I've written a simple Java Card applet to calculate the signature of input data using the ALG_DES_MAC8_NOPAD signature, as below:
    package testPrj;

    import javacard.framework.*;
    import javacard.security.*;

    public class testPrj extends Applet
    {
        private Signature sig8;
        private DESKey key8;

        public static void install(byte[] bArray, short bOffset, byte bLength)
        {
            new testPrj();
        }

        public testPrj() {
            sig8 = Signature.getInstance(Signature.ALG_DES_MAC8_NOPAD, false);
            // Transient key: its value is cleared when the applet is deselected.
            key8 = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES_TRANSIENT_DESELECT, KeyBuilder.LENGTH_DES, false);
            register();
        }

        public void process(APDU apdu)
        {
            if (selectingApplet())
                return;

            byte[] buf = apdu.getBuffer();
            switch (buf[ISO7816.OFFSET_INS])
            {
                case (byte) 0x00:
                    // Command data layout: key (8 bytes) | IV (8 bytes) | input data (8 bytes)
                    apdu.setIncomingAndReceive();
                    key8.setKey(buf, ISO7816.OFFSET_CDATA);
                    sig8.init(key8, Signature.MODE_SIGN, buf, (short) (ISO7816.OFFSET_CDATA + 8), (short) 8);
                    // Write the 8-byte MAC to the start of the APDU buffer and send it back.
                    sig8.sign(buf, (short) (ISO7816.OFFSET_CDATA + 16), (short) 8, buf, (short) 0);
                    apdu.setOutgoingAndSend((short) 0, (short) 8);
                    break;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }
    }
As you can see above, this applet supports only one APDU command. The first 8 bytes of this command are the DES key, the second 8 bytes are the IV, and the last 8 bytes are the input data whose signature we want to calculate.
Now, we can calculate the signature of 33 33 33 33 33 33 33 33 using Key = 11 11 11 11 11 11 11 11 and IV = 22 22 22 22 22 22 22 22, as below:
    // Select Applet
    Send: 00 A4 04 00 06 <Applet AID> 00
    Recv: 90 00

    // Request DES Signature
    Send: 00 00 00 00 18 11 11 11 11 11 11 11 11 22 22 22 22 22 22 22 22 33 33 33 33 33 33 33 33
    Recv: F4 03 79 AB 9E 0E C5 33 90 00 <== DES Signature + Status Words
Ok, now take a look at this picture (from an online tool):
As you may notice, the output is equal to the applet's response.
So, I conclude that the DES_MAC8 signature is equivalent to DES encryption in CBC mode.
Well, now take a look at this definition of DES-MAC quoted from the RFC:
6.4.6. DES cipher-block chained checksum (des-mac)
The DES-MAC checksum is computed by prepending an 8 octet confounder to the plaintext, performing a DES CBC-mode encryption on the result using the key and an initialization vector of zero, taking the last block of the ciphertext, prepending the same confounder and encrypting the pair using DES in cipher-block-chaining (CBC) mode using a a variant of the key, where the variant is computed by eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This checksum is tamper-proof and collision-proof.
Obviously, this definition is different from what happened in the applet/online-tool. So:
Question: Is DES-MAC different from the DES-MAC signature? Do they have different uses? In other words, does DES-MAC prove something that the DES-MAC signature can't prove (or vice versa)?
The reason for this is simple, the DES-MAC you are quoting is specific to Kerberos 5. It's not a CBC-MAC, although it does seem to use the same CBC mode.
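The difference the answer points to, as an added example that is not part of the original question or answer: desktop Java (javax.crypto, not the Java Card API) computing a plain DES CBC-MAC the way the applet trace suggests, next to des-mac built step by step from the RFC text quoted in the question. The class name, helper names and the fixed confounder value are assumptions made for this illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

public class DesMacCompare {
    // Plain DES-CBC, no padding: data length must be a multiple of 8 bytes.
    static byte[] desCbc(byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "DES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    // CBC-MAC as the applet's trace suggests: the last 8-byte block of DES-CBC.
    static byte[] cbcMac8(byte[] key, byte[] iv, byte[] data) throws Exception {
        byte[] ct = desCbc(key, iv, data);
        return Arrays.copyOfRange(ct, ct.length - 8, ct.length);
    }

    // des-mac following the RFC text quoted in the question (16-byte result).
    static byte[] kerberosDesMac(byte[] key, byte[] confounder, byte[] data) throws Exception {
        byte[] zeroIv = new byte[8];
        // Step 1: CBC-encrypt confounder || plaintext with a zero IV, keep the last block.
        byte[] last = cbcMac8(key, zeroIv, concat(confounder, data));
        // Step 2: derive the key variant by XORing every key byte with 0xF0.
        byte[] variant = key.clone();
        for (int i = 0; i < variant.length; i++) variant[i] ^= (byte) 0xF0;
        // Step 3: CBC-encrypt confounder || last block under the variant key, zero IV.
        return desCbc(variant, zeroIv, concat(confounder, last));
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    static byte[] fill(int value) { byte[] b = new byte[8]; Arrays.fill(b, (byte) value); return b; }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X ", x));
        return sb.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = fill(0x11), iv = fill(0x22), data = fill(0x33); // values from the question
        byte[] confounder = fill(0xA5); // constructed; a real confounder is random per message
        System.out.println("CBC-MAC (applet-style): " + hex(cbcMac8(key, iv, data)));
        System.out.println("Kerberos des-mac:       " + hex(kerberosDesMac(key, confounder, data)));
    }
}
```

The first line can be compared directly with the applet's response in the trace above; the second is 16 bytes and changes with the confounder, so the two constructions are not interchangeable.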