Cryptography Reference
In-Depth Information
MAC
k
1
,k
2
(
m
)=
h
(
k
1
m
k
2
)
Until the middle of the 1990s, people thought that this method would be secure
and that breaking it would require a simultaneous exhaustive key search for
k
1
and
k
2
(see, for example, [9] for a corresponding line of argumentation). In 1995,
however, it was shown that this is not the case and that there are more efficient
attacks against the envelope method than to do a simultaneous exhaustive key search
for
k
1
and
k
2
[6]. Since then, the envelope method is slowly being replaced by some
alternative methods, as addressed next.
11.2.2.4
Alternative Methods
After Tsudik had published his results, many cryptographers turned their interest to
the problem of using keyed one-way hash functions for message authentication and
finding proofs for their security claims (e.g., [6, 10, 11]). Most importantly, Mihir
Bellare, Ran Canetti, and Hugo Krawczyk developed a pair of message authenti-
cation schemes—the
nested MAC
(NMAC) and the
hashed MAC
(HMAC)—that
can be proven to be secure as long as the underlying hash function is reasonably
strong (in a cryptographic sense) [12]. From a practical point of view, the HMAC
construction has become particularly important [13]. In a slightly modified form, it
was, for example, specified in informational RFC 2104 [14] and has been adopted
by many standardization bodies working in the field.
The HMAC construction uses the following pair of 64-byte strings:
•
The string
ipad
(standing for “inner pad”) consists of the byte
0x36
(i.e.,
00110110
) repeated 64 times;
•
The string
opad
(standing for “outer pad”) consists of the byte
0x5C
(i.e.,
01011100
) repeated 64 times.
8 = 512 bits long. Let
h
be a crypto-
graphic hash function,
k
be the secret key,
5
and
m
be the message to be authenti-
cated. The HMAC construction is as follows:
Consequently,
ipad
and
opad
are 64
·
HMAC
k
(
m
)=
h
(
k
⊕
opad
h
(
k
⊕
ipad
m
))
5
The recommended minimal length of the key is
l
bits.
