CN1369157A - Method and apparatus for generating message authantion code - Google Patents


Info

Publication number
CN1369157A
Authority
CN
China
Prior art keywords
group
generator
message
bit
crc
Prior art date
Legal status
Granted
Application number
CN00811485A
Other languages
Chinese (zh)
Other versions
CN1163018C (en)
Inventor
G. G. Rose
P. E. Bender
R. F. Quick Jr.
J. K. Wolf
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc
Application filed by Qualcomm Inc
Publication of CN1369157A
Application granted
Publication of CN1163018C
Anticipated expiration
Current legal status: Expired - Fee Related


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/34 Encoding or coding, e.g. Huffman coding or error correction
    • H04L2209/80 Wireless

Abstract

A method for generating a message authentication code (MAC) includes the step of distributing the bits of a message into a larger message in accordance with a pseudorandom distribution format. The cyclic redundancy check (CRC) bits of the larger message are computed and used as the MAC for the message. The larger message need not actually be created: for each message bit, the remainder modulo the CRC polynomial of the polynomial x^i, where i is the intended bit position in the larger message, is calculated, and an exclusive-OR (XOR) operation is performed, bit by bit, on the CRC and the calculated remainder to derive the new CRC.

Description

Method and apparatus for generating a message authentication code
Background of the invention
I. Field of the invention
The present invention relates generally to the field of communications, and more particularly to the generation of message authentication codes.
II. Background
A message authentication code (MAC) is a cryptographically derived item that can be appended to a message to verify that the message originated from a particular party and has not been altered by any other party. This makes MACs useful in many areas of telecommunications. One example area is wireless communication.
The field of wireless communications has many applications including, for example, cordless telephones, paging, wireless local loops, wireless data applications such as personal digital assistants (PDAs), wireless telephony such as cellular and PCS telephone systems, mobile Internet Protocol (IP) telephony, and satellite communication systems. A particularly important application is wireless telephony for mobile subscribers.
Various over-the-air interfaces have been developed for wireless communication systems including, for example, frequency division multiple access (FDMA), time division multiple access (TDMA), and code division multiple access (CDMA). In connection therewith, various domestic and international standards have been established including, for example, Advanced Mobile Phone Service (AMPS), Global System for Mobile Communications (GSM), and Interim Standard 95 (IS-95).
An exemplary wireless telephony communication system is a code division multiple access (CDMA) system. The IS-95 standard and its derivatives IS-95A, ANSI J-STD-008 and IS-95B, the proposed third-generation standards IS-95C and IS-2000, proposed high-data-rate CDMA standards dedicated to data, etc. (referred to collectively herein as IS-95) are promulgated by the Telecommunication Industry Association (TIA) and other well-known standards bodies to specify the use of a CDMA over-the-air interface in cellular or PCS telephony communication systems. Exemplary wireless communication systems configured substantially in accordance with the IS-95 standard are described in U.S. Patent Nos. 5,103,459 and 4,901,307, which are assigned to the assignee of the present invention and fully incorporated herein by reference.
In a typical communication, a MAC m is computed as the output of a function whose inputs are the message M (of length L_M) and a shared secret key K known only to the originator and the recipient of the message. If the function is chosen to be secure, an active attacker who can intercept and potentially modify the transmitted message can neither discover the key K nor produce, with any useful probability, a message that the recipient will accept as valid. If the MAC m has length L_m bits, the attacker can always simply guess the value of m for a desired message, with probability 1/2^{L_m} of guessing correctly. Any guarantee of MAC security is therefore essentially probabilistic. Whether an error is introduced intentionally or at random, a MAC generally provides no better than this probability of detecting it. In particular, a single bit error in the message generally has the same chance of matching the attached MAC as any other substitution. Although this probability is small, it is still significant.
A cyclic redundancy check (CRC) is an example of a well-known error-correcting code (ECC). ECCs are used in many applications in which the data being sent may be subject to errors and it is desired that the receiving function detect, and where possible correct, the most common errors. CRCs are efficient to compute and have useful error detection properties. If the received message M contains errors in any small number of bit positions, the CRC is guaranteed to detect that an error has occurred and, in fact, to indicate which positions are in error (assuming the error is as small as possible). This permits error correction. The CRC is computed by treating the bits of the message as the coefficients of a polynomial and computing the remainder when this polynomial is divided by a polynomial P of degree L. Careful selection of the polynomial P provides the desired error detection and correction properties. Although CRCs are good at detecting the kinds of random errors introduced during transmission, they are useless for preventing active attacks of any kind, because an attacker can easily compute the effect on the CRC of any modification of the message. The attacker can then modify the CRC accordingly. This remains true even if secret information is incorporated into the computation of the CRC but not sent with the message.
It would be desirable to provide a combined MAC/CRC, i.e., a code that carries the guarantee that small random errors of the kind a CRC would detect will be detected by a mismatch between the message and its MAC. Such a code would also usefully guarantee, at the same time, that an active attacker who does not know the secret information K cannot discover K or "forge" a message with probability better than 1/(2^k - 1). (It should be noted, as is known to those skilled in the art, that the extra "1" in the probability value derives from the fact that the attacker knows that, in this case, the original MAC will not be used for a message that is mostly identical to the one the attacker has modified, so the attacker will instead select one of the other possible MACs at random.) There is thus a need for a method of generating a MAC with guaranteed error detection properties.
Brief summary of the invention
The present invention is directed to a method of generating a MAC with guaranteed error detection properties. Accordingly, in one aspect of the invention, a method of generating a message authentication code advantageously includes the steps of: distributing a first plurality of message bits pseudorandomly, in a key-dependent manner, into a second plurality of bit positions; generating a third plurality of bits comprising the CRC of the second plurality of bits; and transmitting the first plurality of message bits together with a message authentication code comprising the third plurality of bits.
In another aspect of the invention, a generator configured to generate a message authentication code advantageously includes: means for distributing a first plurality of message bits pseudorandomly, in a key-dependent manner, into a second plurality of bit positions; means for generating a third plurality of bits comprising the cyclic redundancy check of the second plurality of bits; and means for transmitting the first plurality of message bits together with a message authentication code comprising the third plurality of bits.
In another aspect of the invention, a generator configured to generate a message authentication code advantageously includes a processor configured to distribute a first plurality of message bits pseudorandomly, in a key-dependent manner, into a second plurality of bit positions; a generator coupled to the distributor and configured to generate a third plurality of bits comprising the CRC of the second plurality of bits; and a transmitter coupled to the generator and configured to transmit the first plurality of message bits together with a message authentication code comprising the third plurality of bits.
In one embodiment of the invention, a method of pseudorandomly distributing the bits of a message advantageously includes the steps of: computing the remainder of the polynomial x^i modulo P, where i is a predetermined message bit position and P is a cyclic redundancy check polynomial; and, for each message bit equal to 1, performing a bitwise exclusive-OR of the CRC bits with the computed remainder.
Brief description of the drawings
Fig. 1 is a block diagram of a cellular telephone system.
Fig. 2 is a block diagram of a processor and associated storage elements for generating a message and an associated message authentication code (MAC).
Fig. 3 is a block diagram of a generator for generating a message and an associated MAC.
Fig. 4 is a schematic diagram of a register that may be used in the generator of Fig. 3 to apply a keyed pseudorandom number (PRN) message-bit distribution technique.
Fig. 5 is a schematic diagram of a cyclic redundancy check (CRC) generator that may be used in the generator of Fig. 3.
Fig. 6 is a flow chart illustrating method steps performed by a generator such as the generator of Fig. 3 to produce the MAC of a message.
Fig. 7 is a flow chart illustrating method steps performed by a generator such as the generator of Fig. 3 to produce the MAC of a message.
Detailed description of the preferred embodiments
The exemplary embodiments described below reside in a wireless telephone communication system configured to employ a CDMA over-the-air interface. Nevertheless, those skilled in the art will understand that a MAC generation method and apparatus embodying features of the present invention may reside in any of a variety of communication systems employing the wide range of technologies known to those skilled in the art.
As illustrated in Fig. 1, a CDMA wireless telephone system generally includes a plurality of mobile subscriber units 10, a plurality of base stations 12, base station controllers (BSCs) 14, and a mobile switching center (MSC) 16. The MSC 16 is configured to interface with a conventional public switched telephone network (PSTN) 18. The MSC 16 is also configured to interface with the BSCs 14. The BSCs 14 are coupled to the base stations 12 via backhaul lines. The backhaul lines may be configured to support any of several known interfaces including, for example, E1/T1, ATM, IP, PPP, Frame Relay, HDSL, ADSL or xDSL. It is to be understood that there may be more than two BSCs 14 in the system. Each base station 12 advantageously includes at least one sector (not shown), each sector comprising an omnidirectional antenna or an antenna pointed in a particular direction radially away from the base station 12. Alternatively, each sector may comprise two antennas for diversity reception. Each base station 12 may advantageously be designed to support a plurality of frequency assignments. The intersection of a sector and a frequency assignment may be referred to as a CDMA channel. The base stations 12 may also be known as base station transceiver subsystems (BTSs) 12. Alternatively, "base station" may be used in the industry to refer collectively to a BSC 14 and one or more BTSs 12. The BTSs 12 may also be denoted "cell sites" 12. Alternatively, individual sectors of a given BTS 12 may be referred to as cell sites. The mobile subscriber units 10 are typically cellular or PCS telephones 10. The system is advantageously configured for use in accordance with the IS-95 standard.
During typical operation of the cellular telephone system, the base stations 12 receive sets of reverse link signals from sets of mobile units 10. The mobile units 10 are conducting telephone calls or other communications. Each reverse link signal received by a given base station 12 is processed within that base station 12. The resulting data is forwarded to the BSCs 14. The BSCs 14 provide call resource allocation and mobility management functionality, including the orchestration of soft handoffs between base stations 12. The BSCs 14 also route the received data to the MSC 16, which provides additional routing services for interfacing with the PSTN 18. Similarly, the PSTN 18 interfaces with the MSC 16, and the MSC 16 interfaces with the BSCs 14, which in turn control the base stations 12 to transmit sets of forward link signals to sets of mobile units 10.
In accordance with one embodiment, as illustrated in Fig. 2, a mechanism 100 for generating a message that includes a MAC comprises a processor 102, a software module 104 and a storage medium 106. The processor 102 is advantageously a microprocessor or a special-purpose processor such as a digital signal processor (DSP), but may alternatively be any conventional form of processor, controller, microcontroller or state machine. The processor 102 is coupled to the software module 104, which is advantageously implemented as RAM memory holding the software instructions that direct the operation of the processor 102. The software instructions may comprise a software program or a set of microcode. The RAM memory 104 may be on-board RAM, or the processor 102 and the RAM memory 104 may reside in an ASIC. In an alternate embodiment, firmware instructions may be substituted for the software module 104. The storage medium 106 is coupled to the processor 102 and is advantageously implemented as a combination of RAM memory and any conventional form of nonvolatile memory such as ROM memory. As described below, the storage medium 106 is used to implement a linear feedback shift register (LFSR) for generating the MAC, and to store precomputed tables and instructions. For example, the instructions and tables may be stored in the ROM component and the register in the RAM component. Alternatively, the storage medium 106 may be implemented as disk storage or as flash memory accessible by the processor 102. Alternatively, the storage medium 106 may be implemented as registers. The mechanism 100 may reside in any conventional communication device, such as a mobile subscriber unit 10 or a base station 12 in the CDMA wireless telephone system of Fig. 1.
As illustrated in Fig. 3, in one embodiment a generator 200 for generating a message and an associated MAC includes a keyed pseudorandom number (PRN) distributor 202, a cyclic redundancy check (CRC) generator 204, a modulator 206 and a transmitter 208. The message bits of a message M are provided to the keyed PRN distributor 202. As described in detail below, the keyed PRN distributor 202 pseudorandomly distributes the message bits into a bit sequence in a key-dependent manner. The bit sequence containing the distributed message bits is provided to the CRC generator 204. The CRC generator 204 computes the CRC of the bit sequence containing the distributed bits in accordance with any conventional CRC computation method known to those skilled in the art.
The CRC generator 204 produces CRC bits, which serve as the MAC for the message bits. The MAC bits and the message bits are provided to the modulator 206. The modulator 206 modulates the received bits for transmission over a communication channel. The modulation scheme varies with the type of communication system and communication channel used. In one embodiment the modulation scheme is a CDMA scheme and the communication system is the wireless telephone system of Fig. 1. The modulator 206 provides the modulated message and MAC signal to the transmitter 208. The transmitter 208 transmits the modulated message and MAC signal over the communication channel.
In accordance with the embodiment described with reference to Fig. 3, the CRC of a larger "message" (bit sequence) is computed and transmitted as the MAC, where the bits of the original message M are distributed within that bit sequence in a key-dependent manner that an attacker cannot predict. In this way, small random errors can still be detected and corrected by the ordinary CRC mechanism, while an active attack (i.e., an intentional modification of an otherwise legitimate message) has only a limited probability of success.
Advantageously, the method by which the bits of the original message M are distributed within the larger message differs from message to message. Varying the distribution method prevents an attacker from gradually collecting messages to improve the probability of a successful attack. Because the MAC must guarantee the detection of small errors, if two similar messages are sent (with different MACs, by definition), the MAC of a third message that is similar to, but different from, both of them must also differ from both, so that the attacker can only choose at random among the 2^L - 2 remaining possible MACs, and so on. Advantageously, information denoted the "salt" S, such as the time at which the message is sent or a sequence number, is used to tie the manner in which the message bits are distributed to information specific to the particular message. This is analogous to the requirement that a stream cipher never produce the same output stream for two different messages or for two different sections of a single message.
Accordingly, the bits of the original message M must be distributed within the larger "message" in a manner that is unpredictable to an attacker and that does not help the attacker discover information about the shared key K. Thus, in the embodiment described with reference to Fig. 3, uniformly distributed PRNs are generated to control the distribution of the message bits within the larger message. The uniformly distributed PRNs are advantageously derived from the shared key K and the salt S in a manner that is unpredictable to an attacker.
In an exemplary embodiment, the output of a stream cipher known as SOBER is used as the source of PRNs. The SOBER stream cipher is described in U.S. Application No. 09/246,366, filed February 8, 1999, entitled "Method and Apparatus for Generating Encryption Stream Ciphers" and assigned to the assignee of the present invention. A stream cipher is a pseudorandomly generated bit stream that is XORed bit by bit with each bit of the message to be sent, thereby producing an encrypted message; upon receipt, the encrypted message is XORed with the same stream to recover the original message. In alternate embodiments, other forms of PRN generator may be substituted for the stream cipher. In particular, a PRN generator that provides less security than a stream cipher may be used in place of the stream cipher.
In one embodiment, as illustrated in Fig. 4, the bits of the message M 300 are distributed under the control of a keyed PRN generator (not shown) by starting at some offset in the larger message 302 and placing the bits in order, skipping an unpredictable number of positions in the larger message 302 between each pair of bits. When, or if, the end of the larger message 302 is encountered, the distribution position wraps around to the beginning of the larger message 302. The maximum number of positions skipped between bits in the larger message 302 is advantageously chosen so that the distribution position does not wrap around completely, i.e., never reaches or passes the starting position in the larger message 302. This ensures that no two bits of the message M 300 are assigned to the same position in the larger message 302; if two bits were assigned to the same position in the larger message 302, changes to both bits would cancel each other out and go undetected. Because the worst case, in which every gap between assigned bits is of maximum length, must be accommodated, the maximum gap length must be limited. The mean gap length, however, is only half the maximum gap length. Hence, on average, the message bits are distributed over only half of the larger message. This distribution technique advantageously provides ample security and is relatively easy to implement.
In another embodiment, the message bits 300 are distributed by dividing the larger message 302 into blocks of approximately equal size, starting at a random offset and wrapping around, and placing one bit at a random position within each block. This distribution technique has the desirable property that the resulting bits are spread throughout the entire larger message.
The bits of the larger message 302 are provided to a CRC generator 304, which computes the CRC of the bits it receives. The CRC bits 306 serve as the MAC 306 of the message M 300. It should be noted that, as shown in the other embodiment described below with reference to Fig. 6, the larger message 302 need not actually be produced in order to obtain the desired effect.
In an exemplary embodiment, the length L_m of the CRC/MAC is 16. The longest message to which the error detection guarantee applies is 2^16 bits, including the CRC itself. (If the generator polynomial of the CRC is a primitive polynomial multiplied by (1 - x), the maximum message length is 2^15 - 1.) The length L_M of the input message M 300 is advantageously kept smaller than 2^15 - 16. In accordance with the second embodiment described above, in which the larger message 302 is divided into blocks of approximately equal size, the length L_M of the input message M 300 is advantageously limited to less than half of 2^15 - 16. In accordance with the first embodiment described above, in which positions are skipped in the larger message 302, the length L_M of the input message M 300 is advantageously limited to less than one quarter of 2^15 - 16.
Once the first bit of the message M 300 has been placed, the remaining L_M - 1 bits are placed in the remaining 2^15 - 17 positions. If the length L_M of the input message M is 1520, the maximum distribution interval or block size is the largest integer less than 32751/1519, i.e., 21. However, the PRN generator may be regarded as producing a bit stream. Accordingly, it may advantageously be more efficient to use a power of 2 rather than 21. If a power of 2 is used as the maximum distribution interval or block size, a random number in the range 0 to 15 can be produced by taking 4 bits of output from the PRN generator. These random numbers are then advantageously adjusted into the range 5 to 20. Those skilled in the art will appreciate that the average interval between bits, or block size, must be at least 2. Hence the optimum values for the interval or block size are powers of 2 between 2^2 and 2^4. The placement of each bit of the message M 300 thus requires two to four bits of PRN output.
As described below, even when the unpredictability of the bit positions is limited by accepting less PRN generator output, it may be useful to spread the bits out more widely. A minimum spread or minimum block size, whether fixed or variable, may be used.
In another embodiment, the message bits are distributed by using a keyed permutation function, such as a block cipher, to derive new bit positions from the original bit positions. In a particular embodiment, a block cipher with a block size of 14 bits is combined with a random offset position in the larger message 302. It should be noted that the need to use a different permutation for each message requires that the block cipher be used with a different key for each message 300. Although this is possible in theory, it is inefficient in practice.
In one embodiment, as illustrated in Fig. 5, the CRC generator 400 is implemented as a register comprising sixteen storage elements 402a-h (for simplicity, only some of the storage elements 402 are labelled in the figure), three modulo-2 adders 404, 406, 408 and three switches 410, 412, 414. In an alternate embodiment, as described above with reference to Fig. 2, the CRC generator is implemented with a microprocessor running a set of software instructions and accessing a look-up table (LUT); the set of software instructions is advantageously held in RAM memory, and the look-up table in ROM memory or flash memory.
In the CRC generator 400, the input message bits are provided to switch 410, which is set either to receive the input message bits or to receive the digital value 1. Switch 412 is set either to receive the digital value 0 or to receive a value from modulo-2 adder 408. Switch 414 is set either to receive a value from switch 410 or to receive a value from switch 412 and modulo-2 adder 408; the CRC output is taken from switch 414. Modulo-2 adder 404 is located between the fifth storage element 402c and the sixth storage element 402d. Modulo-2 adder 406 is located between the twelfth storage element 402e and the thirteenth storage element 402f. Modulo-2 adder 408 is located after the sixteenth storage element 402h and is configured to receive a value from switch 410. The generator polynomial g(x) of the CRC, which is defined by the placement of the modulo-2 adders 404, 406, 408, is x^16 + x^12 + x^5 + 1.
In operation, the switches 410, 412, 414 are initially set in the "up" position (as shown in the drawing). The register is clocked k times, where k is defined as the length of the input message plus 8. The register is a shift register, so that with each clock cycle the contents of the storage elements shift one position to the right (as shown in the drawing). The switches 410, 412, 414 are then set to the "down" position (as shown in the drawing). The register is then clocked an additional 16 times. The 16 additional output bits constitute the CRC field of the message; these bits are transmitted in the order in which they appear at the output of the CRC generator 400.
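The register of Fig. 5, simulated element by element so that the two switch phases and the three adders can be followed. This is an added example, not the patent's or Qualcomm's code. Its assumptions: `state[0]` is the storage element next to the input and `state[15]` the sixteenth; modulo-2 adder 408 forms the XOR of the sixteenth element's output and the input bit, and switch 412 in the "down" position replaces that feedback with 0; the first phase clocks exactly the message bits (the text's "length plus 8" is not modelled); the CRC field is read sixteenth element first and treated as the most significant bit.

```python
# Bit-serial CRC register of Fig. 5: sixteen storage elements, adders before the 6th and
# 13th elements and after the 16th, giving g(x) = x^16 + x^12 + x^5 + 1.
TAPS = (5, 12)          # adders 404 and 406: feedback enters before elements 6 and 13
N_ELEMENTS = 16


def clock_once(state, in_bit, feedback_on):
    """One clock cycle of the register. Returns (new state, bit leaving the 16th element)."""
    out = state[15]
    fb = (out ^ in_bit) if feedback_on else 0    # adder 408 via switch 412 ('down' gives 0)
    new = [fb] + state[:-1]                      # shift right; feedback enters element 1
    for t in TAPS:
        new[t] ^= fb                             # adders 404 and 406
    return new, out


def crc_register(message_bits):
    """Switches 'up': clock the message in. Switches 'down': 16 more clocks with the
    feedback path opened; the bits leaving the register are the CRC field (MAC)."""
    state = [0] * N_ELEMENTS
    for b in message_bits:
        state, _ = clock_once(state, b, True)
    crc = 0
    for _ in range(N_ELEMENTS):
        state, out = clock_once(state, 0, False)
        crc = (crc << 1) | out                   # 16th element leaves first: most significant bit
    return crc


def bytes_to_bits(data):
    """Most significant bit of each byte first, the order a serial link would clock it."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit lists (used to show the register is linear)."""
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    print(hex(crc_register(bytes_to_bits(b"123456789"))))   # constructed input
```

Clocking the ASCII bytes "123456789" through this register gives 0x31C3, the published check value of the 16-bit CRC with this polynomial and a zero initial state (CRC-16/XMODEM), which confirms that the adder placement in the figure really is g(x). A single 1 followed by j zeros leaves the register holding x^{16+j} mod g(x) (0x1021, 0x2042, 0x1231 for j = 0, 1, 4), which is how the per-bit remainders of the abstract relate to the hardware; and because the register is linear, the CRC of the XOR of two equal-length bit strings is the XOR of their CRCs, the property the text relies on when it says a change that is a multiple of the polynomial leaves the MAC unchanged.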
The input message bits form the "big message", and the CRC field of this big message serves as the MAC of message M. The MAC thereby advantageously inherits the security benefits built into a CRC. Because the computed MAC is in fact a CRC, the error-detection guarantees that apply to a CRC also apply to the MAC, with the exception of the "burst error" guarantee. The burst-error guarantee is lost because the bits are separated during the computation and therefore no longer form a contiguous "burst".
There are basically two kinds of attacks on a MAC. The first kind is theft of service: the attacker, after observing other valid messages, attempts to produce a message with a valid MAC. Alternatively, the attacker attempts to deduce the key K, which would allow the attacker to produce forged messages at will. The second kind of attack on a MAC is message selection: the attacker attempts to craft a particular message and, for some reason, have the system compute a valid MAC for it, hoping thereby to recover the key K.
An attacker who wishes to make only a single-bit change to a message carrying a valid MAC then needs to be able to compute the corresponding change to the CRC; this in turn requires the ability to predict the position of that bit in the extended message. Since there are only 2^(L-1) possible positions, the attacker can do only slightly better than guessing the MAC.
One possible attack on a MAC of either kind is the so-called chosen-plaintext attack. In this type of attack the attacker can somehow arrange for a message to be sent accompanied by a valid MAC, such that the message has content chosen by the attacker. For example, the attacker may send e-mail to the recipient, and the e-mail is eventually transmitted over the transmission channel with a valid MAC computed and appended; the attacker can thus cause a message consisting of a single "1" bit followed by all "0" bits to be sent. By observing the computed CRC, the attacker can calculate the position of that original bit and hence some of the output of the PRN generator. This is undesirable because it can lead to a method of predicting subsequent output. Accordingly, in one embodiment, another bit of the big message is set to 1. This other bit is chosen at a random position.
The attacker may alternatively send a message consisting entirely of zeros. The observed CRC then gives the attacker L_m bits of the output of the PRN generator; given this exposure, the PRN generator must be secure enough to prevent recovery of the key information K.
If the attacker attempts to make a multi-bit change to the message, then in addition to predicting the original positions of those bits the attacker must also determine their relative offsets. This makes the probability of success smaller than when only a single bit is changed.
Another kind of modification attack is also possible. If the attacker can make a change such that the change expands into a pattern that is a multiple of the CRC polynomial, the computed MAC will be unaffected. This effectively defeats the unpredictability of the original positions. If it is advantageous to use a small number of stream-cipher bits, it is useful to choose the expansion with this particular CRC polynomial in mind, so that an attack of this type is impossible for small multiples of the polynomial and statistically difficult for large multiples of the polynomial.
In one embodiment, the CRC calculation is performed on the "big message" to produce the MAC of the input message M without actually producing the big message. For each bit of the input message M that would be distributed into this imaginary "big message", the remainder of the polynomial X^i modulo P must be computed, where i is the precomputed position of that message bit in the big message. Because the CRC is linear, if that particular bit of the message is a 1, the remainder can be combined by polynomial addition, that is, by an exclusive-OR (XOR) operation onto the existing CRC. The CRC of an all-zero message is zero, so by applying the XOR polynomial-addition technique to each bit of the input message M in turn, and by performing only L_M such calculations, the CRC can be computed without ever producing the big message. Similarly, choosing a random starting CRC is equivalent to computing the CRC of an input message with an extra nonzero bit as the initial seed.
X^i mod P can be computed in several ways, where i (assuming L_m is 16) lies in the range 0 to 32767. In one embodiment, a pair of look-up tables (LUTs) is used. Note that a LUT giving the CRC for each possible value of i in the equation above would suffice, but it would require 2^16 16-bit entries. Instead, i is advantageously expressed in the form 256·hi + lo, where hi and lo are respectively the high-order 8 bits and the low-order 8 bits of i. Two LUTs are precomputed, giving the CRC results X^(256·hi) mod P and X^lo mod P respectively; computing the CRC is then equivalent to XORing each entry of the first LUT with the corresponding entry of the second LUT. Accordingly, only two LUTs are needed, each with 256 16-bit entries, and two table look-ups are performed for each nonzero bit of the input message M to compute the CRC.
When the bits are distributed across the big message, hi changes slowly, so repeated look-ups of the same value cancel each other out; noting this is also useful in a software implementation. Only whether each value of hi has been used an odd number of times has any real effect.
In one embodiment, following the algorithm steps shown in the flow chart of Fig. 6, the PRN generator produces the MAC of the input message M as the CRC of an imaginary "big message" without producing that big message. In this embodiment, L_m is 16 and L_M is 1520. The CRC polynomial P is the 16-bit CRC-CCITT polynomial P(X) = X^16 + X^12 + X^5 + 1. Those skilled in the art will understand that the specific LUTs used to look up CRC values can easily be computed. The notation R_n, where n is an integer, is used hereinafter to denote taking the next n bits of the output of the PRN generator (not shown). In this embodiment a fixed minimum spacing of 5 is used, and 3 bits of PRN output are used, so that the uniformly distributed spacing between bits is 5 to 12. The variable C denotes the accumulator for the final output MAC. The variable K denotes the bit position in the "big message" where the next bit is placed. The variable i denotes the bit position within the input message M.
In step 500, the generator sets C equal to R_16, which is equivalent to selecting a random bit position that will be set to 1. The next 16 bits of generator output form this CRC. The generator then proceeds to step 502. In step 502, the generator sets K equal to R_15 modulo 32751, which is in fact the first bit position of the input message M to be distributed. The generator then proceeds to step 504. In step 504, the generator sets i equal to zero. The generator then proceeds to step 506.
In step 506, the generator determines whether bit M[i] (the input message bit currently being distributed) is set to 1. If bit M[i] is not set to 1, the generator proceeds to step 508. If, on the other hand, bit M[i] is set to 1, the generator proceeds to step 510. In step 510, the generator computes X^K modulo P and, following the polynomial-addition technique described above, performs a bitwise XOR of C with X^K modulo P. The new value of C is set equal to the bits produced by the XOR. The generator then proceeds to step 508.
In step 508, the generator computes the sum of K, 5 and R_3 (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to the position assigned to the next bit of the input message. This calculation is performed after the current bit M[i] has been distributed in step 510. The generator then proceeds to step 512. In step 512, the generator increments i by 1. The generator then proceeds to step 514. In step 514, the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator returns to step 506 to process the next input message bit M[i]. If, on the other hand, i is greater than 1519, the generator proceeds to step 516. In step 516, the generator returns C as the MAC for the input message.
In an alternative embodiment, the calculation performed in step 508 is the sum of K, 10 and R_4 (the next 4 bits of generator output), modulo 65521. The result is again set equal to K. In this embodiment, in step 502 the generator sets K equal to R_16 modulo 65521. A primitive polynomial usable in this embodiment is x^16 + x^14 + x^12 + x^7 + x^6 + x^5 + x^2 + x + 1.
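As an added worked example (not code from the patent), the following Python implements the Fig. 6 procedure (steps 500 to 516) with L_m = 16, L_M = 1520, P = x^16 + x^12 + x^5 + 1 and K reduced modulo 32751. The page does not specify the PRN generator, so an HMAC-SHA256 counter stream stands in for it (an assumption), and x^K mod P is computed directly by GF(2) square-and-multiply rather than by the page's look-up tables; a check then builds the big message explicitly and confirms that the shortcut equals its CRC, as the linearity argument predicts.

```python
import hashlib
import hmac

P = 0x11021      # CRC-CCITT polynomial x^16 + x^12 + x^5 + 1 (the page's P)
BIG_LEN = 32751  # K is reduced modulo 32751 in steps 502 and 508
MSG_LEN = 1520   # L_M, the input message length in bits
MIN_GAP = 5      # fixed minimum spacing; R_3 adds 0..7, so gaps are 5..12


def gf2_mulmod(a, b, poly=P):
    """Multiply a and b as GF(2) polynomials, reducing modulo poly; a must be below 2^16."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10000:
            a ^= poly
    return r


def x_pow_mod(k, poly=P):
    """x^k mod poly by square-and-multiply: the CRC contribution of one 1 bit at position k."""
    result, base = 1, 2  # the polynomials 1 and x
    while k:
        if k & 1:
            result = gf2_mulmod(result, base, poly)
        base = gf2_mulmod(base, base, poly)
        k >>= 1
    return result


def crc_of_bits(bits, poly=P):
    """Remainder of sum(bits[i] * x^i) mod poly by long division from the top bit down."""
    r = 0
    for b in reversed(bits):
        r = (r << 1) | b
        if r & 0x10000:
            r ^= poly
    return r


class PrnBits:
    """Stand-in for the page's unspecified key-dependent PRN generator (an assumption):
    HMAC-SHA256(key, counter) blocks consumed MSB-first; next_bits(n) is the page's R_n."""

    def __init__(self, key):
        self.key, self.counter, self.buf, self.nbits = key, 0, 0, 0

    def next_bits(self, n):
        while self.nbits < n:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
            self.buf = (self.buf << 256) | int.from_bytes(block, "big")
            self.nbits += 256
        self.nbits -= n
        value = self.buf >> self.nbits
        self.buf &= (1 << self.nbits) - 1
        return value


def fig6_mac(msg_bits, key):
    """Fig. 6, steps 500 to 516. Returns (mac, c0, positions): c0 is the random start CRC
    R_16 and positions[i] is the big-message position given to M[i], kept for checking."""
    prn = PrnBits(key)
    c0 = c = prn.next_bits(16)                        # step 500: C = R_16
    k = prn.next_bits(15) % BIG_LEN                   # step 502: K = R_15 mod 32751
    positions = []
    for i in range(MSG_LEN):                          # steps 504, 512, 514: i = 0..1519
        positions.append(k)
        if msg_bits[i]:                               # steps 506, 510: C ^= x^K mod P
            c ^= x_pow_mod(k)
        k = (k + MIN_GAP + prn.next_bits(3)) % BIG_LEN  # step 508: K = K + 5 + R_3 mod 32751
    return c, c0, positions                           # step 516: C is the MAC


def matches_explicit_big_message(msg_bits, key):
    """Builds the big message the shortcut only imagines and checks MAC == c0 XOR its CRC,
    which is what the linearity argument predicts; an all-zero message returns c0 itself."""
    mac, c0, positions = fig6_mac(msg_bits, key)
    big = [0] * BIG_LEN
    for i, pos in enumerate(positions):
        big[pos] ^= msg_bits[i]
    return mac == (c0 ^ crc_of_bits(big))


# Constructed demo inputs, not values from the page.
KEY = b"constructed-demo-key"
SAMPLE_MSG = [1 if (i * 37) % 11 < 5 else 0 for i in range(MSG_LEN)]
```

Running `fig6_mac([0] * MSG_LEN, KEY)` returns a MAC equal to c0, which is the all-zero-message exposure of R_16 discussed above.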
In another embodiment, following the algorithm steps shown in the flow chart of Fig. 7, the PRN generator produces the MAC of the input message M as the CRC of an imaginary "big message" without producing that big message. In this embodiment, L_m is 16 and L_M is 1520. The CRC polynomial P is the 16-bit CRC-CCITT polynomial P(x) = x^16 + x^12 + x^5 + 1. Those skilled in the art will understand that the specific LUTs used to look up CRC values can easily be computed. The notation R_n, where n is an integer, is used hereinafter to denote taking the next n bits of the output of the PRN generator (not shown). In this embodiment a fixed minimum spacing of 5 is used, and 3 bits of PRN output are used, so that the uniformly distributed spacing between bits is 5 to 12. The variable C denotes the accumulator for the final output MAC. The variable K denotes the bit position in the "big message" where the next bit is placed. The variable i denotes the bit position within the input message M.
In step 600, the generator sets C equal to R_16, which is equivalent to selecting a random bit position that will be set to 1. The next 16 bits of generator output form this CRC. The generator then proceeds to step 602. In step 602, the generator sets K equal to R_15 modulo 32751, which is in fact the first bit position of the input message M to be distributed. The generator then proceeds to step 604. In step 604, the generator sets i equal to zero. The generator then proceeds to step 606.
In step 606, the generator determines whether bit M[i] (the input message bit currently being distributed) is set to 1. If bit M[i] is not set to 1, the generator proceeds to step 608. If, on the other hand, bit M[i] is set to 1, the generator proceeds to step 610. In step 610, the generator computes x^K modulo P and, following the polynomial-addition technique described above, performs a bitwise XOR of C with x^K modulo P. The new value of C is set equal to the bits produced by the XOR. The generator then proceeds to step 608.
In step 608, the generator increments i by 1. The generator then proceeds to step 612. In step 612, the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator proceeds to step 614. If, on the other hand, i is greater than 1519, the generator proceeds to step 616. In step 616, the generator returns the value of C as the MAC of the input message. In step 614, the generator computes the sum of K, 5 and R_3 (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to the position assigned to the next bit of the input message. This calculation is performed only when a new bit is about to be distributed, for that new bit. After performing the calculation of step 614, the generator returns to step 606 to process the next input message bit M[i].
In an alternative embodiment, the calculation performed in step 608 is the sum of K, 10 and R_4 (the next 4 bits of generator output), modulo 65521. The result is again set equal to K. In this embodiment, in step 602 the generator sets K equal to R_16 modulo 65521. A primitive polynomial usable in this embodiment is x^16 + x^14 + x^12 + x^7 + x^6 + x^5 + x^2 + x + 1.
A novel method and apparatus for producing a MAC has thus been described. Those skilled in the art will understand that the various illustrative logical blocks and algorithm steps described in connection with the embodiments disclosed herein may be implemented or performed with a digital signal processor (DSP), an application-specific integrated circuit (ASIC), discrete gate or transistor logic, discrete hardware components such as registers and FIFOs, a processor executing a set of firmware instructions, or any conventional programmable software module together with a processor. The processor may advantageously be a microprocessor, but alternatively the processor may be any conventional processor, controller, microcontroller or state machine. The software module may reside in RAM memory, flash memory, registers or any other form of writable storage medium known in the art. Those skilled in the art will further appreciate that the data, instructions, commands, information, signals, bits, symbols and chips referenced throughout the above description may advantageously be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Preferred embodiments of the present invention have thus been illustrated and described. It will be evident to those of ordinary skill in the art, however, that many changes may be made to the embodiments disclosed herein without departing from the spirit or scope of the invention. Therefore, the present invention is not to be limited except in accordance with the following claims.

Claims (29)

1. A method of generating a message authentication code, characterized in that it comprises the steps of:
pseudorandomly assigning a first plurality of message bits to a second plurality of bit positions in a key-dependent manner;
generating a third plurality of bits comprising a cyclic redundancy check of the second plurality of bits; and
transmitting the first plurality of message bits and a message authentication code comprising the third plurality of bits.
2. The method of claim 1, characterized in that the generating step is performed with a microprocessor, a look-up table accessible by the microprocessor, and a set of software instructions executable by the microprocessor.
3. The method of claim 1, characterized in that the generating step is performed with a shift register.
4. The method of claim 1, characterized in that the pseudorandom assigning step comprises the steps of:
placing the first bit of the first plurality of bits in an offset bit position of the second plurality of bit positions; and
skipping an unpredictable number of bit positions of the second plurality from the offset bit position.
5. The method of claim 4, further comprising the step of placing the next bit of the first plurality of bits in the starting bit position of the second plurality.
6. The method of claim 4, further comprising the step of determining a maximum number of bit positions to skip so that the skipping step does not reach or pass the starting bit position of the second plurality.
7. The method of claim 4, characterized in that the number of bit positions skipped in the skipping step is a power of 2 from 4 to 16, inclusive.
8. The method of claim 1, characterized in that the pseudorandom assigning step comprises the steps of:
dividing the second plurality of bit positions into blocks of roughly uniform block size; and
placing the first plurality of bits at random bit positions within the blocks, one bit in each block.
9. The method of claim 8, characterized in that the uniform block size is a power of 2 from 4 to 16, inclusive.
10. The method of claim 1, characterized in that the pseudorandom assigning step comprises the step of deriving, with a keyed permutation function, a new bit position in the second plurality of bit positions from the starting bit position of the first plurality.
11. The method of claim 1, characterized in that the pseudorandom assigning step comprises the steps of:
computing the remainder of the polynomial x^i modulo P, where i is an intended bit position in the second plurality of bit positions and P is the CRC polynomial from which the third plurality of bits is derived; and
for each bit of the first plurality equal to 1, performing a bitwise exclusive-OR of the third plurality of bits with the computed remainder.
12. A generator configured to generate a message authentication code, comprising:
means for pseudorandomly assigning a first plurality of message bits to a second plurality of bit positions in a key-dependent manner;
means for generating a third plurality of bits comprising a cyclic redundancy check of the second plurality of bits; and
means for transmitting the first plurality of message bits and a message authentication code comprising the third plurality of bits.
13. The generator of claim 12, characterized in that the generating means comprises a microprocessor, a look-up table accessible by the microprocessor, and a set of software instructions executable by the microprocessor.
14. The generator of claim 12, characterized in that the generating means comprises a shift register.
15. The generator of claim 12, characterized in that the pseudorandom assigning means comprises:
means for placing the first bit of the first plurality of bits in an offset bit position of the second plurality of bit positions; and
means for skipping an unpredictable number of bit positions of the second plurality from the offset bit position.
16. The generator of claim 15, further comprising means for placing the next bit of the first plurality of bits in the starting bit position of the third plurality.
17. The generator of claim 15, further comprising means for determining a maximum number of bit positions to skip so as not to reach or pass the starting bit position of the second plurality.
18. The generator of claim 15, characterized in that the number of bit positions skipped is a power of 2 from 4 to 16, inclusive.
19. The generator of claim 12, characterized in that the pseudorandom assigning means comprises:
means for dividing the second plurality of bit positions into blocks of roughly uniform block size; and
means for placing the first plurality of bits at random bit positions within the blocks, inserting one bit in each block.
20. The generator of claim 19, characterized in that the uniform block size is a power of 2 from 4 to 16, inclusive.
21. The generator of claim 12, characterized in that the pseudorandom assigning means comprises means for deriving, with a keyed permutation function, a new bit position in the second plurality of bit positions from the starting bit position of the first plurality.
22. The generator of claim 12, characterized in that the pseudorandom assigning means comprises:
means for computing the remainder of the polynomial x^i modulo P, where i is an intended bit position in the second plurality of bit positions and P is the cyclic redundancy check polynomial from which the third plurality of bits is derived; and
means for performing, for each bit of the first plurality equal to 1, a bitwise exclusive-OR of the third plurality of bits with the computed remainder.
23. A generator configured to generate a message authentication code, characterized in that it comprises:
a processor configured to pseudorandomly assign a first plurality of message bits to a second plurality of bit positions in a key-dependent manner;
a generator coupled to the processor and configured to generate a third plurality of bits comprising the CRC of the second plurality of bits; and
a transmitter coupled to the generator and configured to transmit the first plurality of message bits and a message authentication code comprising the third plurality of bits.
24. The generator of claim 23, characterized in that the generator comprises a look-up table accessible by the microprocessor, and a set of software instructions stored in a memory component and executable by the microprocessor.
25. The generator of claim 23, characterized in that the generator comprises a shift register.
26. The generator of claim 23, wherein the processor is further configured to place the first bit of the first plurality of bits in an offset bit position of the second plurality of bit positions and to skip an unpredictable number of bit positions of the second plurality from the offset bit position.
27. The generator of claim 26, characterized in that the processor is further configured to place the next bit of the first plurality of bits in the starting bit position of the second plurality.
28. The generator of claim 23, characterized in that the processor is further configured to divide the second plurality of bit positions into blocks of roughly uniform block size and to place the first plurality of bits at random bit positions within the blocks, inserting one bit in each block.
29. The generator of claim 23, characterized in that the processor comprises a calculator and a polynomial adder, the calculator being configured to compute the remainder of the polynomial x^i modulo P, where i is an intended bit position in the second plurality of bit positions and P is the cyclic redundancy check polynomial from which the third plurality of bits is derived, and the polynomial adder being configured to perform, for each bit of the first plurality equal to 1, a bitwise exclusive-OR of the third plurality of bits with the computed remainder.
CNB008114854A 1999-08-09 2000-08-07 Method and apparatus for generating message authantion code Expired - Fee Related CN1163018C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US37114799A 1999-08-09 1999-08-09
US09/371,147 1999-08-09

Publications (2)

Publication Number Publication Date
CN1369157A true CN1369157A (en) 2002-09-11
CN1163018C CN1163018C (en) 2004-08-18

Family

ID=23462682

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB008114854A Expired - Fee Related CN1163018C (en) 1999-08-09 2000-08-07 Method and apparatus for generating message authantion code

Country Status (7)

Country Link
EP (1) EP1210790A2 (en)
JP (1) JP2003506750A (en)
KR (1) KR20020026370A (en)
CN (1) CN1163018C (en)
AU (1) AU6625000A (en)
HK (1) HK1046795B (en)
WO (1) WO2001011818A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104463007A (en) * 2013-09-22 2015-03-25 华邦电子股份有限公司 Data authentication method and apparatus thereof

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2808948B1 (en) * 2000-05-12 2006-03-03 Ibm Corp Internat Business Mac SYSTEM AND METHOD FOR SINGLE AUTHENTICATION EACH REPRODUCTION OF A GROUP OF ELECTRONIC DOCUMENTS
FR2839594B1 (en) * 2002-05-10 2004-07-30 Radio Systemes Ingenierie SECURE RADIO FREQUENCY TRANSMISSION METHOD AND SYSTEM USING THE SAME
US7702910B2 (en) 2002-10-24 2010-04-20 Telefonaktiebolaget L M Ericsson (Publ) Message authentication
US7103754B2 (en) 2003-03-28 2006-09-05 International Business Machines Corporation Computer instructions for having extended signed displacement fields for finding instruction operands
DE602004011501T2 (en) 2003-05-07 2008-05-21 Matsushita Electric Industrial Co., Ltd., Kadoma SEND RECEIVING SYSTEM WITH MESSAGE AUTHENTICATION CODE
US7356710B2 (en) 2003-05-12 2008-04-08 International Business Machines Corporation Security message authentication control instruction
US7159122B2 (en) 2003-05-12 2007-01-02 International Business Machines Corporation Message digest instructions
US7257718B2 (en) 2003-05-12 2007-08-14 International Business Machines Corporation Cipher message assist instructions
JP2008532410A (en) 2005-03-01 2008-08-14 エヌエックスピー ビー ヴィ Generator for generating message authentication code, generation method, program element and computer-readable medium
WO2008034998A1 (en) * 2006-09-18 2008-03-27 France Telecom Improvement of the resistance to cryptanalytic attacks of a hash function

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5646997A (en) * 1994-12-14 1997-07-08 Barton; James M. Method and apparatus for embedding authentication information within digital data
EP0805575A3 (en) * 1996-05-03 2002-03-06 Texas Instruments Deutschland Gmbh Transponder

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104463007A (en) * 2013-09-22 2015-03-25 华邦电子股份有限公司 Data authentication method and apparatus thereof
CN104463007B (en) * 2013-09-22 2018-10-16 华邦电子股份有限公司 Data verification method and its device

Also Published As

Publication number Publication date
CN1163018C (en) 2004-08-18
EP1210790A2 (en) 2002-06-05
KR20020026370A (en) 2002-04-09
WO2001011818A2 (en) 2001-02-15
HK1046795B (en) 2005-04-22
AU6625000A (en) 2001-03-05
JP2003506750A (en) 2003-02-18
HK1046795A1 (en) 2003-01-24
WO2001011818A3 (en) 2001-06-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: GR
Ref document number: 1046795
Country of ref document: HK
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20040818
Termination date: 20110807