**Connected: An Internet Encyclopedia**

*6.4.6. DES cipher-block chained checksum (des-mac)*

**Up:**
Connected: An Internet Encyclopedia

**Up:**
Requests For Comments

**Up:**
RFC 1510

**Up:**
6. Encryption and Checksum Specifications

**Up:**
6.4. Checksums

**Prev:** 6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5des)

**Next:** 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative

### 6.4.6. DES cipher-block chained checksum (des-mac)

6.4.6. DES cipher-block chained checksum (des-mac)
The DES-MAC checksum is computed by prepending an 8 octet confounder
to the plaintext, performing a DES CBC-mode encryption on the result
using the key and an initialization vector of zero, taking the last
block of the ciphertext, prepending the same confounder and
encrypting the pair using DES in cipher-block-chaining (CBC) mode
using a a variant of the key, where the variant is computed by
eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The
initialization vector should be zero. The resulting checksum is 128
bits (16 octets) long, 64 bits of which are redundant. This checksum
is tamper-proof and collision-proof.

The format for the checksum is described in the following diagram:

+--+--+--+--+--+--+--+--
| des-cbc(confounder
+--+--+--+--+--+--+--+--
+-----+-----+-----+-----+-----+-----+-----+-----+
des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
+-----+-----+-----+-----+-----+-----+-----+-----+

The format cannot be described in ASN.1, but for those who prefer an
ASN.1-like notation:

des-mac-checksum ::= ENCRYPTED UNTAGGED SEQUENCE {
confounder[0] UNTAGGED OCTET STRING(8),
check[1] UNTAGGED OCTET STRING(8)
}

The DES specifications identify some "weak" and "semiweak" keys;
those keys shall not be used for generating DES-MAC checksums for use
in Kerberos, nor shall a key be used whose veriant is "weak" or
"semi-weak".

**Next:** 6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative

**Connected: An Internet Encyclopedia**

*6.4.6. DES cipher-block chained checksum (des-mac)*