HMAC, The Keyed Hash-Based MAC Function

Section 1 — Background

What is a MAC? MAC stands for Message Authentication Code. In general, a MAC can be thought of as a checksum for data passed through an unreliable (or more importantly, unsecure) pipeline. A sender will typically generate a MAC code by first passing their message into some MAC algorithm. The sender will then send their message M with the MAC(M). The receiver can then generate their own MAC(M) and verify that MAC(M) sent by the receiver matches the MAC(M) they themselves generated.

A MAC algorithm can be generated using multiple different techniques; howerver, sender and receiver generally need to have a shared secret key, K. A MAC algorithm could be made out of a common symmetric cipher such as DES or AES. A sender wanting to send a secure message can send M encrypted, e(M), with a symmetric cipher and then resend M||K (M concatenated with K) encrypted, e(M||K). The receiver first decrypts M, d(e(M)), to generate M’. He then encrypts M’||K, e(M’||K) and compares with the e(M||K) originally sent. If the two match, the data has not been manipulated.

A general step-by-step process of how a generic MAC functions works can be described in the following steps:

1.Sender sends Message & MAC(Message), M1
2.Receiver receives both parts
3.Receiver makes his own MAC(Message),M2
4.If M2 != M1, data has been corrupted
5.If M2 == M1, data is valid

Note that a hash function alone cannot act as a MAC function. Why? Well, an attacker could intercept M and Hash(M). He could then resend as M’ and Hash(M’). The receiver could then not tell that the message had been altered. In other words, Hash functions can help prevent error in an unreliable channel, but not in an unsecure channel.

Section 2 — HMAC — what is it?

What is HMAC? HMAC is merely a specific type of MAC function. It works by using an underlying hash function over a message and a key. It is currently one of the predominant means to ensure that secure data is not corrupted in transit over unsecure channels (like the internet).

Any hashing fuction could be used with HMAC, although more secure hashing functions are preferable. An example of a secure hash function (which is commonly used in HMAC implementations) is SHA-14. (Other common hashing functions include MD5 and RIPEND-160). As computers become more and more powerful, increasingly complex hash functions will probably be used. Furthermore, there are several generations of SHA hashing functions (SHA-256, SHA-384, and SHA-512) which are currently available but not very widely used as their added security is not yet believed to be needed in everyday transactions.

Section 3 — Internals — how does it work?

How does it work? HMAC generates a Message Authentication Code by the following formula:

HMAC(M) = H[(K+opad)||H[(k+ipad)||M]]

M = Message
H[] = Underlying Hash function
K = Shared Secret Key
opad = 36hex, repeated as needed
ipad = 5Chex, repeated as needed
|| = concatenation operation
+ = XOR operation

The HMAC(M) is then sent as any typical MAC(M) in a message transaction over insecure channels (See section 1).

For a graphical illustration, look at below for diagram of the HMAC algorithm. Diagram was pulled from the NIST website.

diagram

Again, any hash function can be used, but SHA-1 seems to be most popular implementation.

Section 4 — Advantages — why use HMAC?

Why use HMAC? HMAC has all of the general properties of a MAC function; this means that HMAC is suitable anytime senders and receivers wish to guarantee integrity between sender and receiver.

Moreover, HMAC is computationally very fast and very compact. HMAC accomplishes both of these properties with it’s reliance on a given hash function which are both fast and return compact outputs.

Also, HMAC can be (and has been) implemented in practically any language. For example, he Java API already includes a basic implementation of HMAC/SHA-1 for use. Implementation is (almost) as simple as calling a few key pre-written methods.

However, HMAC may not be used for non-repudation. That is, Bob cannot demonstrate that data really came from Alice — both sender and receiver can correctly generate an HMAC output (so Bob could have made the data himself). This is in contrast to digital signatures in which only the sender can generate the correct output.

Section 5 — References — where can I learn more?

  1. HMAC — see also FIPS PUB 113 and RFC 2104
  2. DES — see also FIPS PUB 46
  3. AES — see also FIPS PUB 197
  4. SHA-1 — see also FIPS PUB 180-1
  5. NIST — National Institute of Standards and Technology