attacks based upon chosen plaintext (see Footnote 3.4 on page 127). Third, it should be computationally infeasible to compute a valid MAC pair $(m', h_a(m'))$ from a known MAC pair $(m, h_a(m))$, for any new input $m' \neq m$. This property thwarts a cryptanalyst's attempts to create a valid MAC for a given message $m$, called existential forgery, whereas if the secret key itself is obtained, Eve can manufacture a MAC for any selected plaintext, called selective forgery.
The security of MACs employing secret-key block ciphers, such as DES or AES, depends upon the security of the underlying block cipher and the secret key. In particular, the new AES-XCBC-MAC-96 algorithm is a variant of the basic CBC-MAC using AES with a minimum 128-bit key, although variable key lengths are possible. The AES-XCBC-MAC-96 algorithm and its use with IPsec (which we will study in Section 8.3), released in 2003, is documented in RFC 3566 (see Footnote 7.2 and http://www.faqs.org/rfcs/rfc3566.html). For any CBC-MAC variant, the major computational effort is expended in computing the underlying block cipher, and for AES-XCBC-MAC-96, there is a minimal number of AES operations used, resulting in performance roughly equivalent to the above-described CBC-MAC. The use of a MAC with an underlying block cipher such as AES is suggested since we achieve a desirable level of security. As noted in the aforementioned RFC document: "The security provided by AES-XCBC-MAC-96 is based upon the strength of AES. At the time of this writing there are no practical cryptographic attacks against AES or AES-XCBC-MAC-96."
Ideally, the most desirable MAC function is one that maps randomly from bitstrings of arbitrary length to bitstrings of length $n$. Hence, it seems most reasonable to seek a hash function as the MAC function to do the job. Moreover, hash functions, such as SHA-1 (see page 255), typically execute much faster in software implementations than block ciphers, such as DES. The most successful of the developments in the direction of such a MAC is the HMAC, which is a new standard as a keyed-hash MAC, namely FIPS-198, updated April 8, 2002 (see http://www.faqs.org/rfcs/rfc2104.html). HMAC is a generalization of Internet RFC 2104, and ANSI X9.71, and it can be used with any iterative (see Footnote 7.3) hash function, in combination with a shared secret key. The security of HMAC depends on the properties of the underlying hash function.
HMAC Algorithm

Background Assumptions: We assume the HMAC has been prepared as a module wherein the hash function $H$ (such as SHA-256, for instance, to ensure optimal security, or SHA-1, if speed is a concern, even MD5 if speed is more of a concern than rigorous security) is embedded as a separate module. In this fashion, we have a prepared HMAC that may be installed where needed with no further alterations. Moreover, if $H$ has to be replaced, say, for security reasons, then one merely removes the $H$-module and replaces it with another
7.3 Iterative hash functions, such as SHA-1, split the input into a sequence of fixed blocks $m_1, m_2, \ldots, m_n$ with padding to fill in the $n$th block, typically of blocklength 512 bits. Then the blocks are processed in ascending order, using a compression function and a fixed size buffer, or intermediate state, again as with SHA-1, for instance, the final value being the output of the hash function.
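The keyed-hash construction from RFC 2104 / FIPS-198 with the hash $H$ kept as a pluggable module, as the Background Assumptions describe, together with a check of the forgery property from the first paragraph (a valid pair for $m$ does not verify for $m' \neq m$). This is an added example, not code from the book; the function names, the use of Python's hashlib/hmac modules and the sample key and message are assumptions of the example.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as in RFC 2104 / FIPS 198: H((K xor opad) || H((K xor ipad) || m)).

    hash_name selects the embedded H-module ("sha256", "sha1", "md5", ...);
    the MAC logic itself never changes when H is swapped out.
    """
    H = lambda data=b"": hashlib.new(hash_name, data)
    block = H().block_size           # input block length of H (64 bytes for SHA-1, SHA-256, MD5)
    if len(key) > block:             # keys longer than one block are first reduced to a digest
        key = H(key).digest()
    key = key.ljust(block, b"\x00")  # shorter keys are zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = H(ipad + message).digest()
    return H(opad + inner).digest()

def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    # constant-time comparison, so the verifier leaks nothing about the correct tag
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)

def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the construction against Python's hmac module for the same H."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()

def tag_rejected_on_modified_message(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """A known pair (m, h_a(m)) must not verify for a different message m'."""
    tag = hmac_rfc2104(key, message, hash_name)
    modified = bytes([message[0] ^ 0x01]) + message[1:]   # m' differs from m in a single bit
    return not verify(key, modified, tag, hash_name)

if __name__ == "__main__":
    # constructed sample input (it is also RFC 2202 test case 2 for HMAC-SHA-1 and HMAC-MD5)
    key, msg = b"Jefe", b"what do ya want for nothing?"
    for h in ("sha256", "sha1", "md5"):     # swap the H-module; nothing else changes
        print(h, hmac_rfc2104(key, msg, h).hex(), matches_stdlib(key, msg, h))
    print("rejects m' != m:", tag_rejected_on_modified_message(key, msg))
```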