Message Authentication using Hash Functions| The HMAC Construction | CS 4363, Lab Reports of Cryptography and System Security

Material Type: Lab; Class: Cryptography; Subject: Computer Science; University: University of Texas - San Antonio; Term: Spring 1996;

Appears in RSA Laboratories' CryptoBytes, Vol. 2, No. 1, Spring 1996.

Message Authentication using Hash Functions: The HMAC Construction

Mihir Bellare*, Ran Canetti†, Hugo Krawczyk‡

There has recently been a lot of interest in the subject of authenticating information using cryptographic hash functions like MD5 and SHA, particularly for Internet security protocols. We report on our HMAC construction [1] which seems to be gaining acceptance as a solution.

Introduction

Two parties communicating across an insecure channel need a method by which any attempt to modify the information sent by one to the other, or fake its origin, is detected. Most commonly such a mechanism is based on a shared key between the parties, and in this setting is usually called a MAC, or Message Authentication Code. (Other terms include Integrity Check Value or Cryptographic Checksum.) The sender appends to the data D an authentication tag computed as a function of the data and the shared key. At reception, the receiver recomputes the authentication tag on the received message using the shared key, and accepts the data as valid only if this value matches the tag attached to the received message.

The most common approach is to construct MACs from block ciphers like DES. Of such constructions the most popular is the CBC MAC. (Its security is analyzed in [4, 12].) More recently, however, people have suggested that MACs might be constructed from cryptographic hash functions like MD5 and SHA. There are several good reasons to attempt this: in software these hash functions are significantly faster than DES; library code is widely and freely available; and there are no export restrictions on hash functions.

Thus people seem agreed that hash function based constructions of MACs are worth having. The more difficult question is how best to do it. Hash functions were not originally designed for message authentication. (One of many difficulties is that they are not even keyed primitives, i.e., they do not accommodate naturally the notion of a secret key.) Several constructions were proposed prior to HMAC, but they lacked a convincing security analysis.

The HMAC construction is intended to fill this gap. Its performance is essentially that of the underlying hash function. It uses the hash function in a black box way so that it can be implemented with available code, and replacement of the hash function is easy should the need for such a replacement arise for security or performance reasons. Its main advantage, however, is that it can be proven secure provided the underlying hash function has some reasonable cryptographic strengths. The security features can be summarized like this: if HMAC fails to be a secure MAC, it means there are sufficient weaknesses in the underlying hash function that it needs to be dropped not only from this particular usage but also from a wide range of other popular usages to which it is now subject.

* Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093. Email: edu. http://www-cse.ucsd.edu/users/mihir.
† Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139. Email: canetti@theory.lcs.mit.edu. Supported by a post-doctoral grant from the Rothschild Foundation.
‡ IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email: com.


Several articles in the literature survey existing constructions, their properties, and some of their weaknesses, so we will not try to do this again here. In particular the reader is referred to Tsudik [17], who provides one of the earliest works on the subject; Kaliski and Robshaw who, in the first CryptoBytes [8], compare various possible constructions; updates appearing in succeeding issues of CryptoBytes; and Preneel and van Oorschot [12, 13], who present a detailed description of the effect of birthday attacks on "iterated constructions" and also a new construction called MDx-MAC.

We now move on to discuss the HMAC construction, its status, and its rationale. For a complete description, implementation guidelines, and detailed analysis we refer the reader to [1, 9].

HMAC

Let H be the hash function. For simplicity of description we may assume H to be MD5 or SHA-1; however the construction and analysis can be applied to other functions as well (see below). H takes inputs of any length and produces an l-bit output (l = 128 for MD5 and l = 160 for SHA-1). Let Text denote the data to which the MAC function is to be applied and let K be the message authentication secret key shared by the two parties. (It should not be larger than 64 bytes, the size of a hashing block, and, if shorter, zeros are appended to bring its length to exactly 64 bytes.) We further define two fixed and different 64 byte strings ipad and opad as follows (the "i" and "o" are mnemonics for inner and outer):

ipad = the byte 0x36 repeated 64 times
opad = the byte 0x5C repeated 64 times.

The function HMAC takes the key K and Text, and produces

$$\mathrm{HMAC}_K(\mathit{Text}) = H\big(K \oplus \mathit{opad},\; H(K \oplus \mathit{ipad},\; \mathit{Text})\big).$$

Namely,

(1) Append zeros to the end of K to create a 64 byte string
(2) XOR (bitwise exclusive-OR) the 64 byte string computed in step (1) with ipad
(3) Append the data stream Text to the 64 byte string resulting from step (2)
(4) Apply H to the stream generated in step (3)
(5) XOR (bitwise exclusive-OR) the 64 byte string computed in step (1) with opad
(6) Append the H result from step (4) to the 64 byte string resulting from step (5)
(7) Apply H to the stream generated in step (6) and output the result

The recommended length of the key is at least l bits. A longer key does not add significantly to the security of the function, although it may be advisable if the randomness of the key is considered weak. HMAC optionally allows truncation of the final output, say to 80 bits.

As a result we get a simple and efficient construction. The overall cost for authenticating a stream Text is close to that of hashing that stream, especially as Text gets large. Furthermore, the hashing of the padded keys can be precomputed for even improved efficiency.

Note HMAC uses the hash function H as a black box. No modifications to the code for H are required to implement HMAC. This makes it easy to use library code for H, and also makes it easy to replace a particular hash function, such as MD5, with another, such as SHA, should the need to do this arise.

HMAC was recently chosen as the mandatory-to-implement authentication transform for the Internet security protocols being designed by the IPSEC working group of the IETF (it replaces as a mandatory transform the one described in [10]). For this purpose HMAC is described in the Internet Draft [9], and in an upcoming RFC. Other Internet protocols are adopting HMAC as well (e.g., s-http [14], SSL [7]).
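As an added example (not code from the article or its authors), the following Python implements steps (1) to (7) above with H used as a black box through hashlib, the optional truncation to 80 bits, the precomputation of the two padded-key hash states mentioned above, and the receiver's recompute-and-compare check. The 64-byte key limit is the article's; rejecting longer keys with an error is a choice of this example.

```python
import hashlib
import hmac  # standard library; used here only for constant-time comparison

BLOCK = 64                      # hashing block size of MD5 and SHA-1, in bytes
IPAD = bytes([0x36]) * BLOCK    # inner pad: 0x36 repeated 64 times
OPAD = bytes([0x5C]) * BLOCK    # outer pad: 0x5C repeated 64 times


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_from_scratch(key, text, hash_name="sha1", truncate_bits=None):
    """HMAC_K(Text) = H(K xor opad, H(K xor ipad, Text)), steps (1)-(7).

    H is used as a black box via hashlib, so switching MD5 to SHA-1 is only a
    change of hash_name. Keys over 64 bytes are outside the article's
    description and are rejected here (a choice of this example).
    """
    if len(key) > BLOCK:
        raise ValueError("key must not exceed the 64-byte hashing block")
    H = lambda data: hashlib.new(hash_name, data).digest()
    k = key.ljust(BLOCK, b"\x00")       # (1) zero-pad K to exactly 64 bytes
    inner = H(_xor(k, IPAD) + text)     # (2)-(4) hash (K xor ipad) || Text
    tag = H(_xor(k, OPAD) + inner)      # (5)-(7) hash (K xor opad) || inner
    if truncate_bits is not None:       # optional truncation, e.g. to 80 bits
        tag = tag[: truncate_bits // 8]
    return tag


def precompute(key, hash_name="sha1"):
    """Absorb the two padded keys once; per message only Text and the short
    inner digest still have to be hashed."""
    k = key.ljust(BLOCK, b"\x00")
    return (hashlib.new(hash_name, _xor(k, IPAD)),
            hashlib.new(hash_name, _xor(k, OPAD)))


def hmac_with_precomputed(inner_state, outer_state, text):
    i = inner_state.copy()              # copy so the cached states stay reusable
    i.update(text)
    o = outer_state.copy()
    o.update(i.digest())
    return o.digest()


def verify(key, text, tag, hash_name="sha1"):
    """Receiver side: recompute the tag (at the received length) and compare
    in constant time so the comparison itself leaks nothing about the tag."""
    expected = hmac_from_scratch(key, text, hash_name, truncate_bits=8 * len(tag))
    return hmac.compare_digest(expected, tag)
```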

The rationale

We now briefly explain some of the rationale used in [1] to justify the HMAC construction. As we indicated above, hash functions were not originally designed to be used for message authentication. In particular they are not keyed primitives, and it is not clear how best to "key" them. Thus, one ought to be quite careful in using hash functions to build MACs.

The standard approach to security evaluation is to look for attacks on a candidate MAC construction. When practical attacks can be found, their effect is certainly conclusive: the construction must be dropped. The difficulty is when attacks are not yet found. Should one adopt the construction? Not clear, because attacks might be found in the future. The maxim that guided the HMAC construction was that an absence of attacks today does not im-

Resistance to known attacks

As shown in [12, 2], birthday attacks, which are the basis for finding collisions in cryptographic hash functions, can be applied to attack also keyed MAC schemes based on iterated functions (including also CBC-MAC, and other schemes). These attacks apply to most (or all) of the proposed hash-based constructions of MACs. In particular, they constitute the best known forgery attacks against the HMAC construction. Consideration of these attacks is important since they strongly improve on naive exhaustive search attacks. However, their practical relevance against these functions is negligible given the typical hash lengths like 128 or 160. Indeed, these attacks require the collection of the MAC value (for a given key) on about $2^{l/2}$ messages (where l is the length of the hash output). For values of $l \ge 128$ the attack becomes totally infeasible. In contrast to the birthday attack on key-less hash functions, the new attacks require interaction with the key owner to produce the MAC values on a huge number of messages, and then allow for no parallelization. For example, when using MD5 such an attack would require the authentication of $2^{64}$ blocks (or $2^{73}$ bits) of data using the same key. On a 1 Gbit/sec communication link, one would need 250,000 years to process all the data required by such an attack. This is in sharp contrast to birthday attacks on key-less hash functions which allow for far more efficient and close-to-realistic attacks [18].

References

[1] M. Bellare, R. Canetti and H. Krawczyk. Keying hash functions for message authentication. Advances in Cryptology - Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. ??, N. Koblitz ed., Springer-Verlag, 1996.

[2] M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom functions revisited: The cascade construction. Manuscript, April 1996.

[3] M. Bellare, R. Guerin and P. Rogaway. XOR MACs: New methods for message authentication using finite pseudorandom functions. Advances in Cryptology - Crypto 95 Proceedings, Lecture Notes in Computer Science Vol. 963, D. Coppersmith ed., Springer-Verlag, 1995.

[4] M. Bellare, J. Kilian and P. Rogaway. The security of cipher block chaining. Advances in Cryptology - Crypto 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.

[5] I. Damgard. A design principle for hash functions. Advances in Cryptology - Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989.

[6] National Institute for Standards and Technology. Digital Signature Standard (DSS). Federal Register, Vol. 56, No. 169, August 1991.

[7] A.O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol - Version 3.0. Internet draft draft-freier-ssl-version3-01.txt, March 1996.

[8] B. Kaliski and M. Robshaw. Message Authentication with MD5. RSA Labs' CryptoBytes, Vol. 1 No. 1, Spring 1995.

[9] H. Krawczyk, M. Bellare and R. Canetti. HMAC-MD5: Keyed-MD5 for Message Authentication. Internet draft draft-ietf-ipsec-hmac-md5-txt.00, March 1996.

[10] P. Metzger and W. Simpson. IP Authentication using Keyed MD5. IETF Network Working Group, RFC 1828, August 1995.

[11] R. Merkle. One way hash functions and DES. Advances in Cryptology - Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989. (Based on unpublished paper from 1979 and his Ph.D. thesis, Stanford, 1979.)

[12] B. Preneel and P. van Oorschot. MD-x MAC and building fast MACs from hash functions. Advances in Cryptology - Crypto 95 Proceedings, Lecture Notes in Computer Science Vol. 963, D. Coppersmith ed., Springer-Verlag, 1995.

[13] B. Preneel and P. van Oorschot. On the security of two MAC algorithms. Advances in Cryptology - Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. ??, U. Maurer ed., Springer-Verlag, 1996.

[14] E. Rescorla and A. Schiffman. The Secure HyperText Transfer Protocol. Internet draft draft-ietf-wts-shttp-01.txt, February 1996.

[15] R. Rivest. The MD5 message-digest algorithm. IETF Network Working Group, RFC 1321, April 1992.

[16] FIPS 180-1. Secure Hash Standard. Federal Information Processing Standard (FIPS), Publication 180-1, National Institute of Standards and Technology, US Department of Commerce, Washington D.C., April 1995.

[17] G. Tsudik. Message authentication with one-way hash functions. Proceedings of Infocom 92.

[18] P. van Oorschot and M. Wiener. Parallel Collision Search with Applications to Hash Functions and Discrete Logarithms. Proceedings of the 2nd ACM Conf. Computer and Communications Security, Fairfax, VA, November 1994.