Cryptography Reference
Hash Function-Based MACs
The HMAC construction was originally proposed at the Crypto 1996 conference [14].
A very accessible treatment of the scheme can be found in [15]. HMAC was turned
into an Internet RFC and was quickly adopted in many Internet security protocols,
including TLS and IPsec. In both cases it protects the integrity of a message
during transmission. It is widely used with the hash functions SHA-1 and MD5, and
its use with RIPEMD-160 has also often been discussed. It seems likely that the
switch to more modern hash functions such as SHA-2 and SHA-3 will result in more
and more HMAC constructions with these hash functions.
Other MAC Constructions
Another type of message authentication code is based on universal hashing and is
called UMAC. UMAC is backed by a formal security analysis, and the only internal
cryptographic component is a block cipher used to generate the pseudorandom pads
and internal key material. The universal hash function is used to produce a short
hash value of fixed length. This hash is then XORed with a key-derived
pseudorandom pad. The universal hash function is designed to be very fast in
software (e.g., as low as one cycle per byte on contemporary processors) and is
mainly based on additions of 32-bit and 64-bit numbers and multiplication of
32-bit numbers. Based on the original idea by Wegman and Carter [40], numerous
schemes have been proposed, e.g., the schemes Multilinear-Modular-Hashing (MMH)
and UMAC [89, 23].
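The hash-then-XOR-pad structure described above, as an added example that is not code from the book or from the UMAC specification. It assumes a polynomial hash over GF(2^64) in place of UMAC's much faster addition/multiplication hash, HMAC-SHA256 in place of the block cipher that generates the pad, and a per-message nonce as the pad input; all names and sample keys are constructed for illustration.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^64) modulo x^64 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:                       # reduce when the degree reaches 64
            a = (a & MASK64) ^ 0x1B
    return r

def universal_hash(hash_key: int, msg: bytes) -> int:
    """Polynomial hash: fixed 64-bit output for any message length."""
    padded = msg + b"\x00" * (-len(msg) % 8)
    blocks = [int.from_bytes(padded[i:i + 8], "big")
              for i in range(0, len(padded), 8)]
    blocks.append(len(msg))               # length block keeps the encoding injective
    acc = 0
    for block in blocks:                  # Horner evaluation at the secret point
        acc = gf_mul(acc ^ block, hash_key)
    return acc

def pad(pad_key: bytes, nonce: bytes) -> int:
    """Key-derived pseudorandom pad (HMAC-SHA256 stands in for the block cipher)."""
    digest = hmac.new(pad_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def wc_tag(hash_key: int, pad_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Tag = universal hash XOR pad; a nonce must never serve two messages."""
    return (universal_hash(hash_key, msg) ^ pad(pad_key, nonce)).to_bytes(8, "big")

def wc_verify(hash_key: int, pad_key: bytes, nonce: bytes,
              msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(wc_tag(hash_key, pad_key, nonce, msg), tag)

# Constructed sample keys (not from the page).
HASH_KEY = 0x0123456789ABCDEF
PAD_KEY = b"constructed-pad-key"
```

The hash key alone gives no security if its outputs are exposed, which is why the pad must be fresh for every message.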
12.6 Lessons Learned
MACs provide two security services, message integrity and message authentication, using symmetric techniques. MACs are widely used in protocols.
Both of these services are also provided by digital signatures, but MACs are much faster.
MACs do not provide nonrepudiation.
In practice, MACs are either based on block ciphers or on hash functions.
HMAC is a popular MAC used in many practical protocols such as TLS.