The security of iterated message authentication code (MAC) algorithms is considered, and in particular, those constructed from unkeyed hash functions. A new MAC forgery attack applicable to all deterministic iterated MAC algorithms is presented, which requires on the order of 2n/2 known textMAC pairs for algorithms with n bits of internal memory, as compared to the best previous general attack which required exhaustive key search. A related key-recovery attack is also given which applies to a large class of MAC algorithms including a strengthened version of CBC-MAC found in ANSI X9.19 and ISO/IEC 9797, and envelope MAC techniques such as "keyed MD5." The security of several related existing MAC's based directly on unkeyed hash functions, including the secret prefix and secret suffix methods, is also examined.

Additional Metadata
Keywords Collisions, Cryptanalysis, Data authentication, Hash functions, Message authentication codes
Persistent URL
Journal IEEE Transactions on Information Theory
Preneel, B. (Bart), & Van Oorschot, P. (1999). On the security of iterated message authentication codes. IEEE Transactions on Information Theory, 45(1), 188–199. doi:10.1109/18.746787