HMAC

src: res.cloudinary.com

In cryptography, HMAC (sometimes disabbreviated as message authentication code with hash key or hash-based message authentication code ) is the specific type of message authentication code ( MAC) that involves cryptographic hash functions and cryptographic secret keys. This can be used to simultaneously verify both the data integrity and authentication of a message, as does MAC. Any cryptographic hash function, such as MD5 or SHA-1, can be used in HMAC calculation; the resulting MAC algorithm is called HMAC-X, where X is the hash function used (eg HMAC-MD5 or HMAC-SHA1). The cryptographic strength of HMAC depends on the cryptographic strength of the underlying hash function, its hash output size, and key size and quality.

The HMAC generation uses twice the hash calculation. The secret key was first used to obtain two keys - inside and out. The first algorithm of the algorithm produces an internal hash coming from the message and the key inside. The second pass generates the final HMAC code derived from the result of the inner hash and the outer key. Thus the algorithm provides better immunity against long extension attacks.

The iterative hash function breaks messages down into fixed size blocks and repeats them with compression functions. For example, MD5 and SHA-1 operate on 512-bit blocks. The output size of HMAC is the same as the underlying hash function (eg 128 or 160 bit in case of MD5 or SHA-1, respectively), although it can be truncated if desired.

HMAC does not encrypt messages. Instead, messages (encrypted or not) should be sent alongside the HMAC hash. Parties with a secret key will hash the message itself, and if it is original, the accepted and calculated hashes will match.

The definition and analysis of HMAC construction was first published in 1996 in a paper by Mihir Bellare, Ran Canetti, and Hugo Krawczyk, and they also wrote RFC 2104 in 1997. The 1996 paper also defines a variant called NMAC that is rare, if ever, used. FIPS PUB 198 generalizations and standardization of HMAC usage. HMAC is used in IPsec and TLS protocols.

Video HMAC

Definitions

This definition is taken from RFC 2104:

$Â\; Â{\displaystyle Â\; Â\; Â\; Â\; Â\; Â\; Â\; Â}$ HMAC                (          K         ,          m        )         =         H                               (                          (             Â¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯           ?                ?          o          p          a          d        )         ?         H                               (                          (             Â¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯           ?                ?           me          p          a          d        )         ?          m                              )                                                )                                {\ displaystyle \ operatorname {HMAC} (K, m) = H {\ Bigl (} (K '\ oplus opad) \ | H {\ bigl ( } {K '\ oplus ipad) \ | m {\ bigr}} {\ Bigr}}}  Â

Where

H is a cryptographic hash function,

K is the secret key,

m is the message to be authenticated,

K ' is another secret key, derived from the original key K (by inserting K to the right with an extra zero to the block size input function hash, or with hashing K if longer than the block size),

|| show merge,

? show exclusive or (XOR),

opad is an outer padding (0x5c5c5c... 5c5c, a hexadecimal constants one block),

and ipad are padding in (0x363636... 3636, one-block-long hexadecimal constants).

Maps HMAC

Implementation

The following pseudocode shows how HMAC can be implemented. Blocksize is 64 (bytes) when using one of the following hash functions: SHA-1, MD5, RIPEMD-128/160.

   Function   hmac  Â Â Â   Input:    Â Â Â Â Â Key: Bytes   array of bytes    Â Â Â Â Â message: Bytes   array of bytes to be hashed    Hash function:   hash function to use (eg SHA-1)    BlockSize: Integer   block size of the underlying hash function (eg 64 bytes for SHA-1)    OutputSize: Integer the output size of the underlying hash function (eg 20 bytes for SHA-1)    Â  Â Â Â  Longer buttons from  blockSize  are shortened by hashing them   Â Â Â   if   (long (key) & gt; blockSize)  then    Â Â Â Â Â key <- hash (key)  //Key becomes outputSize long byte    Â Â Â  Shorter buttons from  blockSize  are padded to blockSize by padding with zero on the right   Â Â Â   if   (long (key) & lt; blockSize)  then    Â Â Â Â Â key <- Pad (key, blockSize) //pad key with zero to make it  blockSize  long byte   Â Â Â Â  Â Â Â o_key_pad = key xor [0x5c * blockSize]  //soft outer button    Â Â Â i_key_pad = key xor [0x36 * blockSize]  //Buttons deep in    Â Â Â Â  Â Â Â   return   hash (o_key_pad? Hash (i_key_pad? Message))  //Where ?  is a series    

src: i.ytimg.com

Design principles

The HMAC specification design is motivated by an attack on a more trivial mechanism for combining keys with hash functions. For example, one might assume the same security that HMAC provides can be achieved with MAC = H ( key || message ). However, this method suffers from a serious flaw: with most hash functions, it's easy to add data to messages without knowing the key and getting another valid MAC ("long extension attack"). Alternatively, adding a key using the MAC = H ( message || key ), suffers from the problem that attackers can find collisions in the hash function (no key ) has a collision in MAC (since two messages m1 and m2 that generate the same hash will give the same initial conditions to the hash function before the added key is hashed, so the final hash will be the same). Using MAC = H ( key || messages || key ) is better, but various security documents have suggested vulnerability with this approach, even when two different keys are used.

No known extension attacks were found against the current HMAC specification defined as the H key ( key || H ( i> || message )) because the outer application of the hash function masks the middle result of the internal hash. The ipad and opad values ​​are not important for algorithm security, but are defined in such a way as to have large Hamming spacing from each other and so the inside and outside keys will have more bit the same bit. Reduced HMAC security does require them to differ at least one bit.

The Keck hash function, selected by NIST as the winner of the SHA-3 competition, does not require this multilevel approach and can be used to generate a MAC by simply entering a key to the message, as it is not vulnerable to the length of the additional attack.

src: res.cloudinary.com

Security

The cryptographic strength of HMAC depends on the size of the secret key used. The most common attack on HMAC is the brutal power to uncover the secret key. HMAC is substantially less affected by collisions than those underlying the hashing algorithm alone. Therefore, HMAC-MD5 does not suffer the same weaknesses that have been found in MD5.

In 2006, Jongsung Kim, Alex Biryukov, Bart Preneel and Seokhie Hong showed how to differentiate HMAC with reduced version of MD5 and SHA-1 or full version of HAVAL, MD4, and SHA-0 from random function or HMAC with random function. Differential differentiators allow attackers to design counterfeiting attacks on HMAC. Furthermore, differential and rectangular differentiators can cause a second preimage attack. HMAC with full version of MD4 can be faked with this knowledge. These attacks are not inconsistent with HMAC security evidence, but provide insight into HMAC based on existing cryptographic hash functions.

In 2009, Xiaoyun Wang et al. presents a distinct attack on HMAC-MD5 without using a corresponding key. This can differentiate the HMAC instantiation with MD5 from instantiation with a random function with 2 ⁹⁷ queries with a probability of 0.87.

In 2011, an RFC 6151 information was published to summarize the safety considerations in MD5 and HMAC-MD5. For HMAC-MD5, the RFC summarizes that - although the security of the MD5 hash function itself is severely compromised - the currently known "HMAC-MD5" attack does not seem to indicate a practical vulnerability when used as a message authentication code ", but it also adds that "for the new protocol design, ciphersuite with HMAC-MD5 should not be included" .

src: i.ytimg.com

Example

Here are some empty HMAC values:

 HMAC_MD5 ("", "") = 74e6f7298a9c2d168935f58c001bad88  HMAC_SHA1 ("", "") = fbdb1d1b18aa6c08324b7d64b71fb76370690e1d  HMAC_SHA256 ("", "") = b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad  

Here are some non-empty HMAC values, assuming 8-bit ASCII or UTF-8 encoding:

 HMAC_MD5 ("key", "Fox brown quickly jumps over lazy dog") = 80070713463e7749b90c2dc24911e275  HMAC_SHA1 ("key", "Fox brown quickly jump over lazy dog") = de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9  HMAC_SHA256 ("key", "Fox broke fast over lazy dog") = f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8  

src: image.slidesharecdn.com

References

Notes

src: www.thesecuritybuddy.com

External links

• RFC2104
• Online HMAC Calculator for dozens of underlying hashing algorithms
• Online HMAC Generator/Tester Tool
• FIPS PUB 198-1, Message-Hash Message Authentication Code (HMAC)
• PHP HMAC Implementation
• HMAC Python implementation
• Perl HMAC implementation
• HMAC Ruby implementation
• HMAC implementation
• Implementation of C HMAC (part of Crypto)
• Java implementation
• JavaScript MD5 and SHA HMAC implementations
• HMAC JavaScript JavaScript implementation only
• .NET System.Security.Cryptography.HMAC
• Delphi/Free Pascal Application
• PicoLisp Implementation

Source of the article : Wikipedia