Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 111(d) of the Federal Property and Administrative Services Act of 1949, as amended by the Computer Security Act of 1987, Public Law 100-235.

Name of Standard: Standard on Computer Data Authentication (FIPS PUB 113).

Category of Standard: ADP Operations, Computer Security.

Explanation: This standard specifies a Data Authentication Algorithm (DAA) which may be used to detect unauthorized modifications, both intentional and accidental, to data, The standard is based on the algorithm specified in the Data Encryption Standard (DES) Federal Information Processing Standards Publication (FIPS PUB) 46, and is compatible with both the Department of the Treasury's Electronic Funds and Security Transfer Policy and the American National Standards Institute (ANSI) Standard for Financial Institution Message Authentication (see cross index). The Message Authentication Code (MAC) as specified in ANSI X9.9 is computed in the same manner as the Data Authentication Code (DAC) specified in this standard. Similarly, the Data Identifier (DID) specified in this standard is sometimes referred to as a Message Identifier (MID) in standards related to message communications. The example given in Appendix 2 may be used when validating implementations of this standard.

Approving Authority: Secretary of Commerce.

Maintenance Agency: U.S. Department of Commerce, National Institute of Standards and Technology, Computer Systems Laboratory.

ANSI X9.9-1982, American National Standard for Financial Institution Message Authentication, April 13, 1982.

ANSI X9. 17-1985, American National Standard for Financial Institution Key Management (wholesale), April 4, 1985. Department of the Treasury Directives Manual, Electronic Funds and Securities Transfer Policy, Chapter TD 81, Section 80, August 16, 1984.

FIPS PUB 1-2, Code for Information Interchange, Its Representations, Subsets, and Extensions November 14, 1984.

FIPS PUB 46, Data Encryption Standard, January 15, 1977.

FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption Standard April 1, 1981.

FIPS PUB 81, DES Modes of Operation. December 2, 1980.

Federal Standard 1026, Telecommunications' Interoperability and Security Requirements for Use of the Data Encryption Standard in the Physical and Data Link Layers of Data Communications, August 3, 1983.

Federal Standard 1027, Telecommunications' General Security Requirements for Equipment Using the Data Encryption Standard. April 14, 1982.

Applicability: This standard shall be used by Federal organizations whenever the person responsible for the security of any computer system or data determines that cryptographic authentication is needed for the detection of intentional modifications of data, unless the data is classified according to the National Security Act of 1947, as amended, or the Atomic' Energy Act of 1954, as amended. Equipments approved for the cryptographic authentication of classified data may be used in lieu of equipments meeting this standard. In all cases, the authorized agency official shall determine that any alternative cryptographic authentication system performs at least as well as those specified in this standard. Use of this standard is also encouraged in private sector applications of cryptographic authentication for data integrity.

Implementation: The DAA may be implemented in hardware, firmware, software, or any combination thereof.

Implementation Schedule: This standard becomes effective November 30, 1985.

Export Control: Cryptographic devices and technical data regarding them are subject to Federal government export controls either as specified in Title 22, Code of Federal Regulations, Parts !21 through 128, or in Title 15, Code of~Federal Regulations, Parts 368 through 399. as applicable. Any exports of cryptographic devices implementing this standard and technical data regarding them must comply with these Federal regulations.

Patents: Cryptographic equipment implementing this standard may be covered by U.S. and foreign patents.

Specifications: Federal Information Processing Standard 113 (FIPS 113), Computer Data Authentication (affixed).

Waivers: Heads of agencies may request that the requirements of this standard be waived in instances where it can be clearly demonstrated that there are appreciable performance or cost advantages to be gained and when the overall interests of the Federal Government are best served by granting the requested waiver. Such waiver requests will be reviewed by and are subject to the approval of the Secretary of Commerce. The waiver request must specify anticipated performance and cost advantages in the justification for the waiver.

Forty-five days should be allowed for review and response by the Secretary of Commerce. Waiver requests shall be submitted to the Secretary of Commerce, Washington, DC 20230, and labeled as a Request for a Waiver to Federal Information Processing Standard Publication 113. No agency shall take any action to deviate from the standard prior to the receipt of a waiver approval from the Secretary of Commerce.

Where to Obtain Copies: Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 113 (FIPSPUB113), and title. When microfiche is desired, this should be specified. Payment may be made by check, money order, credit card, or deposit account.

In automated data processing systems it is often not possible for humans to scan data to determine if it has been modified. Examination may be too time consuming for the vast quantities of data involved in modern data processing applications, or the data may have insufficient redundancy for error detection. Even if human scanning were possible, the data could have been modified in such a manner that it would be very difficult for the human to detect the modification. For example, "do" may have been changed to "do not" or $1,000 may have been changed to $3 ,000. Without additional information the human scanner could easily accept the altered data as being authentic. These threats may still exist even when data encryption is used. It is therefore desirable to have an automated means of detecting both intentional and unintentional modifications to data. Ordinary error detecting codes are not adequate because, if the algorithm for generating the code is known, an adversary could generate the correct code after modifying the data. Intentional modification is undetectable with such codes. However, a cryptographic Data Authentication Algorithm (DAA) can protect against both accidental and intentional, but unauthorized, data modification.

A Data Authentication Code (DAC) is generated by applying the DAA to data as described in the following section. The DAC, which is a mathematical function of both the data and a cryptographic key, may then be stored, or transmitted, with the dab When the integrity of the data is to be verified, the DAC is generated on the current data and compared with the previously generated DAC. If the two values are equal, the integrity (i.e., authenticity) of the data is verified.
The DAA detects data modifications which occur between the initial generation of the DAC and the validation of the received DAC. It does not detect errors which occur before the DAC is originally generated.

The Data Authentication Algorithm (DAA) makes use of the Data Encryption Standard (DES) cryptographic algorithm specified in FIPS PUB 46. The DES algorithm transforms (or encrypts) 64-bit input vectors to 64-bit output vectors using a cryptographic key. Let D be any 64-bit input vector and assume a key has been selected. The 64-bit vector, O, which is the output of the DES algorithm when DES is applied to D, using the enciphering operation, is represented as follows.

The data (e.g., record, file, message, or program) to be authenticated is grouped into contiguous -bit blocks: D 1, D2,.... Dn. If the number of data bits is not a multiple of 64, then the final input block will be a partial block of data, left justified. with zeroes appended to form a full 64-bit block. The calculation of the DAC is given by the following equations where G represents the Exclusive-OR of two vectors.

                                             01  = e(D1)
                                             02  = e(D2 + 01)
                                             03  = e(D3 + 02)
                                             On  = e(Dn + 0n-1)

The DAC is selected from On. Devices which Implement the DAA shall be capable of selecting the leftmost M bits of On as the DAC, where 16 < M < 64 and M is a multiple of 8. A block diagram of the DAC generation is given in Appendix 1 and an example is given in Appendix 2. The Cipher Block Chaining Mode (CBC) with Initialization Vector (IV) = 0 and the 64-bit Cipher Feedback Mode with IV = D1 and data equal to D2, D3, ..., Dn (see FIPS PUB 81) both yield the required DAC calculation.

When 7-bit ASCII (American Standard Code for Information Interchange) coded data is to be authenticated by the DAA, each character processed by the authentication algorithm shall be represented as an 8-bit byte (O, b7 b1) where (b7, b6 ..., b1) are defined by FIPS PUB 1-2, Code for Information Interchange. Its Representations, Subsets, and Extensions Thus, a message may have its parity changed without altering its DAC.

When detection of either the unauthorized deletion or the insertion of an entire authenticated data set is required, a Data Identifier (DID) must be used as part of the authenticated data The DID is a sequence number whose value can be checked whenever the data is authenticated. A gap in the DIDs indicates deletion, while a repeated DID indicates insertion.

The integrity provided by the DAA is based on the fact that it is infeasible to generate a DAC without knowing the cryptographic key. An adversary without knowledge of the key will not be able to modify data and then generate an authentic DAC on the modified data. It is therefore crucial that keys be protected so that their secrecy is preserved- Key management, involving key generation, key distribution, key storage, and key destruction, must be provided. Information pertaining to key management may be found in the American National Standard for Financial Institution Key Management (wholesale), ANSI X9. 17-1985.

                    D   = Data Block              K   = DES Key 
                    I   = Input Block             O   = Output Block 
                    DES = Dat Encryption          (+) = Exclusive- OR
                          Standard
                    

Cryptographic Key = 0123456789abcdef
The text is the ASCII code for "7654321 Now is the time for ". These 7-bit characters are written in hexadecimal notation (0.b ₇,b ₆,...b ₁).

Text =
37363534333231204e6f77206873207468652074696d6520666f7220

TIME   PLAIN TEXT         DES INPUT BLOCK     DES OUTPUT BLOCK

1    3736353433323120     3736353433323120     21fb193693a16c28

2    4e6f772068732074    6f946e16fad24c5c     6c463f0cb7167a6f

3    68652074696d6520     04231f78de7b1f4f     956ee891e889d91e

4    666f722000000000     f3019ab1e889d91e    f1d30f6849312ca4

A 23-bit DAC = f1d30f68 is selected.