GB 15852-1995 Information technology security technology - Data integrity mechanism using block cipher algorithm as cryptographic check function
Some standard content:
GB15852—1995
This standard is equivalent to the international standard ISO/IEC9797:1994 "Data integrity mechanism using block cipher algorithm as cryptographic check function for information technology security technology".
The data integrity mechanism using block cipher algorithm as cryptographic check function specified in this international standard is suitable for use in my country. Appendix A of this standard is a standard appendix. Appendix B and Appendix C of this standard are suggestive appendices. This standard was proposed by the Ministry of Electronics Industry of the People's Republic of China. This standard is under the jurisdiction of the Standardization Research Institute of the Ministry of Electronics Industry. The drafting unit of this standard: the 30th Research Institute of the Ministry of Electronics Industry. The main drafters of this standard: Xiang Qijiao, Huang Yuejiang, Wu Shizhong, Du Mingyu. 567
GB15852—1995
ISO/IEC Foreword
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form a specialized system of standardization within a world-wide framework. Member countries of ISO or IEC participate in the development of international standards through technical committees established by various organizations dealing with special technical activities. ISO and IEC technical committees collaborate in fields of common interest. Other official and non-governmental international organizations, in liaison with ISO and IEC, also take part in this work.
In the field of information technology, ISO and IEC have established a joint technical committee ISO/IEC JTC1. Draft international standards accepted by the joint technical committee are circulated to the member countries for voting. Publication of an international standard requires a vote by at least 75% of the member countries. International Standard ISO/IEC 9797 was prepared by Subcommittee SC27 on IT Security Technology of Joint Technical Committee ISO/IEC JTC1 on Information Technology.
This second edition replaces the first edition (ISO/IEC 9797:1989), which was revised and extended to include a filling method and an optional process, and a new annex containing several examples. Annex A is an integral part of this International Standard. Annexes B and C are for information only. 568
GB15852—1995
The mechanism specified in this standard is the same as that used in ISO8731-1, ISO9807 and ANSI X9.9, except that it uses an algorithm with n-bit data blocks, an m-bit check value and specifies an additional padding method. The method for calculating the cryptographic check value described in ISO8731-1, ANSI X9.9 and ANSI X9.19 is a special case of this standard, that is, when n=64m=32, padding method 1 specified in 5.1 is used and the DEA (see ANSI X3.92:1981) data encryption algorithm is used.
1 Scope
National Standard of the People's Republic of China
Information technology security technology-Data integrity mechanism using a cryptographic check function employing a block'cipher algorithmGB15852—1995
idt ISO/IEC 9797:1994
This standard specifies a method for calculating a bit cryptographic check value using a key and a bit block cryptographic algorithm. This method can be used as a data integrity mechanism to detect whether the data has been changed without authorization. The strength of this data integrity mechanism depends on the length and confidentiality of the key, the characteristics of the cryptographic algorithm and the length m of the check value. This standard is applicable to the security services of any security architecture, process or application. 2 Referenced standards
The provisions contained in the following standards constitute the provisions of this standard through reference in this standard. When this standard was published, the versions shown were valid. All standards will be revised, and parties using this standard should explore the possibility of using the latest versions of the following standards. GB/T9387.2-1995 Information Processing Systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture (idtISO 7498-2:1989)wwW.bzxz.Net
ISO/IEC10116:1991 Information technology n-bit block cipher algorithm working mode 3 Definitions and notation
3.1 Definitions
This standard uses the terms defined in GB/T9387.2 and ISO/IEC10116. 3.1.1 Cryptographic check value Information obtained by cryptographically transforming a data unit. 3.1.2 Data integrity refers to the property that data has not been changed or destroyed without authorization. 3.1.3 n-bit block cipher algorithm n-bit block cipher algorithm The length of both the plaintext block and the ciphertext block is n bits. 3.2 Notation
This standard refers to the cryptographic check value as a message authentication code (MAC). In the context of this standard, when the terms "most significant bit/byte" and "least significant bit/byte" have a certain meaning, for example, if the bit string is regarded as a numerical value, the leftmost bits of a block are the most significant bits. 4 Requirements
The length of the MAC (m) should be less than or equal to the length of the block (n). The result of the calculation and the result of any optional process is an information block of length n, and the leftmost m bits of the last n-bit block form the MAC. Approved by the State Administration of Technical Supervision on December 13, 1995 570
Implementation on August 1, 1996
5 MAC calculation
5.1 Padding and blocking
GB15852—1995
The generation of the MAC requires the selection of one of the following two padding methods. The means of making this selection is beyond the scope of this standard. Method 1
The data for which MAC is to be calculated should be padded with the necessary several (possibly none) "0" bits to obtain a data string with a length (in bits) that is an integer multiple of n.
Method 2
The data for which MAC is to be calculated should first be padded with a "1' bit, and then padded with the necessary several (possibly none) \0" bits to obtain a data string with a length (in bits) that is an integer multiple of n. If the verifier does not know the length of the data, padding method 2 should be used because this method allows the verifier to find out the padded "0" bits. The resulting data is divided into blocks of n bits (D1Dz,,D,). According to the selected padding method, the bits padded to the original data are only used to calculate and verify the MAC, so these padding bits (if any) do not have to be stored or transmitted with the original data. The verifier should know whether these padding bits have been stored or transmitted and what padding method is used. 5.2 Encryption Key
The key should be generated randomly or quasi-randomly. If the algorithm is also used for message encryption, the key used to calculate the MAC should be different from the key used for data encryption.
5.3 Initial Step
The MAC is calculated as shown in Figure 1.
The input register is initialized by the first block (Di). The input data (I,) is passed through the algorithm (A) using the key (K) to generate n bits and stored in the output register (O,).
5.4 Subsequent Steps
The next n bits of data (Dz) are bitwise XORed with the n bits in the output register (O1) and the result is loaded into the next input register (I,). The data in the input register (I,) is passed through the algorithm (A) using the key (K) to generate n bits and stored in the output register (O,). This operation continues until all data blocks have been processed. The result is the final output block (O.). 5.5 Optional Process
The final output block (O,) may be optionally processed to increase the strength of the MAC. The optional process (if used) shall be selected from the ones specified in Appendix A (Standard Appendix). 5.6 MAC
The leftmost m bits of the last n-bit block constitute the MAC. Note: If the optional process specified in Section A1 of Appendix A (Standard Appendix) is used, the threat of exhaustive search attacks can be mitigated. In particular, when m=n, it is recommended to use this optional process.
Step 1
GB 158521995
Step 2
Step Q-1
A Encryption
I Input block i=,.)
An bit block cipher algorithm
0. Output block (i-1.q)
K Milang
Data block i-1....
XOR
Figure 1 Calculation of MAC
A Encryption
Optional process
Interconnection
A1 Optional process 1
GB:15852-1995
Appendix
(Standard Appendix)
Optional process
The following process specifies an optional process (see 5.5), which can be used according to the pre-agreed between the sender and the receiver. This optional process increases the strength of MAC against exhaustive key search and chosen plaintext attacks: In this optional process, two encryption keys are used, denoted as (K) and (K,). First, the n-bit block (0,) is generated using the key (K) according to the process specified in 5.3 and 5.4, and then two additional steps are performed (see Figure AD:
A Decryption
A Encryption
Min<,n
Figure A1 Optional Process 1
a) Decrypt the output (O,) using the key (K,) to obtain (O); b) Encrypt (O) using the key (K) to obtain (O\). This completes the optional process and the MAC is obtained as specified in 5.6. A2 Optional Process 2
The following process specifies an optional process (see 5.5) that can be used as agreed upon between the sender and the receiver. This optional process increases the strength of the MAC against chosen plaintext attacks. In this optional process, two encryption keys are used, denoted as (K) and (K,), where (K,) can be derived from (K). Note: Starting from the first 4-bit group, the alternating complement and unchanged addition of every 4 bits of (K) is an example of deriving (K,) from (K). First, generate the bit block (O) with the key (K) according to the process specified in 5.3 and 5.4, and then perform an additional step (see Figure A2): 573
Encrypt the output (O) with (K) to obtain (O) GB15852—1995
After encryption
cross xmcn
Figure A2 Optional Process 2
This completes the optional process, and the MAC is obtained according to the provisions of 5.6. Appendix B
(Reminder)
This appendix gives several examples of generating MACs using the encryption algorithm DEA (see ANSI X3.92) for padding methods 1 and 2 and optional processes 1 and 2. The plaintexts are "Nawisthe-timelforLallL\ and \NowistheLitiueL-forit" respectively? bit ASCI code (without parity bit) 1, where \L" represents a space. If padding method 1 is selected, the first plaintext does not need any padding. The key (K) is 0123456789ABCDEF, and the key K,) is selected as FEDCBA9876543210 in optional process 1, while in optional process 2, the key (K1) is derived according to the note of A2 in Appendix A (Standard Appendix). Padding method 1
Example 1 NowLjistJtheLJtimeL-dorlallMitidal(K)
Adoption instructions:
1] my country's standard GB1988--89 (Information Processing 374
The seven-bit coded character set for information point exchange is equivalent to the ASC code.AB
Mitlang(K)
I2=0,Dz
L,=02D,
GB15852-1995
If the optional process is not used, MAC consists of the leftmost m bits of (O;).Optional process 1
Mitlang(K)
MAC consists of the leftmost m bits of (O\).Optional process 2
Key(Ki)
MAC It consists of the leftmost m bits of (O\,). Example 2: Now is the L-time for it
Key (K)
I=O,OD
If the optional process is not used, MAC consists of the leftmost m bits of (O3). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O). DC
B2 filling method 2
GB15852-1995
Example 1: Now is Lthel-time faralld||t t||Key (K)
I2=OiOD2
1=02OD
L=O,OD,
If the optional process is not used, MAC consists of the leftmost m bits of (O,). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O\). Example 2.Nowisthetimelfortit
Key (K)
12=0ByD
GB15852—1995
If the optional process is not used, MAC It consists of the leftmost m bits of (O,). Optional process 1
Secret period (Ki)
MAC consists of the leftmost m bits of (O\). Optional process 2
Secret period (K,)
MAC consists of the leftmost m bits of (O'3). DC
Appendix C
(Informative Appendix)
References
[1] ISO 8731-1:1987
Approved algorithms for banking message authentication Part 1: Data Encryption Algorithm (DEA)[2]ISO 9807:1991 Requirements for message authentication for banking and related financial services (retail)[3]ISO/IEC 9979,1991
Registration procedures for cryptographic algorithms for data encryption techniques[4]ISO/IEC 10181-5:1>
[5] ANSI X3. 92:1981
[6] ANSI X9. 9:1986
[7]J ANSI X9. 19:1986
1) This document is hereby issued.
Information Technology Open Systems Interconnection Security Framework for Open Systems: Integrity Framework Data Encryption Algorithm
Message Identification for Financial Institutions (Wholesale)
Message Identification for Financial Institutions (Retail)92) Several examples of generating MAC. The plaintexts are "Nawisthe-timelforLallL\ and \NowistheLitiueL-forit" respectively? 1-bit ASCI code (without parity bit), where \L" represents a space. If padding method 1 is selected, the first plaintext does not need any padding. The key (K) is 0123456789ABCDEF, and the key K,) is selected as FEDCBA9876543210 in optional process 1, while in optional process 2, the key (K1) is derived according to the note of A2 in Appendix A (Standard Appendix). Padding method 1
Example 1 NowLjistJtheLJtimeL-dorlallMitidal(K)
Adoption instructions:
1] my country's standard GB1988--89 (Information Processing 374
The seven-bit coded character set for information point exchange is equivalent to the ASC code.AB
Mitlang(K)
I2=0,Dz
L,=02D,
GB15852-1995
If the optional process is not used, MAC consists of the leftmost m bits of (O;).Optional process 1
Mitlang(K)
MAC consists of the leftmost m bits of (O\).Optional process 2
Key(Ki)
MAC It consists of the leftmost m bits of (O\,). Example 2: Now is the L-time for it
Key (K)
I=O,OD
If the optional process is not used, MAC consists of the leftmost m bits of (O3). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O). DC
B2 filling method 2
GB15852-1995
Example 1: Now is Lthel-time faralld||t t||Key (K)
I2=OiOD2
1=02OD
L=O,OD,
If the optional process is not used, MAC consists of the leftmost m bits of (O,). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O\). Example 2.Nowisthetimelfortit
Key (K)
12=0ByD
GB15852—1995
If the optional process is not used, MAC It consists of the leftmost m bits of (O,). Optional process 1
Secret period (Ki)
MAC consists of the leftmost m bits of (O\). Optional process 2
Secret period (K,)
MAC consists of the leftmost m bits of (O'3). DC
Appendix C
(Informative Appendix)
References
[1] ISO 8731-1:1987
Approved algorithms for banking message authentication Part 1: Data Encryption Algorithm (DEA)[2]ISO 9807:1991 Requirements for message authentication for banking and related financial services (retail)[3]ISO/IEC 9979,1991
Registration procedures for cryptographic algorithms for data encryption techniques[4]ISO/IEC 10181-5:1>
[5] ANSI X3. 92:1981
[6] ANSI X9. 9:1986
[7]J ANSI X9. 19:1986
1) This document is hereby issued.
Information Technology Open Systems Interconnection Security Framework for Open Systems: Integrity Framework Data Encryption Algorithm
Message Identification for Financial Institutions (Wholesale)
Message Identification for Financial Institutions (Retail)92) Several examples of generating MAC. The plaintexts are "Nawisthe-timelforLallL\ and \NowistheLitiueL-forit" respectively? 1-bit ASCI code (without parity bit), where \L" represents a space. If padding method 1 is selected, the first plaintext does not need any padding. The key (K) is 0123456789ABCDEF, and the key K,) is selected as FEDCBA9876543210 in optional process 1, while in optional process 2, the key (K1) is derived according to the note of A2 in Appendix A (Standard Appendix). Padding method 1
Example 1 NowLjistJtheLJtimeL-dorlallMitidal(K)
Adoption instructions:
1] my country's standard GB1988--89 (Information Processing 374
The seven-bit coded character set for information point exchange is equivalent to the ASC code.AB
Mitlang(K)
I2=0,Dz
L,=02D,
GB15852-1995
If the optional process is not used, MAC consists of the leftmost m bits of (O;).Optional process 1
Mitlang(K)
MAC consists of the leftmost m bits of (O\).Optional process 2
Key(Ki)
MAC It consists of the leftmost m bits of (O\,). Example 2: Now is the L-time for it
Key (K)
I=O,OD
If the optional process is not used, MAC consists of the leftmost m bits of (O3). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O). DC
B2 filling method 2
GB15852-1995
Example 1: Now is Lthel-time faralld||t t||Key (K)
I2=OiOD2
1=02OD
L=O,OD,
If the optional process is not used, MAC consists of the leftmost m bits of (O,). Optional process 1
Key (K,)
MAC consists of the leftmost m bits of (O\). Optional process 2
Key (K)
MAC consists of the leftmost m bits of (O\). Example 2.Nowisthetimelfortit
Key (K)
12=0ByD
GB15852—1995
If the optional process is not used, MAC It consists of the leftmost m bits of (O,). Optional process 1
Secret period (Ki)
MAC consists of the leftmost m bits of (O\). Optional process 2
Secret period (K,)
MAC consists of the leftmost m bits of (O'3). DC
Appendix C
(Informative Appendix)
References
[1] ISO 8731-1:1987
Approved algorithms for banking message authentication Part 1: Data Encryption Algorithm (DEA)[2]ISO 9807:1991 Requirements for message authentication for banking and related financial services (retail)[3]ISO/IEC 9979,1991
Registration procedures for cryptographic algorithms for data encryption techniques[4]ISO/IEC 10181-5:1>
[5] ANSI X3. 92:1981
[6] ANSI X9. 9:1986
[7]J ANSI X9. 19:1986
1) This document is hereby issued.
Information Technology Open Systems Interconnection Security Framework for Open Systems: Integrity Framework Data Encryption Algorithm
Message Identification for Financial Institutions (Wholesale)
Message Identification for Financial Institutions (Retail)
Tip: This standard content only shows part of the intercepted content of the complete standard. If you need the complete standard, please go to the top to download the complete standard document for free.