Cryptography Reference
In-Depth Information
one.
The message
M
input to the HMAC is assumed to be separated into blocks
M
j
of bitlength
each for 0
1. There are also two padding constants
(which we will not explicitly specify here), of bitlength
each, denoted by
p
1
and
p
2
. The secret key is denoted by
k
, which we will assume to have bitlength
. (Typically,
k
will have to be padded, but we assume for the sake of simplicity,
that this has already been done.) Last, the output of the HMAC is of bitlength
n
≤
j
≤
−
≤
.
Algorithm Steps
1. Compute
k
=
k
⊕
p
1
, where
⊕
is addition modulo 2.
2. Form the concatenation
M
=(
M,k
).
3. Compute
H
=
H
(
M
), and pad to bitlength
.
4. Compute
k
=
k
p
2
.
5. Form the concatenation
M
=(
k
,H
).
6. Compute
H
=
H
(
M
), as the HMAC output.
⊕
The above algorithm steps may be succinctly stated as a single equation:
H
(
k
⊕
p
2
,H
(
M,k
⊕
p
1
))
.
This is illustrated as follows, where
✄
✂
✁
+
denotes addition modulo 2 in Dia-
gram 7.6.
Diagram 7.6 HMAC
→
✄
✂
✁
k
+
←
p
2
k
M
H
−−−−→
p
1
✄
✂
Pad to
bits
✁
HMAC
−−−−→
k
−−−−→
k
H
−−−−→
+
→
H
H
Analysis
: Step1 flips one half of the bits of
k
, whereas step4 flips the
other half. Thus, once
H
compresses
k
and
k
, we have essentially produced
two pseudorandomly generated keys from the original key
k
. The designers of
HMAC employed this feature with an eye to both oSine and online attacks (the
underlying assumption being that oSine attacks are easier to mount). Use of
the key
k
in step4 is used to thwart oSine attacks.
Typically HMAC is used with MD5 or SHA-1, but as noted earlier, if one
desires the very best possible long-term security, SHA-256 is the premium choice
since HMAC is already e:cient and easy to implement, so the time cost is offset
by the security profit.
Search WWH ::
Custom Search