Cryptography Reference
In-Depth Information
i.e., an attacker cannot do better than brute-forcing the entire key space to forge a
message. However, if an attacker exp
loits
the birthday paradox (cf. Section 11.2.3),
he can forge a signature with about
√
2
160
= 2
80
computations. There are indications
that SHA-1 collisions can be constructed with even fewer steps, so that an actual
attack might be even easier. In summary, we conclude that the secret suffix method
also does not provide the security one would like to have from a MAC construction.
HMAC
A hash-based message authentication code which does not show the security weak-
ness described above is the HMAC construction proposed by Mihir Bellare, Ran
Canetti and Hugo Krawczyk in 1996. The scheme consists of an inner and outer
hash and is visualized in Figure 12.2.
Fig. 12.2
HMAC construction
The MAC computation starts with expanding the symmetric key
k
with zeros on
the left such that the result
k
+
is
b
bits in length, where
b
is the input block width of
the hash function. The expanded key is XORed with the inner pad, which consists
of the repetition of the bit pattern:
