Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [hmac]

HMAC is a method for constructing a message authentication code based on a cryptographic hash function.

HMAC (Hash-based Message Authentication Code) is a method constructing a message authentication code based on a cryptographic hash function. The HMAC construction was published in 1996 by Mihir Bellare, Ran Canetti and Hugo Krawczyk. It is standardized in RFC 2104.

The HMAC construction can be used with any cryptograåhic hash function. Common examples include HMAC-SHA1, HMAC-SHA-256 and, in older use, HMAC-MD5.

HMAC can be proven to be secure as long as the hash function satisfies some rather mild security assumptions. In the original 1996 paper the security of HMAC was proven based on the assumption that the hash is a "weakly collision resistant" iterated hash function and that its compression function is a pseudo-random function (PRF).

In 2006 Mihir Bellare published a new security proof of HMAC based solely on the assumption that the compression function is a PRF or, alternatively, that the hash is "computationally almost universal" and that the compression function is a privacy-preserving MAC. In particular, the new proof shows that, despite the practical collision attacks known against the MD5 hash function, the HMAC-MD5 construction remains secure (at least as long as no new attacks are discovered).

645 questions
63
votes
2 answers

Why is $H(k\mathbin\Vert x)$ not a secure MAC construction?

If $H(m)$ is a secure hash function, can't we implement a MAC using $H(k\mathbin\Vert m)$? However, it seems the more widely used MACs, such as NMAC and HMAC (both originally defined in Keying hash functions for message authentication) use a much…
Anne Nonimus
  • 733
  • 1
  • 5
  • 4
60
votes
2 answers

What is the difference between MAC and HMAC?

In reference to this question, what are the "stronger security properties" that HMAC provides over MAC. I got that MAC requires an IV whereas HMAC doesn't. I also understood that MAC may reveal information about plaintext in contrast to HMAC. Is my…
TheRookierLearner
  • 1,011
  • 1
  • 11
  • 15
52
votes
3 answers

What is the difference between a HMAC and a hash of data?

On a recent question it became apparent that there's a significant difference between an HMAC of input data and a hash of input data. What exactly is the difference between an HMAC and a hash of a span of input data?
Naftuli Kay
  • 1,007
  • 1
  • 11
  • 14
46
votes
2 answers

What do the magic numbers 0x5c and 0x36 in the opad/ipad calc in HMAC do?

Wikipedia lists the following pseudocode for HMAC: function hmac (key, message) if (length(key) > blocksize) then key = hash(key) // keys longer than blocksize are shortened end if if (length(key) < blocksize) then //…
sneak
  • 617
  • 1
  • 5
  • 10
42
votes
4 answers

Purpose of outer key in HMAC

From what I know, the HMAC constructions has two strength: It's resistant to length extensions Since the key is consumed before the message, the attacker does not know the initial state, preventing simple collision attacks. But the simple…
CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
39
votes
2 answers

HMAC vs ECDSA for JWT

I will be implementing JSON web tokens into my website and have a question about implementing them. I have a choice of using two algorithms, HMAC-SHA256 and ECDSA-SHA256. I have used HMAC-SHA256 in the past for jwt, but now I noticed ECDSA is being…
user2924127
  • 493
  • 1
  • 4
  • 8
39
votes
2 answers

Why is HMAC-SHA1 still considered secure?

This Q & A https://security.stackexchange.com/questions/33123/hotp-with-as-hmac-hashing-algoritme-a-hash-from-the-sha-2-family says that the security of HMAC-SHA1 does not depend on resistance to collisions? Are they are saying specifically with…
user93353
  • 2,348
  • 3
  • 28
  • 49
36
votes
2 answers

Using the same secret key for encryption and authentication in a Encrypt-then-MAC scheme

Is it a weakness to use a single shared secret for protecting messages using a Encrypt-then-MAC scheme? Assuming a system is using AES-256-CBC and a SHA1-HMAC and the same secret key for both operations. Upon intercepting one of these messages…
Rook
  • 1,506
  • 1
  • 13
  • 22
36
votes
2 answers

HMAC-SHA1 vs HMAC-SHA256

I have three questions: Would you use HMAC-SHA1 or HMAC-SHA256 for message authentication? How much HMAC-SHA256 is slower than HMAC-SHA1? Are the security improvements of SHA256 (over SHA1) enough to justify its usage?
Mario
  • 361
  • 1
  • 3
  • 3
34
votes
2 answers

Is HMAC-MD5 considered secure for authenticating encrypted data?

I've read something to the effect that the HMAC construct is able to lessen the problem of collisions in the underlying hash. Does that mean that something like HMAC-MD5 still might be considered safe for authenticating encrypted data?
Nuoji
  • 813
  • 1
  • 7
  • 21
34
votes
0 answers

Key size for HMAC-SHA256

After reading a bunch of past stack exchange posts like this one and RFCs 5869, 2104, and 4868 I felt comfortable that a 32-byte key was sufficient for HMAC-SHA256. However, I am implementing my code in C# and someone pointed out to me that the…
Ralph P
  • 543
  • 1
  • 4
  • 10
30
votes
1 answer

How secure would HMAC-SHA3 be?

It would be possible to implement the HMAC construction with (draft) SHA-3, leading to HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 (the last 3 digits are the output size $\ell$, where $\ell/8$ is the $L$ parameter in HMAC). All that's…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
29
votes
6 answers

Why not authenticate full-disk encryption?

Common FDE software (TrueCrypt, BitLocker, dm-crypt) doesn't authenticate ciphertext stored on the disk. The commonly cited reason is "it would take too much space", reasoning that you would need an authentication tag for every sector and that would…
matejcik
  • 393
  • 3
  • 5
29
votes
2 answers

HMAC vs MAC functions

I've read definitions of MAC and HMAC, but can't say I've completely grasped the differences. What are principle differences? When to use one and when the other?(Typical Use Cases)
Matteo
  • 1,171
  • 2
  • 12
  • 23
27
votes
1 answer

Use cases for CMAC vs. HMAC?

Both can be used to verify the integrity of a message. Assuming you have the needed primitives available to you (i.e. the code space of needing both a cipher and a hash function isn't prohibitive), is there any reason to prefer one over an other? In…
Alex Gaynor
  • 356
  • 1
  • 4
  • 11
1
2 3
42 43