HMAC 1

HMAC
In cryptography, HMAC (Hash-based
Message Authentication Code), is a
specific construction for calculating a
message authentication code (MAC)
involving a cryptographic hash
function in combination with a secret
key. As with any MAC, it may be used
to simultaneously verify both the data
integrity and the authenticity of a
message. Any iterative cryptographic
hash function, such as MD5 or SHA-1,
may be used in the calculation of an
HMAC; the resulting MAC algorithm
is termed HMAC-MD5 or
HMAC-SHA1 accordingly. The
cryptographic strength of the HMAC
depends upon the cryptographic SHA-1 HMAC Generation.
strength of the underlying hash
function, the size of its hash output length in bits and on the size and quality of the cryptographic key.

An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression
function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as
that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be
truncated if desired.
The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti,
and Hugo Krawczyk,[1] who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely if
ever used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMAC-SHA-1 and HMAC-MD5 are
used within the IPsec and TLS protocols.

Definition (from RFC 2104)

Let:
• H(·) be a cryptographic hash function
• K be a secret key padded to the right with extra zeros to the block size of the hash function
• m be the message to be authenticated
• ∥ denote concatenation
• ⊕ denote exclusive or (XOR)
• opad be the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant)
• ipad be the inner padding (0x363636…3636, one-block-long hexadecimal constant)
Then HMAC(K,m) is mathematically defined by
HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)).
HMAC 2

Implementation
The following pseudocode demonstrates how HMAC may be implemented.
function hmac (key, message)
if (length(key) > blocksize) then
key = hash(key) // keys longer than blocksize are shortened
end if
if (length(key) < blocksize) then
key = key ∥ zeroes(blocksize - length(key)) // keys shorter than blocksize are zero-padded
end if

o_key_pad = [0x5c * blocksize] ⊕ key // Where blocksize is that of the underlying hash function
i_key_pad = [0x36 * blocksize] ⊕ key // Where ⊕ is exclusive or (XOR)

return hash(o_key_pad ∥ hash(i_key_pad ∥ message)) // Where ∥ is concatenation

end function

Example usage
A business that suffers from attackers that place fraudulent Internet orders may insist that all its customers deposit a
secret key with them. Along with an order, a customer must supply the order's HMAC digest, computed using the
customer's symmetric key. The business, knowing the customer's symmetric key, can then verify that the order
originated from the stated customer and has not been tampered with.

Design principles
The design of the HMAC specification was motivated by the existence of attacks on more trivial mechanisms for
combining a key with a hash function. For example, one might assume the same security that HMAC provides could
be achieved with MAC = H(key ∥ message). However this method suffers from a serious flaw: with most hash
functions, it is easy to append data to the message without knowing the key and obtain another valid MAC. The
alternative, appending the key using MAC = H(message ∥ key), suffers from the problem that an attacker who can
find a collision in the (unkeyed) hash function has a collision in the MAC. Using MAC = H(key ∥ message ∥ key) is
better, however various security papers have suggested vulnerabilities with this approach, even when two different
keys are used.[1] [2] [3]
No known extensions attacks have been found against the current HMAC specification which is defined as H(key1 ∥
H(key2 ∥ message)) because the outer application of the hash function masks the intermediate result of the internal
hash. The values of ipad and opad are not critical to the security of the algorithm, but were defined in such a way to
have a large Hamming distance from each other and so the inner and outer keys will have fewer bits in common.
HMAC 3

Security
The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common
attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions
than their underlying hashing algorithms alone.[4] [5] [6] .
In 2006, Jongsung Kim, Alex Biryukov, Bart Preneel, and Seokhie Hong showed how to distinguish HMAC with
reduced versions of MD5 and SHA-1 or full versions of HAVAL, MD4, and SHA-0 from a random function or
HMAC with a random function. Differential distinguishers allow an attacker to devise a forgery attack on HMAC.
Furthermore, differential and rectangle distinguishers can lead to second-preimage attacks. HMAC with the full
version of MD4 can be forged with this knowledge. These attacks do not contradict the security proof of HMAC, but
provide insight into HMAC based on existing cryptographic hash functions. [7]

External links
• FIPS PUB 198, The Keyed-Hash Message Authentication Code [8]
• PHP HMAC implementation [9]
• Python HMAC implementation [10]
• Perl HMAC implementation [11]
• Ruby HMAC implementation [12]
• C HMAC implementation [13]
• Java implementation [14]
• JavaScript HMAC implementation [15]
• Lightweight JavaScript implementation (SHA-256 & HMAC SHA-256) [16]
• .NET's System.Security.Cryptography.HMAC [17]

References
[1] Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (1996). "Keying Hash Functions for Message Authentication" (http:/ / citeseerx. ist. psu. edu/
viewdoc/ summary?doi=10. 1. 1. 134. 8430). .
[2] Preneel, Bart; van Oorschot, Paul C. (1995). "MDx-MAC and Building Fast MACs from Hash Functions" (http:/ / citeseerx. ist. psu. edu/
viewdoc/ summary?doi=10. 1. 1. 34. 3855). . Retrieved 2009-08-28.
[3] Preneel, Bart; van Oorschot, Paul C. (1995). "On the Security of Two MAC Algorithms" (http:/ / citeseerx. ist. psu. edu/ viewdoc/
summary?doi=10. 1. 1. 42. 8908). . Retrieved 2009-08-28.
[4] Bruce Schneier (August 2005). "SHA-1 Broken" (http:/ / www. schneier. com/ blog/ archives/ 2005/ 02/ sha1_broken. html). . Retrieved
2009-01-09. "although it doesn't affect applications such as HMAC where collisions aren't important"
[5] IETF (February 1997). "RFC 2104" (http:/ / www. ietf. org/ rfc/ rfc2104. txt). . Retrieved 2009-12-03. "The strongest attack known against
HMAC is based on the frequency of collisions for the hash function H ("birthday attack") [PV,BCK2], and is totally impractical for minimally
reasonable hash functions."
[6] Bellare, Mihir (June 2006). "New Proofs for NMAC and HMAC: Security without Collision-Resistance" (http:/ / cseweb. ucsd. edu/ ~mihir/
papers/ hmac-new. html). in Dwork, Cynthia. . Lecture Notes in Computer Science 4117. Springer-Verlag. . Retrieved 2010-05-25. "This
paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee
since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that
HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised."
[7] Jongsung, Kim; Biryukov, Alex; Preneel, Bart; Hong, Seokhie (2006). On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5,
SHA-0 and SHA-1 (http:/ / eprint. iacr. org/ 2006/ 187. pdf). .
[8] http:/ / csrc. nist. gov/ publications/ fips/ fips198/ fips-198a. pdf
[9] http:/ / us2. php. net/ manual/ en/ function. hash-hmac. php
[10] http:/ / docs. python. org/ lib/ module-hmac. html
[11] http:/ / cpan. uwinnipeg. ca/ htdocs/ Digest-HMAC/ Digest/ HMAC. pm. html
[12] http:/ / ruby-hmac. rubyforge. org/
[13] http:/ / www. ouah. org/ ogay/ hmac/
[14] http:/ / download. oracle. com/ javase/ 1. 4. 2/ docs/ guide/ security/ jce/ JCERefGuide. html#HmacEx
[15] http:/ / jssha. sourceforge. net/
[16] http:/ / slbsoftware. com/ sha256/ sha256. js
HMAC 4

[17] http:/ / msdn. microsoft. com/ en-us/ library/ system. security. cryptography. hmac. aspx

Notes
• Mihir Bellare, Ran Canetti and Hugo Krawczyk, Keying Hash Functions for Message Authentication, CRYPTO
1996, pp1–15 (PS or PDF) (http://www-cse.ucsd.edu/users/mihir/papers/hmac.html#kmd5-paper).
• Mihir Bellare, Ran Canetti and Hugo Krawczyk, Message authentication using hash functions: The HMAC
construction, CryptoBytes 2(1), Spring 1996 (PS or PDF) (http://www-cse.ucsd.edu/users/mihir/papers/
hmac.html#hmac-cryptobytes).
Article Sources and Contributors 5

Article Sources and Contributors

HMAC  Source: http://en.wikipedia.org/w/index.php?oldid=384941148  Contributors: Acdx, Angela, Aquntus, ArnoldReinhold, Arvindn, AxelBoldt, BenjaminGittins, BorkaD, Caligatio,
Capricorn42, CesarB's unpriviledged account, Chrismiceli, Conseguenza, Conversion script, CraSH, Crcklssp, DRLB, Daf, Daverocks, David-Sarah Hopwood, Davidgothberg, Drake Redcrest,
Ed Brey, Ehn, Firealwaysworks, Fluffy 543, Frap, GBL, Grr82, Gurch, Hanche, Heandel, IFaqeer, J-Wiki, Jafet, Jaydec, Jesse Viviano, Jsnx, Kate, Kbk, Lee J Haywood, Martijnthie, Matt
Crypto, Michael miceli, Mmernex, Modbus.ug, MrOllie, Mrzaius, Nichalp, Ntsimp, ORBIT, Oli Filth, Pedro, Plfernandez, Polymorphm, Quadrescence, RJFJR, Reikon, Rettetast, Rjwilmsi,
Runtime, Saimhe, Schnolle, Shd, Sinar, VegKilla, Voltin, Waxmop, Ww, Yaronf, ZeroOne, 101 anonymous edits

Image Sources, Licenses and Contributors

File:Shahmac.jpg  Source: http://en.wikipedia.org/w/index.php?title=File:Shahmac.jpg  License: Creative Commons Attribution 2.0  Contributors: Bender235, Dawnseeker2000, ESkog, It Is Me
Here, Jonerworm, Miserlou, Peachey88, Sfan00 IMG, 1 anonymous edits

License
Creative Commons Attribution-Share Alike 3.0 Unported
http:/ / creativecommons. org/ licenses/ by-sa/ 3. 0/