|
Abstract : |
We consider the security of two message authentication code (MAC) algorithms: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731--2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 2 67 known text-MAC pairs and time plus 2 13 chosen texts. For MAA, internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm's internal structure; the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from 2, |
