Keyed-Hash Message Authentication Code

from Wikipedia, the free encyclopedia

A Keyed-Hash Message Authentication Code (HMAC) is a Message Authentication Code (MAC) whose construction is based on a cryptographic hash function, such as the Secure Hash Algorithm (SHA), and a secret key. HMACs are specified in RFC 2104 and in the NIST standard FIPS 198, and extended in RFC 4868 for use in IPsec. They can also be used, for example, in the TLS and SSH protocols.

Construction

The HMAC is calculated from the message and a secret key using the hash function according to RFC 2104 as follows. is padded to the block length of the hash function by XOR combination with a constant ("padding"); that is 64 bytes (512 bits) for most common hash functions. If the length is greater than the block length of the hash function, it is replaced by .

The values ("outer pad", a string) and ("inner pad", another string) are constants, stand for the bitwise XOR operation and for joining by simple concatenation.

According to RFC 2104, both constants "outer pad" and "inner pad" are defined as follows:

.
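The construction described above, written out step by step in Python as an added example; it is not code from the article or from RFC 2104. It follows RFC 2104 (key zero-padded to one block, pad bytes 0x36 and 0x5c) and cross-checks the result against Python's standard `hmac` module; the function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac  # standard library: used for cross-checking and compare_digest

IPAD, OPAD = 0x36, 0x5C  # inner and outer pad bytes from RFC 2104


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute an HMAC step by step, following RFC 2104."""
    # Block length of the hash: 64 bytes for SHA-1/SHA-256, 128 for SHA-512.
    block_size = hashlib.new(hash_name).block_size
    # A key longer than one block is first replaced by its hash value.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # The key is then zero-padded on the right to exactly one block.
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    # Inner hash over (key XOR ipad) || message, outer hash over
    # (key XOR opad) || inner digest.
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received tag in constant time to avoid a timing side channel."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


# Constructed sample inputs: one short key and one key longer than a block.
SHORT_KEY = b"\x0b" * 20
LONG_KEY = b"k" * 200
MESSAGE = b"Hi There"

if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        for key in (SHORT_KEY, LONG_KEY):
            ours = hmac_rfc2104(key, MESSAGE, name)
            reference = hmac.new(key, MESSAGE, name).digest()
            print(name, len(key), ours.hex(), "match" if ours == reference else "MISMATCH")
```

The long key exercises the branch in which the key is hashed before padding, and `verify` shows how a receiver should compare tags.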

Design principles

Merkle-Damgård construction: the hash value is generated from the message blocks by repeatedly applying the compression function.

The construction, which appears cumbersome at first glance, results from the fact that most of the older cryptographic hash functions are based on the Merkle-Damgård construction, i.e. on the iteration of a compression function. For example, there is a simple attack on a MAC design as a . Due to the structure of the hash function, the hash value can easily be calculated for any message and the hash value of an unknown message M if the finalization function is missing or easily reversible. However, this can also be used to expand ("length extension" attack).

If the underlying hash function is assumed to be collision-resistant, simple MAC constructions are possible, for example the calculation as . However, the construction is insecure as soon as a collision is found, because if it is , then K is independent of the key due to the structure .

The idea of the HMAC construction is not to rely on the collision resistance of the hash function for security, but on weaker assumptions. For this reason, an MD5-based HMAC is still secure, even though collisions have already been found for MD5.

Security

If the underlying compression function is a pseudo-random function, the HMAC construction is also a pseudo-random function. Since any pseudo-random function is also a good MAC, the HMAC construction is also a good MAC.

Literature

  • William Stallings: Cryptography and Network Security: Principles and Practice. 5th edition. (International Edition), Pearson Education, publishing as Prentice Hall, 2011, ISBN 978-0-13-705632-3.

References

  1. Stallings: Cryptography and Network Security: Principles and Practice. pp. 399-400.
  2. T. Dierks, E. Rescorla: RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2. IETF. p. 14. Retrieved November 11, 2011: "The TLS record layer uses a keyed Message Authentication Code (MAC) to protect message integrity. The cipher suites defined in this document use a construction known as HMAC, described in [HMAC], which is based on a hash function. Other cipher suites MAY define their own MAC constructions, if needed."
  3. T. Ylonen, C. Lonvick (Ed.): RFC 4253, The Secure Shell (SSH) Transport Layer Protocol. IETF. p. 12. Retrieved November 11, 2011: "The "hmac-*" algorithms are described in [RFC2104]."
  4. H. Krawczyk, M. Bellare, R. Canetti: RFC 2104, HMAC: Keyed-Hashing for Message Authentication. IETF. Retrieved November 11, 2011.
  5. In the sample code in the appendix of RFC 2104, "0x36" is used for the inner pad and "0x5c" for the outer pad.
  6. Mihir Bellare, Ran Canetti, and Hugo Krawczyk: Keying hash functions for message authentication. In: Advances in Cryptology - Crypto 96 Proceedings. LNCS 1109. Springer, 1996, pp. 1-15, doi:10.1007/3-540-68697-5_1.
  7. Mihir Bellare: New Proofs for NMAC and HMAC: Security without Collision-Resistance. In: Advances in Cryptology - Crypto 2006 Proceedings. LNCS 4117. Springer, 2006, pp. 602-619, doi:10.1007/11818175_36.
  8. Mihir Bellare, Oded Goldreich and Anton Mityagin: The Power of Verification Queries in Message Authentication and Authenticated Encryption. 2004 (iacr.org).