those of MAC Algo-
Data string 1 with Padding Method 1
rithm l. The only difference is that Output Transfor-
mation 2 is applied instead of Output Transformation 1.
Al C7 2E 74 EA 3F A9 B6
8

---------------------- Page: 11 ----------------------
ISO/IEC 9797-1:1999(E)
@ ISO/IEC
MAC = AI C7 2E 74 MAC = AD 35 02 B7
-key (I<’) FE DC BA 98 76 54 32 10
Data string 1 with Padding Method 2
output of d 79 53 7F EE 18 CF 18 93
G E9 08 62 30 CA 3B E7 96
O1 23 45 67 89 AB CD EF
key (ii)
key (Ji’) FE DC BA 98 76 54 32 10
lI.AC = E9 08 62 30
key (ii”) OE 2C 4A 68 86 A4 C2 EO
output of e 3F A4 OE 8A 98 4D 48 15
EA FO 4B F5 31 ED 33 5E
H1
82 95 6B 81 58 80 56 7E
D?d?Hl
key (Ii’) FE DC BA 98 76 54 32 10
H2 7E 7F 98 A0 C8 B1 65 6C
output of d
FE B3 B9 66 1D BE DE CD
18 10 EA 80 A9 DD O9 4C
D3@H2
G AB 05 94 63 D7 A7 D1 70
7B 03 OA AE 67 411 C9 24
H3
FB 93 OA AE 67 4.1 C9 24
D33H3
MAC = AB 05 94 63
26 C4 FA D7 2E 6D D3 A2
H4
G 61 C3 33 E3 42 C5 53 7C
51.4C = 61 C3 33 E3
‘key (Ji’) FE DC BA 98 76 54 32 10
output of d 32 84 Ci 8B Al CA OB 3F
G LE 2B 14 28 CC 78 25 4F
Data string 1 with Padding Method 3
key (Iï) O1 23 45 67 89 AB CD EF
Lf;\C = 2E 2B 14 28
key (KI) FE DC BA 98 76 54 32 10
key (Ii”) OE 2C 4A 68 86 A4 C2 EO
3iitput of E 4B B3 82 65 DD 87 B3 O5
71 5A F8 BE DA BE 90 44
key (Ii‘) FE DC BA 98 76 54 32 10 Hi
02 @ Hi 3F 35 8F 9E B3 CD BO 30
output of d
7.4 71 XF 2F 5D 15 40 A7
.50 2A 04 42 6.4 80 B6 OB
G 512 69 2C E6 4F 40 41 45 H2
38 4F 24 36 03 ED D3 2B
03 a H?
AF 13 8C 04 99 9B 84 30
H3
\f,AC = 5A 69 2C E6
C9 7C FE 74 F8 F7 E8 10
03 @ H3
7F 90 05 61 B4 2C CE D2
H4
G
95 2A F8 38 98 9B 5C O0
key (ii’) FE DC BA 98 76 54 32 10
output of d 20 97 B4 0.5 F1 9E 2D D8
G C3 9F 7E ED 32 8D DD 69
hI.AC = C5 9F 7E ED
01 23 45 67 89 AB CD EF
key (I<)
key (KI)
FE DC BA 98 76 54 32 10
OE 2C 4A 68 86 .44 C2 EO
e 3F A4 OE 8A 98 4D 48 15
EA FO 4B F5 31 ED 33 5E
O1 23 40 67 89 AB CD EF
key (I<) 82 95 6B 81 58 80 56 7E
key (ii’) FE DC BA 98 76 54 32 10
7E 7F 98 A0 C8 B1 65 6C
key (ii”) OE 2C 4A 68 86 A4 C2 EO
18 10 EA 80 Al C5 65 6C
output of e 3F A4 OE 8A 98 4D 48 15
21 FC 35 F2 B2 26 6C 9A
EA FO 4B F5 31 ED 33 5E
H1 05 F1 08 4C 1D E3 A3 3D
82 95 6B 81 58 80 56 7E
D’$Hi
7E 7F 98 A0 C8 B1 65 6C
H2
MAC = 05 FI 08 4C
18 10 EA 80 A9 DD O9 4C
DS$H?
7B 93 OA AE 67 4A C9 24
H3
G AD 35 02 B7 AC 4A 48 A0
9

---------------------- Page: 12 ----------------------
@ ISO/IEC
ISO/IEC 9797’-1:1999(E)
&TAC = 70 FO 5E C9 E4 F7 2F 99
O1 23 45 67 89 AB CD EF
key (I<)
key (I<’) FE DC BA 98 76 54 32 10
Data string 1 with Padding Method 3
key (1;”) OE 2C 4A 68 86 A4 C2 EO
Ikey (Ii1) 101 23 45 67 89 AB CD EF]
output of e 3F A4 OE 8A 98 4D 48 15
2C 58 FB
...