Security Analysis of the Message Authenticator Algorithm (MAA)
The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731-2), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 217 messages of 256 kbytes or 224 messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 232 chosen texts consisting of a single message block. The number of off-line multiplications for this attack varies between 244 for one key in 1000 to about 251 for one key in 50. This should be compared to about 3 · 265 multiplications for an exhaustive key search. Finally it is shown that MAA has 233 keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 227 chosen texts. From these attacks follows the identification of several classes of weak keys for MAA.
|Journal||European Transactions on Telecommunications|
Preneel, B. (Bart), Rijmen, V. (Vincent), & Van Oorschot, P. (1997). Security Analysis of the Message Authenticator Algorithm (MAA). European Transactions on Telecommunications, 8(5), 455–470. doi:10.1002/ett.4460080504