5

Given $plaintext$ and its respective authentication $tag$, which is generated from HMAC-MD5 so that $|tag| = 128$ bits.

If the application is constrained and can send only $64$ bits, is it OK if we XOR the first $8$ bytes and second $8$ bytes of the $tag$ in order to generate a total $64$-bit $tag$?

I believe the strength is really in the key size, not really the output size, for somebody to do a brute force. The worst that can happen is that two different inputs could have the same signature if we are doing the above?

Or does this weaken the strength in any way?

sashank

1 Answer

6

Key and tag lengths matter independently. A short tag allows a random guess to be valid more often, but does not help an attacker in finding the key. Rather than XOR, NIST recommends truncation if you need a shorter MAC tag. SP 800-107 (pdf) says to use at least 32 bits:

> When an application truncates the HMAC output to generate a MacTag to a desired length, λ, the λ left-most bits of the HMAC output shall be used as the MacTag. However, the output length, λ, shall be no less than 32 bits.

However, using at least 64 bits is recommended:

> A commonly acceptable length for the MacTag is 64 bits; MacTags with lengths shorter than 64 bits are discouraged.

Other than that, I would not use HMAC-MD5, although it has not been broken. HMAC-SHA256 (or HMAC-SHA512 if that is faster) can be truncated to the same size.

otus
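The left-most-bits truncation described in the answer, next to the XOR fold from the question, as an added example that is not part of the original posts. The function names, the whole-byte restriction and the sample key and message are assumptions made for illustration.

```python
import hashlib
import hmac

MIN_TAG_BITS = 32  # floor from the SP 800-107 passage quoted in the answer


def truncated_tag(key: bytes, msg: bytes, bits: int = 64,
                  digest: str = "sha256") -> bytes:
    """Return the `bits` left-most bits of HMAC(key, msg)."""
    if bits % 8 != 0:
        # Assumption of this example: only whole-byte tag lengths.
        raise ValueError("tag length must be a multiple of 8 bits")
    if bits < MIN_TAG_BITS:
        raise ValueError("tag shorter than 32 bits is not allowed")
    full = hmac.new(key, msg, digest).digest()
    if bits > len(full) * 8:
        raise ValueError("requested tag longer than the HMAC output")
    return full[: bits // 8]


def verify_truncated(key: bytes, msg: bytes, tag: bytes, bits: int = 64,
                     digest: str = "sha256") -> bool:
    """Recompute the truncated tag and compare in constant time."""
    expected = truncated_tag(key, msg, bits, digest)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, tag)


def xor_folded_md5_tag(key: bytes, msg: bytes) -> bytes:
    """The question's construction: XOR the two 8-byte halves of HMAC-MD5.

    Shown only for comparison with the truncation above.
    """
    full = hmac.new(key, msg, "md5").digest()
    return bytes(a ^ b for a, b in zip(full[:8], full[8:]))


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"constructed sample plaintext"  # constructed sample message
    tag = truncated_tag(key, msg)
    print("truncated HMAC-SHA256:", tag.hex())
    print("XOR-folded HMAC-MD5  :", xor_folded_md5_tag(key, msg).hex())
    print("verifies             :", verify_truncated(key, msg, tag))
    print("tampered message     :", verify_truncated(key, msg + b"!", tag))
```

Both functions emit 8 bytes, so the wire format is the same size either way; only the truncated form follows the quoted recommendation.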