Chapter 12 – Hash and MAC Algorithms
HMAC & CMAC
Keyed Hash Functions as MACs
• want a MAC based on a hash function
  • because hash functions are generally faster
  • crypto hash function code is widely available
• hash includes a key along with message
• original proposal:
  KeyedHash = Hash(Key|Message)
• some weaknesses were found with this
• eventually led to development of HMAC
HMAC Design Objectives
• use, without modifications, hash functions
• allow for easy replaceability of embedded hash function
• preserve original performance of hash function without significant degradation
• use and handle keys in a simple way
• have well understood cryptographic analysis of authentication mechanism strength
HMAC
• specified as Internet standard RFC 2104
• uses hash function on the message:
  HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• any hash function can be used
  • e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Overview
HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
where:
• K+ is K padded with zeros on the left so that the result is b bits in length
• ipad is a pad value of 36 hex repeated to fill block
• opad is a pad value of 5C hex repeated to fill block
• M is the message input to HMAC (including the padding specified in the embedded hash function)
1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512 then K will be appended with 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
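The seven steps above, written out as an added example (not code from the slides) and cross-checked against Python's standard hmac module. It follows RFC 2104 on two details: the zero bytes are appended after the key bytes, and a key longer than one block is hashed first. The function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac  # standard-library HMAC, used here only as a cross-check

IPAD, OPAD = 0x36, 0x5C  # pad bytes from the slide, repeated to fill one block


def hmac_by_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built step by step, with any hashlib hash as the embedded H."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size  # b in bytes (64 for SHA-256)

    # RFC 2104: a key longer than one block is first replaced by H(key).
    if len(key) > block_size:
        key = H(key)
    # Step 1: pad the key with zero bytes to exactly b bits, giving K+.
    # RFC 2104 places the zeros after the key bytes.
    k_plus = key.ljust(block_size, b"\x00")

    # Step 2: Si = K+ XOR ipad.
    s_i = bytes(b ^ IPAD for b in k_plus)
    # Steps 3-4: inner hash H(Si || M).
    inner = H(s_i + message)
    # Step 5: So = K+ XOR opad.
    s_o = bytes(b ^ OPAD for b in k_plus)
    # Steps 6-7: outer hash H(So || inner) is the tag.
    return H(s_o + inner)


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_by_steps(key, message, hash_name), tag)


def demo() -> dict:
    """Constructed inputs: a 160-bit key, a 1-byte key, a key longer than a block."""
    msg = b"transfer 100 to account 42"  # constructed sample message
    keys = {"160-bit": bytes(range(20)), "short": b"k", "long": b"K" * 100}
    out = {}
    for name, key in keys.items():
        tag = hmac_by_steps(key, msg)
        matches_stdlib = tag == hmac.new(key, msg, "sha256").digest()
        tamper_detected = not verify(key, msg + b"0", tag)
        out[name] = (matches_stdlib, tamper_detected)
    return out


if __name__ == "__main__":
    print(demo())
```

Swapping `hash_name` for another hashlib algorithm changes only H and the block size b, which is the replaceability the design objectives ask for.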
HMAC Security
• proved security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
  • brute force attack on key used
  • birthday attack (but since keyed would need to observe a very large number of messages)
• choose hash function used based on speed versus security constraints
Using Symmetric Ciphers for MACs
• can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  • using IV=0 and zero-pad of final block
  • encrypt message using DES in CBC mode
  • and send just the final block as the MAC
    • or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security
Data Authentication Algorithm
• For a one-block message X, T = MAC(K, X).
• An adversary can then predict the CBC-MAC of the two-block message X || (X XOR T): it is again T.
CMAC
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message Authentication Code (CMAC)
• adopted by NIST SP800-38B
CMAC Overview
• It uses the block size of the underlying cipher (i.e. 128 bits for AES or 64 bits for triple-DES).
• The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not).
• For AES, the key size k is 128, 192, or 256 bits;
• for triple DES, the key size is 112 or 168 bits.
• The two constants K1 & K2 are derived from the original key K using encryption of 0 and multiplication in GF(2^n)
  • L = E(K, 0^n),
  • K1 = L·x and K2 = L·x^2 = (L·x)·x
Summary
• have considered:
  • message authentication requirements
  • message authentication using encryption
  • MACs
  • HMAC authentication using a hash function
  • CMAC authentication using a block cipher
  • Pseudorandom Number Generation (PRNG) using Hash Functions and MACs