Cryptography Reference
In-Depth Information
the idea behind the Hash-based Message Authentication Code (HMAC). This type
of MAC can, at least in theory, be constructed from any cryptographic hash
function. Thus it is common to see HMAC more precisely being referred to as,
for example, HMAC-MD5, where the suffix identifies the name of the underlying
hash function.
The design of HMAC is very simple. Let $h$ be a hash function and let $K_1$
and $K_2$ be two symmetric keys. Then the MAC on message $M$ is computed as
follows:
1. compute the hash of $K_2$ concatenated (see Section 1.6.1) with the message; in
other words compute $h(K_2 \,\|\, M)$;
2. compute the hash of $K_1$ concatenated with the output of step 1; in other words
compute:
$$h(K_1 \,\|\, h(K_2 \,\|\, M)).$$
Thus computing the MAC involves two applications of the underlying hash
function, first to $K_2$ and the message, and then to $K_1$ and the first hash output.
HMAC is simple and fast to implement. So what is the catch?
In some sense there is no catch. However, it is important to recognise that the
security of HMAC depends on three separate things:
• The security of the keys. HMAC employs two symmetric keys. Thus the
length of an HMAC key can be regarded as the sum of the lengths of these
two keys.
• The security of the hash function. HMAC's security depends on the security of
the underlying hash function. Thus it should be deployed using hash functions
that have been approved for use in HMAC by recognised experts.
• The length of the MAC output. Just as we discussed in Section 6.3.3, it is possible
to use just part of the HMAC output as the actual MAC, but reducing its length
will reduce security.
Perhaps the most 'delicate' of these three dependencies is the second one. As we
discussed in Section 6.2.4, the security of hash functions is arguably a less 'mature'
subject than the security of block ciphers. If a flaw is found in a hash function then
it is possible (probable) that this flaw will have implications for the use of HMAC
with that hash function. However, it is of course also true that HMAC could still
then be used with an alternative underlying hash function.
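An added example (not from the original text): the two-step computation above written in Python, next to the key handling that standardised HMAC (RFC 2104) uses in practice, where a single key is zero-padded to the hash block size and XORed with two constants to give $K_1$ and $K_2$. The function names, the sample key and message, and the fixed 16-byte truncated tag length are assumptions made for illustration.

```python
import hashlib
import hmac


def textbook_mac(h, k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """The construction described above: h(K1 || h(K2 || M))."""
    inner = h(k2 + msg).digest()      # step 1: h(K2 || M)
    return h(k1 + inner).digest()     # step 2: h(K1 || step-1 output)


def derive_keys(h, key: bytes):
    """RFC 2104 key handling: one key -> block-sized K1 (outer), K2 (inner)."""
    block = h().block_size
    if len(key) > block:              # over-long keys are hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")   # zero-pad to one full hash block
    k1 = bytes(b ^ 0x5C for b in key)  # outer pad constant
    k2 = bytes(b ^ 0x36 for b in key)  # inner pad constant
    return k1, k2


def hmac_from_scratch(h, key: bytes, msg: bytes) -> bytes:
    """Standard HMAC expressed as the two-step construction with derived keys."""
    k1, k2 = derive_keys(h, key)
    return textbook_mac(h, k1, k2, msg)


def verify(h, key: bytes, msg: bytes, tag: bytes, tag_len: int = 16) -> bool:
    """Check a truncated tag of one agreed length (assumed 16 bytes here).

    The length is fixed by the verifier, never taken from the received tag,
    and the comparison runs in constant time.
    """
    if len(tag) != tag_len:
        return False
    expected = hmac_from_scratch(h, key, msg)[:tag_len]
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-sample-key"        # constructed sample values
    msg = b"transfer 100 to account 42"
    full = hmac_from_scratch(hashlib.sha256, key, msg)
    # The hand-built version agrees with the standard library's HMAC.
    print(full == hmac.new(key, msg, hashlib.sha256).digest())
    print(verify(hashlib.sha256, key, msg, full[:16]))
    print(verify(hashlib.sha256, key, msg + b"0", full[:16]))
```
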
It is important to note that:
• Once again we have presented a 'textbook' version of a cryptographic primitive
rather than one ready for immediate implementation. In practice, it is normal in
HMAC to introduce some padding after the keys in order to format the input
for processing by the hash function.
• It is tempting to consider HMAC as 'over-engineered' and to just treat $h(K_2 \,\|\, M)$,
the output from step 1, as a suitable MAC for message $M$. The problem with this
approach is that, for many choices of hash function, it becomes possible for an
 