Cryptography Reference
In-Depth Information
where
h
refers to a secure digest. The problem with this approach is its vulner-
ability to
known plaintext attacks
. The attack works like this: The attacker convinces
somebody with the MAC secret to hash and XOR the text “abc” or some other
value that is known to the attacker. This has the MD5 hash 900150983cd24fb0
d6963f7d28e17f72. Remember that the attacker can compute this as well — an
MD5 hash never changes. The holder of the secret then XORs this value with
the secret and makes the result available.
Unfortunately, the attacker can then XOR the hash with the result and recover
the secret. Remember that a ≈ b ≈ b
a, but a ≈ b ≈ a
b as well. So
hash
≈
secret
≈
hash
secret
. Since
mac
(
hash
≈
secret
),
mac
≈
hash
secret
, and the
secret has been revealed.
Implementing a Secure HMAC Algorithm
A more secure algorithm is specifi ed in RFC 2104 and is the standard for com-
bining shared secrets with secure hash algorithms. Overall, it's not radically
different in concept than XORing the shared secret with the result of a secure
hash; it just adds a couple of extra functions.
An HMAC-hash prepends one block of data to the data to be hashed. The
prepended block consists of 64 bytes of 0x36, XORed with the shared secret.
This means that the shared secret can't be longer than 64 bytes. If it is, it should
be securely hashed itself, and the results of that hash used as the shared secret.
This result (the prepended block, plus the input data itself) is then hashed, using
a secure hash algorithm. Finally, this hash is appended to a new block of data
that consists of one block of the byte 0x5C, XORed again with the shared secret
(or its computed hash as described previously), and hashed again to produce
the fi nal hash value. Figure 4-1 illustrates this process.
This double-hash technique stops the attacker in the known-plaintext attack
described earlier from computing the hash code and XORing it against the secret
to recover it. All of this complexity is carefully designed to create a repeatable
process. Remember, if “abc” hashes to “xyz” for me, it must hash that way for
you no matter when you run it or what type of machine you're on — but in such
a way that can't be reversed or forged. It seems complicated (and it is), but after
it's implemented, it can be treated as a black box.
Using the
digest
algorithm above, you can put together an HMAC imple-
mentation that can work with any hash algorithm in Listing 4-19.
Listing 4-19:
“hmac.c” HMAC function
/**
* Note: key_length, text_length, hash_block_length are in bytes.
* hash_code_length is in ints.
*/
void hmac( const unsigned char *key,
Search WWH ::
Custom Search