5.3.6.2 FIPS
Prior to performing an encryption or decryption operation, the cryptographic modules used to implement Triple DES are configured with the following Initialization Vector.
-
{0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF}
The 160-bit MAC signature key is used to key the HMAC function ([RFC2104]), which uses SHA-1 as the iterative hash function.
-
MACSignature = First64Bits(HMAC(HMACKey, Data + EncryptionCount))
EncryptionCount is the cumulative encryption count, indicating how many encryptions have been carried out. It is expressed as a little-endian 32-bit integer. The description for Data is the same as in section 5.3.6.1.
Encryption of the data and construction of the network packet to transmit is similar to section 5.3.6.1. The main difference is that Triple DES (in cipher block chaining (CBC) mode) is used. Because DES is a block cipher, the data to be encrypted is padded to be a multiple of the block size (8 bytes). The FIPS Security Header (sections 2.2.8.1 and 2.2.9.1) has an extra field to record the number of padding bytes which were appended to the data prior to encryption to ensure that upon decryption these bytes are not included as part of the data.