Cryptography Reference
In-Depth Information
This construction looks more involved than it actually is. It begins by append-
ing zero bytes (i.e.,
0x00
)totheendof
k
to create a 64-byte or 512-bit string.
6
If, for example,
k
is 128 bits long, then 48 zero bytes are appended. The resulting
48
8 = 384 bits and the 128 key bits sum up to a total of 512 bits. This key is
then added modulo 2 to
ipad
, and the message
m
is appended to this value. At this
point in time, the cryptographic hash function
h
is applied a first time to the entire
data stream generated so far. The key (again, appended with zero bytes) is next added
modulo 2 to
opad
, and the result of the first application of
h
is appended to this value.
To compute the final hash value,
h
is applied a second time (note that this time the
argument for the hash function is comparably short). Last but not least, the output of
the HMAC construction may be truncated to a value that is shorter than
l
(e.g., 80 or
96 bits). In fact, it was shown that some analytical advantages result from truncating
the output [6]. In either case,
k
ยท
opad
are intermediate results of the
HMAC construction that can be precomputed at the time of generation of the key
k
, or before its first use. This precomputation allows the HMAC construction to be
implemented very efficiently.
The appeal of the HMAC construction is that its designers have been able to
prove a mathematical relationship between the strength of the construction and the
strength of the underlying hash function. In fact, it has been shown that a passive
attacker can break the HMAC construction only if he or she is able to successfully
attack the underlying hash function in a certain way and that the probability of such
an attack can be made sufficiently small.
โ
ipad
and
k
โ
11.2.3
MACs Using PRFs
In 1995, Mihir Bellare, Roch Guerin, and Phillip Rogaway proposed a method for
message authentication using families of finite PRFs [15]. The notion of a PRF
was introduced in Section 2.2.4 and is further addressed in Chapter 13. In short,
a function
f
:
X
Y
is pseudorandom if it is randomly chosen from the set of
all mappings from domain
X
to range
Y
. A family of PRFs can, for example, be
constructed with a block cipher (e.g., DES) or a compression function of an iterated
hash function. In the first case,
DES
k
(
m
) yields a family of finite PRF (
k
represents
the seed and
m
represents the argument) with
n
=64.
The MAC constructions developed and proposed by Bellare, Guerin, and
Rogaway are collectively called
XOR MACs
(because they make use of many parallel
XOR operations). In [15], it was argued that XOR MACs have many efficiency and
security advantages (compared to the MAC constructions addressed so far). Roughly
speaking, an XOR MAC is computed in three steps:
โ
6
If the key is longer than 64 bytes, then it must be truncated to the appropriate length.