Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
57 views

Chapter 12 - Hash and MAC Algorithms

HMAC and CMAC are MAC algorithms that provide message authentication using hash functions and block ciphers respectively. HMAC operates by hashing the key concatenated with the message twice using different padding to provide security equivalent to the underlying hash function. CMAC overcomes limitations of CBC-MAC by using two keys derived from the original key and padding if needed. Both algorithms allow any hash function or block cipher to be used to construct the MAC.

Uploaded by

Pkumar Choure
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
57 views

Chapter 12 - Hash and MAC Algorithms

HMAC and CMAC are MAC algorithms that provide message authentication using hash functions and block ciphers respectively. HMAC operates by hashing the key concatenated with the message twice using different padding to provide security equivalent to the underlying hash function. CMAC overcomes limitations of CBC-MAC by using two keys derived from the original key and padding if needed. Both algorithms allow any hash function or block cipher to be used to construct the MAC.

Uploaded by

Pkumar Choure
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 17

Chapter 12 – Hash and

MAC Algorithms
HMAC & CMAC
Keyed Hash Functions as MACs
 want a MAC based on a hash function
 because hash functions are generally faster
 crypto hash function code is widely available
 hash includes a key along with message
 original proposal:
KeyedHash = Hash(Key|Message)
 some weaknesses were found with this

 eventually led to development of HMAC


HMAC Design Objectives
 use, without modifications, hash functions
 allow for easy replaceability of embedded
hash function
 preserve original performance of hash
function without significant degradation
 use and handle keys in a simple way.
 have well understood cryptographic analysis
of authentication mechanism strength
HMAC
 specified as Internet standard RFC2104
 uses hash function on the message:
HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M)] ]
 where K+ is the key padded out to size

 opad, ipad are specified padding constants

 overhead is just 3 more hash calculations than


the message needs alone
 any hash function can be used
 eg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC
Overview
HMACK = Hash[(K+ XOR opad) || Hash[(K+
XOR ipad) || M)]
where:
K+ is K padded with zeros on the left so that the
result is b bits in length

ipad is a pad value of 36 hex repeated to fill block

opad is a pad value of 5C hex repeated to fill block

M is the message input to HMAC (including the


padding specified in the embedded hash function)
1.Append zeros to the left end of K to create a b-
bit string K+(e.g., if K is of length 160 bits and b
= 512 then K will be appended with 44 zero bytes
0 x 00).
2. XOR (bitwise exclusive-OR) K+ with ipad to
produce the b-bit block Si.
3.Append M to Si.
4.Apply H to the stream generated in step 3.
5.XOR K+ with opad to produce the b-bit block So
6.Append the hash result from step 4 to So
7.Apply H to the stream generated in step 6 and
output the result.
HMAC Security
 proved security of HMAC relates to that of
the underlying hash algorithm
 attacking HMAC requires either:
 brute force attack on key used
 birthday attack (but since keyed would need
to observe a very large number of messages)
 choosehash function used based on
speed verses security constraints
Using Symmetric Ciphers for
MACs
 can use any block cipher chaining mode
and use final block as a MAC
 Data Authentication Algorithm (DAA) is
a widely used MAC based on DES-CBC
 using IV=0 and zero-pad of final block
 encrypt message using DES in CBC mode
 and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
 but final MAC is now too small for security
Data Authentication Algorithm

For one block message, T=MAC(K,X),


Then for adversary , CBC MAC of 2 block message can be predicted as X||(X+T)
CMAC
 previously saw the DAA (CBC-MAC)
 widely used in govt & industry
 but has message size limitation
 can overcome using 2 keys & padding
 thus forming the Cipher-based Message
Authentication Code (CMAC)
 adopted by NIST SP800-38B
CMAC Overview
• It uses the block size of the underlying cipher
(ie 128-bits for AES or 64-bits for triple-DES).
• The message is divided into n blocks M1..Mn,
padded if necessary. The algorithm makes use
of a k-bit encryption key K and an n-bit
constant K1 or K2 (depending on whether the
message was padded or not).
• For AES, the key size k is 128,192, or 256 bits;
• for triple DES, the key size is 112 or 168 bits.
• The two constants K1 & K2 are derived from the
original key K using encryption of 0 and multiplication
in GF(2n)
• L=E(K,0n),
• K1=L.x and K2=L.x2 = (L.x).x
Summary
 have considered:
 message authentication requirements
 message authentication using encryption
 MACs
 HMAC authentication using a hash function
 CMAC authentication using a block cipher
 Pseudorandom Number Generation (PRNG)
using Hash Functions and MACs

You might also like