The security of the ISO banking standard Message Authenticator Algorithm (ISO 8731-2), also known as MAA, is considered. The attacks presented herein, which exploit the internal structure of the algorithm, are the first computationally feasible attacks on MAA. First a MAC forgery attack is presented that requires 217 messages of 256 kbytes or 224 messages of 1 kbyte; the latter circumvents the special MAA mode for long messages defined in the standard. Next a key recovery attack on MAA is described which requires 232 chosen texts consisting of a single message block. The number of off-line multiplications for this attack varies between 244 for one key in 1000 to about 251 for one key in 50. This should be compared to about 3 · 265 multiplications for an exhaustive key search. Finally it is shown that MAA has 233 keys for which it is rather easy to create a large cluster of collisions. These keys can be detected and recovered with 227 chosen texts. From these attacks follows the identification of several classes of weak keys for MAA.

Additional Metadata
Persistent URL dx.doi.org/10.1002/ett.4460080504
Journal European Transactions on Telecommunications
Citation
Preneel, B. (Bart), Rijmen, V. (Vincent), & Van Oorschot, P. (1997). Security Analysis of the Message Authenticator Algorithm (MAA). European Transactions on Telecommunications, 8(5), 455–470. doi:10.1002/ett.4460080504