Cryptography Reference
In-Depth Information
5.6.5.1 HMAC
We are going to describe the HMAC algorithm with a view to implementing it in
Maple, mentioning its security properties by pointing to the appropriate references
but without going into the details. We assume that we are given a cryptographic hash
function
H
that is obtained by means of the Merkle-Damgård construction from a
compression function that takes inputs of
B
bytes and produces a hash value of
L
bytes (for example, if
H
is SHA-256, then
B
=
64 and
L
=
32). Optionally, we
may use a parameter
t
such that 4
≤
t
≤
L
which serves to truncate HMAC's output
to
t
bytes. We denote by length
(
K
)
the byte length of the key
K
.
Algorithm 5.4. HMAC
.
Input
:Akey
K
and a message
text
.
Output
: A 256-bit hash value.
Key Processing
:
if
length
(
K
)
=
B
then
K
elif
length
K
0
:=
(
K
)>
B
then
.
K
0
:=
H
(
K
)
||
00
...
00 (
B
−
L
zeros are appended to create a
B
-byte string)
else
K
0
:=
K
||
00
...
00 (
B
−
length
(
K
)
zeros are appended to create a
B
-byte string).
Compute MAC tag
:
ipad
:= the byte
x36
repeated
B
times (
inner pad
);
opad
:= the byte
x5c
repeated
B
times (
outer pad
);
return
H
((
K
0
⊕
opad
)
||
H
((
K
0
⊕
ipad
)
||
text
))
.
L
but a longer key does not
add significantly to the security if the key is random, so that often len
For security reasons it is recommended that len
(
K
)
≥
L
.As
mentioned, the output is often truncated, for example to 128bits if a hash function
with a 256-bit output is used. One interesting characteristic of HMAC is that it uses
the hash function
H
as a “black box”, which makes it very easy to implement and
also makes it easy to replace the hash function by another one if necessary.
As alreadymentioned, HMAC has a security reduction to very reasonable assump-
tions which, as shown in [13], boil down to some mild constraints on the underlying
hash function. Indeed, it is shown there that an adversary able to forge the HMAC
function is also able to find collisions in the hash function even when the IV (namely,
the IV in the Merkle-Damgård construction from which
H
is obtained) is random
and secret which, in principle, is harder than finding collisions in the hash function
as it would require interaction with the legitimate user of the function in order to
generate the input/output pairs. The property of hash functions being violated here
is weaker than collision resistance but it seems that some popular hash functions like
MD5 and SHA-1 which have recently been shown not to be collision resistant (see
the discussion in Sect.
5.7
) can also be attacked in this way. However, this possibility
(like the standard collision attacks against MD5 and SHA-1 which make these hash
functions unsuitable for many cryptographic uses) seems not to have led to any suc-
(
K
)
=
