Keyed-Hash Message Authentication Code
A Keyed-Hash Message Authentication Code (HMAC) is a Message Authentication Code (MAC), the construction of which is based on a cryptographic hash function, such as the Secure Hash Algorithm (SHA), and a secret key. HMACs are specified in RFC 2104 and in the NIST standard FIPS 198 and extended in RFC 4868 for use in IPsec. They can also be used, for example, in the TLS and SSH protocols.
Construction
The HMAC is calculated from the message and a secret key using the hash function according to RFC 2104 as follows. is padded to the block length of the hash function by XOR combination with a constant ("padding"); that is 64 bytes (512 bits) for most common hash functions. If the length is greater than the block length of the hash function, it is replaced by .
The values ("outer pad", a string) and ("inner pad", another string) are constants, stand for the bit-by-bit XOR operation and for joining by simple concatenation.
According to RFC 2104, both constants "outer pad" and "inner pad" are defined as follows:
- .
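The RFC 2104 computation described above, written out as an added example (not code from the RFC or from the original page). The function names `hmac_rfc2104`, `verify` and `self_check` are assumptions, the pad bytes 0x36 and 0x5c are the ones used in the RFC 2104 sample code, and the example generalizes to any hash function that `hashlib` provides.

```python
import hashlib
import hmac as std_hmac  # standard-library HMAC, used only as a cross-check


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5, SHA-1, SHA-256

    # A key longer than the block length is replaced by its hash value.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # The key is then filled with zero bytes up to the block length.
    key = key.ljust(block_size, b"\x00")

    inner_key = bytes(b ^ 0x36 for b in key)  # K xor inner pad
    outer_key = bytes(b ^ 0x5C for b in key)  # K xor outer pad

    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time to avoid a timing side channel."""
    return std_hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


def self_check() -> bool:
    """Compare against the standard library on constructed keys and messages."""
    cases = [
        (b"k", b""),                      # short key, empty message
        (b"key", b"message"),             # short key
        (b"\xaa" * 64, b"x" * 100),       # key exactly one 64-byte block
        (b"\xaa" * 131, b"long key"),     # key longer than any block size used here
    ]
    for hash_name in ("md5", "sha1", "sha256", "sha512"):
        for key, msg in cases:
            expected = std_hmac.new(key, msg, hash_name).digest()
            if hmac_rfc2104(key, msg, hash_name) != expected:
                return False
    return True


if __name__ == "__main__":
    print("matches standard library:", self_check())
```

In production code, use the library's own HMAC implementation together with a constant-time comparison; the hand-written version is only meant to make the two nested hash calls visible.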
Design principles
The construction, which appears cumbersome at first glance, results from the fact that most of the older cryptographic hash functions are based on the Merkle-Damgård construction, i.e. on the iteration of a compression function. For example, there is a simple attack on a MAC design as a . Due to the structure of the hash function, the hash value can easily be calculated for any message and the hash value of an unknown message M if the finalization function is missing or easily reversible. However, this can also be used to expand (“length extension” attack).
If the underlying hash function is assumed to be collision-resistant, simple MAC constructions are possible, for example the calculation as . However, the construction is insecure as soon as a collision is found, because if it is , then K is independent of the key due to the structure .
The idea of the HMAC construction is not to rely on the collision resistance of the hash function for security, but on weaker assumptions. For this reason, an MD5-based HMAC is still secure, even though collisions have already been found for MD5.
Security
If the underlying compression function is a pseudo-random function, the HMAC construction is also a pseudo-random function. Since any pseudo-random function is also a good MAC, the HMAC construction is also a good MAC.
Literature
- William Stallings: Cryptography and Network Security: Principles and Practice. 5th edition. (International Edition), Pearson Education, publishing as Prentice Hall, 2011, ISBN 978-0-13-705632-3.
Web links
- RFC 2104, HMAC: Keyed-Hashing for Message Authentication
- RFC 2202, HMAC-MD5 and HMAC-SHA1 Test Vectors, HMAC-SHA1 implementation in C
- FIPS PUB 198, The Keyed-Hash Message Authentication Code (PDF; 173 KiB)
References
- Stallings: Cryptography and Network Security: Principles and Practice. Pp. 399-400.
- T. Dierks, E. Rescorla: RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2. IETF. P. 14. Retrieved November 11, 2011: "The TLS record layer uses a keyed Message Authentication Code (MAC) to protect message integrity. The cipher suites defined in this document use a construction known as HMAC, described in [HMAC], which is based on a hash function. Other cipher suites MAY define their own MAC constructions, if needed."
- T. Ylonen, C. Lonvick, Ed.: RFC 4253, The Secure Shell (SSH) Transport Layer Protocol. IETF. P. 12. Accessed on November 11, 2011: "The "hmac-*" algorithms are described in [RFC2104]."
- H. Krawczyk, M. Bellare, R. Canetti: RFC 2104, HMAC: Keyed-Hashing for Message Authentication. IETF. Retrieved November 11, 2011.
- In the sample code in the appendix of RFC 2104, "0x36" is used for the inner pad and "0x5c" for the outer pad.
- Mihir Bellare, Ran Canetti, and Hugo Krawczyk: Keying hash functions for message authentication. In: Advances in Cryptology - Crypto 96 Proceedings. LNCS 1109. Springer, 1996, pp. 1-15, doi:10.1007/3-540-68697-5_1.
- Mihir Bellare: New Proofs for NMAC and HMAC: Security without Collision-Resistance. In: Advances in Cryptology - Crypto 2006 Proceedings. LNCS 4117. Springer, 2006, pp. 602-619, doi:10.1007/11818175_36.
- Mihir Bellare, Oded Goldreich and Anton Mityagin: The Power of Verification Queries in Message Authentication and Authenticated Encryption. 2004 (iacr.org).