Cryptography Reference
In-Depth Information
ipad = 0011 0110
,
0011 0110
,...,
0011 0110
so that a length of
b
bit is achieved. The output of the XOR forms the first input
block to the hash function. The subsequent input blocks are the message blocks
(
x
1
,
x
2
,...,
x
n
).
The second, outer hash is computed with the padded key together with the output
of the first hash. Here, the key is again expanded with zeros and then XORed with
the outer pad:
opad = 0101 1100
,
0101 1100
,...,
0101 1100
.
The result of the XOR operation forms the first input block for the outer hash. The
other input is the output of the inner hash. After the outer hash has been computed,
its output is the message authentication code of
x
. The HMAC construction can be
expressed as:
HMAC
k
(
x
)=
h
(
k
+
h
(
k
+
x
.
⊕
opad)
||
⊕
ipad)
||
The hash output length
l
is in practice longer than the width
b
of an input block.
For instance, SHA-1 has an
l
= 160 bit output but accepts
b
= 512 bit inputs. It
does not pose a problem that the inner hash function output does not match the
input size of outer hash because hash functions have preprocessing steps to match
the input string to the block width. As an example, Section 11.4.1 described the
preprocessing for SHA-1.
In terms of computational efficiency, it should be noted that the message
x
, which
can be very long, is only hashed once in the inner hash function. The outer hash
consists of merely two blocks, namely the padded key and the inner hash output.
Thus, the computational overhead introduced through the HMAC construction is
very low.
In addition to its computational efficiency, a major advantage of the HMAC con-
struction is that there exists a
proof of security
. As for all schemes which are prov-
able secure, HMAC is not secure per se, but its security is related to the security of
some other building block. In the case of the HMAC construction it can be shown
that if an attacker, Oscar, can break the HMAC, he can also break the hash function
used in the scheme. Breaking HMAC means that even though Oscar does not know
the key, he can construct valid authentication tags for messages. Breaking the hash
function means that he can either find collisions or that he can compute a hash func-
tion output even though he does not know the initial value IV (which was the value
H
0
in the case of SHA-1).
12.3 MACs from Block Ciphers: CBC-MAC
In the preceding section we saw that hash functions can be used to realize MACs.
An alternative method is to construct MACs from block ciphers. The most popular
