HMAC

HMAC (keyed-hash MAC, also expanded as hash-based MAC) is a Message Authentication Code (MAC).

Summary of ANSSI rules and recommendations

| Rule/recommendation | SHA-1 | SHA-2 | SHA-3 |
|---|---|---|---|
| Recommended/obsolete | Obsolescent with \(K > 100\) bits (see Note 4.3.c); obsolete otherwise. | Recommended with \(K > 128\) bits; obsolescent with \(128 > K \ge 100\) bits. | Recommended with \(K > 128\) bits; obsolescent with \(128 > K \ge 100\) bits. |
| RègleIntegSym | Not compliant: (1) usage of SHA-1 is tolerated (see Note 4.3.c). | Compliant | Compliant |

Overview

MACs are computed from a message \(m\) and a secret key \(K\), and are used to verify the integrity and authenticity of the message sent. MAC functions can also be used in a key derivation function such as PBKDF2.

As the name implies, HMAC is based on hash functions, specifically cryptographic hash functions. While the original paper [BCK96] specifies its usage with MD5 and SHA-1, nowadays it is recommended to use it with functions from the SHA-2 and SHA-3 families (see for example RFC 6151 and the SHA method guide).

HMAC is described in RFC 2104, RFC 6234, and was standardized by NIST in FIPS 198-1. It is constructed as follows:

\[ HMAC(K, m) = H\Bigl(\bigl(K' \oplus opad\bigr) || H\bigl((K' \oplus ipad) || m\bigr)\Bigr) \]

Where:

  • \(K\) is the secret key.

  • \(m\) is the message.

  • \(H\) is the cryptographic hash function.

  • \(K'\) is a key derived from \(K\). The size of \(K'\) must be the same size as the hash function’s block.

    • If the size of \(K\) is equal to the size of the block of the hash function, \(K' = K\).

    • If it is shorter, it is padded to the right with zeroes.

    • If it is longer, it is hashed with \(H\) and then padded to the right with zeroes.

  • \(ipad\) is the inner padding. It is the same size as the hash function’s block and consists of 0x36 bytes.

  • \(opad\) is the outer padding. It is the same size as the hash function’s block and consists of 0x5c bytes.

HMAC was designed to resist hash length extension attacks, to which simpler constructions based on SHA-1 and SHA-2, such as \(H(K || m)\), are vulnerable.
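As an added illustration (not part of the ANSSI guide), the construction above built directly from `hashlib`, including the three \(K'\) cases, and cross-checked against Python's `hmac` module; the 12-byte tag length in `verify_tag` is an assumption of the example that matches the 96-bit floor of R7 below.

```python
import hashlib
import hmac

IPAD_BYTE = 0x36  # inner padding byte, repeated to one hash block
OPAD_BYTE = 0x5C  # outer padding byte, repeated to one hash block


def derive_k_prime(key: bytes, hash_name: str) -> bytes:
    """Build K': hash keys longer than the block, then right-pad with zero bytes."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size  # 64 for SHA-256, 128 for SHA-512, 136 for SHA3-256
    if len(key) > block_size:
        key = h(key).digest()
    return key.ljust(block_size, b"\x00")  # no-op when len(key) == block_size


def hmac_from_scratch(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    h = getattr(hashlib, hash_name)
    k_prime = derive_k_prime(key, hash_name)
    inner_key = bytes(b ^ IPAD_BYTE for b in k_prime)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_prime)
    inner_hash = h(inner_key + msg).digest()
    return h(outer_key + inner_hash).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256",
               tag_len: int = 12) -> bool:
    """Verify a tag truncated to tag_len bytes (12 bytes = 96 bits, assumed here).

    compare_digest runs in constant time, so a wrong tag does not leak the
    position of the first mismatching byte through timing."""
    expected = hmac_from_scratch(key, msg, hash_name)[:tag_len]
    return len(tag) == tag_len and hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return hmac_from_scratch(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample values: RFC 4231 test case 1 key and message.
    key, msg = b"\x0b" * 20, b"Hi There"
    print(hmac_from_scratch(key, msg).hex())
    for name in ("sha256", "sha512", "sha3_256"):
        # 200-byte key exercises the "longer than block, hash first" path
        print(name, matches_stdlib(b"\xaa" * 200, msg, name))
```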

ANSSI rules and recommendations

RègleIntegSym

  1. The most common symmetric integrity mechanisms are based on block ciphers or hash functions. These primitives must be compliant.

  2. There should not exist an attack on the integrity mechanism requiring less than \(2^{n/2}\) calls to the underlying primitive, where \(n\) is the size of the output of the primitive.

RecommandationIntegSym

  1. Prefer mechanisms that have a security proof.

ANSSI notes and recommendations

For bandwidth reasons, MACs can be truncated. The size of the output must be sufficiently large to prevent an adversary from randomly generating a valid MAC.

R7: MAC truncation

In general, it is not recommended to truncate the output of a function that generates MACs to less than 96 bits.

In constrained devices, such as smart cards, it is possible to come across MACs truncated to 64 bits.

Note 4.3.a: Truncating MACs to 64 bits

It is tolerated to truncate a MAC down to 64 bits if the maximum number of verifications performed with a single key is \(2^{20}\).

Note 4.3.c: HMAC-SHA-1

The security of HMAC does not rely on the collision resistance of the underlying hash function. Although the use of SHA-1 is forbidden in general (which is why it is not listed in this guide as an obsolescent mechanism[1]), the use of HMAC-SHA-1 is tolerated.