没有合适的资源?快使用搜索试试~ 我知道了~
资源推荐
资源详情
资源评论
An abridged version of this paper appears in Advances in Cryptology – Crypto 96 Proceedings,
Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.
Keying Hash Functions for Message Authentication
Mihir Bellare
∗
Ran Canetti
†
Hugo Krawczyk
‡
June 1996
Abstract
The use of cryptographic hash functions like MD5 or SHA for message authentication has
become a standard approach in many Internet applications and protocols. Though very easy to
implement, these mechanisms are usually based on ad hoc techniques that lack a sound security
analysis.
We present new constructions of message authentication schemes based on a cryptographic
hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the un-
derlying hash function has some reasonable cryptographic strengths. Moreover we show, in a
quantitative way, that the schemes retain almost all the security of the underlying hash function.
In addition our schemes are efficient and practical. Their performance is essentially that of the
underlying hash function. Moreover they use the hash function (or its compression function) as
a black box, so that widely available library code or hardware can be used to implement them
in a simple way, and replaceability of the underlying hash function is easily supported.
∗
Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500
Gilman Drive, La Jolla, CA 92093. Email: mihir@cs.ucsd.edu. http://www-cse.ucsd.edu/users/mihir.
†
IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email: canetti@
watson.ibm.com. Work done while author was at MIT, supported by a post-doctoral grant from the Rothschild
Foundation.
‡
IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email:hugo@watson.ibm.
com.
1
Contents
1 Introduction 3
1.1 Authenticity and MACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 MACing with cryptographic hash functions . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 This work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 A closer look . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Basic Notions 6
2.1 MACs and their security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Keyed Hash Functions 9
4 The Nested Construction NMAC 10
4.1 The function NMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2 Security analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5 HMAC: A fixed IV variant 13
5.1 The function HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.2 Security of HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.3 Implementation considerations for HMAC . . . . . . . . . . . . . . . . . . . . . . . . 14
6 Attacks and Comparison to other Proposals 15
2
1 Introduction
1.1 Authenticity and MACs
Verifying the integrity and authenticity of information is a prime necessity in computer systems
and networks. In particular, two parties communicating over an insecure channel require a method
by which information sent by one party can be validated as authentic (or unmodified) by the other.
Most commonly such a mechanism is based on a secret key shared between the parties and takes
the form of a Message Authentication Code (MAC). (Other terms used include “Integrity Check
Value” or “cryptographic checksum”). In this case, when party A transmits a message to party B,
it appends to the message a value called the authentication tag, computed by the MAC algorithm
as a function of the transmitted information and the shared secret key. At reception, B recomputes
the authentication tag on the received message using the same mechanism (and key) and checks
that the value he obtains equals the tag attached to the received message. Only if the values
match is the information received considered as not altered on the way from A to B.
1
The goal
is to prevent forgery, namely, the computation, by the adversary, of a message (not sent by the
legitimate parties) and its corresponding valid authentication tag. A precise definition of MACs
and their security is in Section 2.
1.2 MACing with cryptographic hash functions
MACs have most commonly been constructed out of block ciphers like DES. (The most popular in
this genre is the CBC MAC, analyzed in [BKR, PV1].) More recently, however, there has been a
surge of interest in the idea of constructing MACs from cryptographic hash functions like MD5 [Ri]
and SHA-1 [SHA]. This is particularly visible in the Internet community, where the development of
security protocols has led to the need for simple, efficient, and widely available MAC mechanisms.
It is easy to see why people want to MAC with cryptographic hash functions: the popular hash
functions are faster than block ciphers in software implementation; these software implementations
are readily and freely available; and the functions are not subject to the export restriction rules of
the USA and other countries. The more difficult question is how best to do it. These hash functions
were not originally designed to be used for message authentication. (One of many difficulties is
that hash functions are not keyed primitives, ie. do not accommodate naturally the notion of secret
key.) So special care must be taken in using them to this end. In particular, although many
constructions have been proposed, they lack a sound and realistic security analysis. Thus there is
a need for constructions which maintain the efficiency of the hash functions but are backed by a
more rigorous analysis of their security. This is what we provide.
Section 1.5 describes some background and previous work on this subject. We now proceed to
describe our work.
1.3 This work
In this paper we present two (related) new schemes, NMAC (the Nested construction) and HMAC
(the Hash based mac). They can utilize any cryptographic hash function of the iterated type, and
enjoy several attractive security, efficiency, and practicality features.
Security. Our constructions enjoy a formal security analysis that relates the security of the new
functions to basic properties of the underlying hash schemes, like their resistance to collision finding.
1
More generally, MAC schemes can involve the use of state information (e.g., a counter), use random nonces, or
apply other mechanisms than just appending a tag. For concreteness we stick for now to simple MACs.
3
剩余18页未读,继续阅读
资源评论
beebeeyoung
- 粉丝: 19
- 资源: 62
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
最新资源
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功