An abridged version of this paper appears in Advances in Cryptology – Crypto 96 Proceedings,
Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.
Keying Hash Functions for Message Authentication
Mihir Bellare∗
Ran Canetti†
Hugo Krawczyk‡
June 1996
Abstract
The use of cryptographic hash functions like MD5 or SHA for message authentication has
become a standard approach in many Internet applications and protocols. Though very easy to
implement, these mechanisms are usually based on ad hoc techniques that lack a sound security
analysis.
We present new constructions of message authentication schemes based on a cryptographic
hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying
hash function has some reasonable cryptographic strengths. Moreover we show, in a
quantitative way, that the schemes retain almost all the security of the underlying hash function.
In addition our schemes are efficient and practical. Their performance is essentially that of the
underlying hash function. Moreover they use the hash function (or its compression function) as
a black box, so that widely available library code or hardware can be used to implement them
in a simple way, and replaceability of the underlying hash function is easily supported.
∗ Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500
Gilman Drive, La Jolla, CA 92093. Email: mihir@cs.ucsd.edu. http://www-cse.ucsd.edu/users/mihir.
† IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email: canetti@watson.ibm.com.
Work done while author was at MIT, supported by a post-doctoral grant from the Rothschild
Foundation.
‡ IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email: hugo@watson.ibm.com.
Contents
1 Introduction
1.1 Authenticity and MACs
1.2 MACing with cryptographic hash functions
1.3 This work
1.4 A closer look
1.5 Related work
2 Basic Notions
2.1 MACs and their security
2.2 Cryptographic Hash Functions
3 Keyed Hash Functions
4 The Nested Construction NMAC
4.1 The function NMAC
4.2 Security analysis
5 HMAC: A fixed IV variant
5.1 The function HMAC
5.2 Security of HMAC
5.3 Implementation considerations for HMAC
6 Attacks and Comparison to other Proposals
1 Introduction
1.1 Authenticity and MACs
Verifying the integrity and authenticity of information is a prime necessity in computer systems
and networks. In particular, two parties communicating over an insecure channel require a method
by which information sent by one party can be validated as authentic (or unmodified) by the other.
Most commonly such a mechanism is based on a secret key shared between the parties and takes
the form of a Message Authentication Code (MAC). (Other terms used include “Integrity Check
Value” or “cryptographic checksum”). In this case, when party A transmits a message to party B,
it appends to the message a value called the authentication tag, computed by the MAC algorithm
as a function of the transmitted information and the shared secret key. At reception, B recomputes
the authentication tag on the received message using the same mechanism (and key) and checks
that the value he obtains equals the tag attached to the received message. Only if the values
match is the information received considered as not altered on the way from A to B.¹ The goal
is to prevent forgery, namely, the computation, by the adversary, of a message (not sent by the
legitimate parties) and its corresponding valid authentication tag. A precise definition of MACs
and their security is in Section 2.
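The tag-and-verify exchange described above, as an added example that is not part of the original paper: it builds HMAC in its standard form (RFC 2104; the construction is defined later in the full paper, not in this excerpt) over a black-box library hash, and runs sender and receiver over several hash functions. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac  # standard library: reference implementation and constant-time compare


def hmac_tag(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as H((K ^ opad) || H((K ^ ipad) || msg)), hash used as a black box."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                       # keys longer than a block are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")            # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def send(key: bytes, msg: bytes, hash_name: str = "sha256"):
    """Party A: transmit the message together with its authentication tag."""
    return msg, hmac_tag(key, msg, hash_name)


def receive(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Party B: recompute the tag and accept only if it equals the received one."""
    expected = hmac_tag(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)  # comparison does not leak match position


# Constructed sample values, not taken from the paper.
KEY = b"constructed-shared-key"
MSG = b"transfer 100 to account 42"


def demo() -> dict:
    results = {}
    for name in ("sha1", "sha256", "sha512"):  # the underlying hash is replaceable
        msg, tag = send(KEY, MSG, name)
        altered = msg.replace(b"100", b"900")  # message modified in transit
        results[name] = {
            "matches_stdlib": tag == hmac.new(KEY, MSG, name).digest(),
            "accepts_genuine": receive(KEY, msg, tag, name),
            "rejects_altered": not receive(KEY, altered, tag, name),
            "rejects_wrong_key": not receive(b"other-key", msg, tag, name),
        }
    return results


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```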
1.2 MACing with cryptographic hash functions
MACs have most commonly been constructed out of block ciphers like DES. (The most popular in
this genre is the CBC MAC, analyzed in [BKR, PV1].) More recently, however, there has been a
surge of interest in the idea of constructing MACs from cryptographic hash functions like MD5 [Ri]
and SHA-1 [SHA]. This is particularly visible in the Internet community, where the development of
security protocols has led to the need for simple, efficient, and widely available MAC mechanisms.
It is easy to see why people want to MAC with cryptographic hash functions: the popular hash
functions are faster than block ciphers in software implementation; these software implementations
are readily and freely available; and the functions are not subject to the export restriction rules of
the USA and other countries. The more difficult question is how best to do it. These hash functions
were not originally designed to be used for message authentication. (One of many difficulties is
that hash functions are not keyed primitives, i.e., do not accommodate naturally the notion of secret
key.) So special care must be taken in using them to this end. In particular, although many
constructions have been proposed, they lack a sound and realistic security analysis. Thus there is
a need for constructions which maintain the efficiency of the hash functions but are backed by a
more rigorous analysis of their security. This is what we provide.
Section 1.5 describes some background and previous work on this subject. We now proceed to
describe our work.
1.3 This work
In this paper we present two (related) new schemes, NMAC (the Nested construction) and HMAC
(the Hash based MAC). They can utilize any cryptographic hash function of the iterated type, and
enjoy several attractive security, efficiency, and practicality features.
Security. Our constructions enjoy a formal security analysis that relates the security of the new
functions to basic properties of the underlying hash schemes, like their resistance to collision finding.
¹ More generally, MAC schemes can involve the use of state information (e.g., a counter), use random nonces, or
apply other mechanisms than just appending a tag. For concreteness we stick for now to simple MACs.