Cryptography Reference
In-Depth Information
We can also make a MAC from cryptographic hash functions. The following
construction, called HMAC, is due to Mihir Bellare, Ran Canetti, and Hugo Krawczyk.
It has been published as the Internet standard RFC 2104 (Ref. [109]).
We assume that we are given a cryptographic hash function
H
which internally
processes messages by blocks of
B
bytes and produces a digest of
L
bytes. For instance,
if
H
is SHA-1, we have
B
20. We further use a parameter
t
which is
the required size of the MAC in bytes. We require that
t
is at least 4 and at most
the output size of
H
. Computing the MAC of a message
m
with a key
K
works as
follows.
=
64 and
L
=
1. If
K
has more than
B
bytes, we first replace
K
by
H
(
K
). (Having a key of such
a long size does not increase the security.) Note that
H
(
K
) has
L
bytes.
2. We append zero bytes to the right of
K
until it has exactly
B
bytes.
3. We compute
m
))
where ipad and opad are two fixed bitstrings of
B
bytes. The ipad consists of
B
bytes equal to
0x36
in hexadecimal. The opad consists of
B
bytes equal to
0x5c
in hexadecimal.
4. We truncate the result to its
t
leftmost bytes. We obtain HMAC
K
(
m
).
H
(
K
⊕
opad
||
H
(
K
⊕
ipad
||
We can prove that if
H
(
K
m
) defines a secure MAC on fixed-length messages
and if
H
is collision-resistant, then HMAC is a secure MAC on variable-length messages
with two independent keys. However, we do not have any result on
H
(
K
⊕
ipad
||
⊕
ipad
||
m
).
More precisely, here is the security result.
Theorem 3.8 (Bellare-Canetti-Krawczyk 1996 [24]).
Let H be a hash function
which hashes onto
}
we consider the following MAC
bits. Given K
1
,
K
2
∈{
0
,
1
algorithm.
MAC
K
1
,
K
2
(
m
)
=
H
(
K
2
||
H
(
K
1
||
m
))
Assuming that H is collision-resistant and that m
→
H
(
K
2
||
m
)
is a secure MAC al-
gorithm for messages m of fixed length
, then
MAC
is a secure MAC algorithm for
messages of arbitrary length.
Hence, provided that HMAC is indistinguishable from the construction in this theorem,
HMAC is a secure MAC algorithm as well.
Proof.
In order to avoid confusion, we call
m
→
H
(
K
2
||
m
) the small MAC and
MAC
K
1
,
K
2
the big MAC. We assume that we have an adversary
A
for the big MAC.
A
for the small MAC by simulation as follows.
We construct an adversary
1. We pick a random
K
1
and we simulate
A
.
2. Every time
X
i
) and we
query the small MAC oracle with the result. We get
c
i
which is returned to
A
sends a query
X
i
to the oracle, we compute
H
(
K
1
||
A
as the answer to the query.
Search WWH ::
Custom Search