Keying Hash Functions for Message Authentication
The use of cryptographic hash functions like MD5 or SHA-1 for message authentication has become a standard approach in many applications, particularly Internet security protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis.
We present new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. The performance of our schemes is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.
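The black-box use of the hash function and its replaceability can be seen in a short sketch. This is an added example, not code from the paper: it assumes the HMAC definition as later standardized in RFC 2104 (the abstract itself does not state the formula), and the names `hmac_blackbox` and `verify_tag` are hypothetical.

```python
import hashlib
import hmac as std_hmac  # stdlib HMAC, used for cross-checking and constant-time compare


def hmac_blackbox(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as in RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg)).

    The hash is touched only through hashlib's public interface, so any
    iterated hash with a block_size can be swapped in by name.
    """
    block_size = hashlib.new(hash_name).block_size
    # A key longer than one block is hashed first; then it is zero-padded
    # to exactly one block so both pads cover a full compression input.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad_key + msg).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time to avoid a timing oracle."""
    return std_hmac.compare_digest(hmac_blackbox(key, msg, hash_name), tag)


def matches_stdlib(hash_name: str) -> bool:
    """Cross-check against Python's own hmac module for several key lengths."""
    block = hashlib.new(hash_name).block_size
    msg = b"constructed sample message"
    for key_len in (1, 16, block, block + 1, 3 * block):
        key = bytes(range(256))[:key_len] if key_len <= 256 else bytes(key_len)
        if hmac_blackbox(key, msg, hash_name) != std_hmac.new(key, msg, hash_name).digest():
            return False
    return True


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        print(name, "agrees with stdlib hmac:", matches_stdlib(name))
    k, m = b"constructed-key", b"transfer 100 to alice"
    t = hmac_blackbox(k, m)
    print("valid tag accepted:", verify_tag(k, m, t))
    print("tampered message rejected:", not verify_tag(k, m.replace(b"100", b"900"), t))
```
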