Keying Hash Functions for Message Authentication

  • Mihir Bellare
  • Ran Canetti
  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1109)

Abstract

The use of cryptographic hash functions like MD5 or SHA-1 for message authentication has become a standard approach in many applications, particularly Internet security protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis.

We present new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. The performance of our schemes is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.
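The black-box property described in the abstract can be seen in a short sketch. This is an added example, not code from the paper or its authors: the function names are hypothetical, and the padding constants and key-handling rules are taken from the published HMAC specification (RFC 2104), not from this page.

```python
import hashlib
import hmac as std_hmac  # standard library HMAC, used only to cross-check


def hmac_blackbox(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built only from calls to an unmodified hash function.

    Computes H((K xor opad) || H((K xor ipad) || msg)). The hash is
    selected by name, so swapping it needs no change to this code.
    """
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256
    # Keys longer than one block are hashed first, then zero-padded.
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")

    ipad = bytes(b ^ 0x36 for b in key)  # inner padding constant
    opad = bytes(b ^ 0x5C for b in key)  # outer padding constant
    return h(opad + h(ipad + msg))


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return std_hmac.compare_digest(hmac_blackbox(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the sketch against Python's own hmac module."""
    expected = std_hmac.new(key, msg, hash_name).digest()
    return hmac_blackbox(key, msg, hash_name) == expected


if __name__ == "__main__":
    # Constructed sample inputs, including a key longer than one block.
    for name in ("md5", "sha1", "sha256", "sha512"):
        for key in (b"k" * 16, b"k" * 200):
            print(name, len(key), matches_stdlib(key, b"sample message", name))
```

In production code, call the platform's HMAC implementation directly (here, Python's `hmac` module); the sketch exists to show that the hash function itself is never modified.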

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Mihir Bellare (1)
  • Ran Canetti (2)
  • Hugo Krawczyk (3)

  1. Department of Computer Science and Engineering, Mail Code 0114, University of California at San Diego, La Jolla, USA
  2. MIT Laboratory for Computer Science, Cambridge, USA
  3. IBM T.J. Watson Research Center, Yorktown Heights, USA