Hmac PDF
SUBCATEGORY: CRYPTOGRAPHY
Foreword
The Federal Information Processing Standards Publication Series of the National Institute
of Standards and Technology (NIST) is the official series of publications relating to
standards and guidelines adopted and promulgated under the provisions of Section 5131
of the Information Technology Management Reform Act of 1996 (Public Law 104-106)
and the Computer Security Act of 1987 (Public Law 100-235). These mandates have
given the Secretary of Commerce and NIST important responsibilities for improving the
utilization and management of computer and related telecommunications systems in the
Federal government. The NIST, through its Information Technology Laboratory,
provides leadership, technical guidance, and coordination of government efforts in the
development of standards and guidelines in these areas.
Comments concerning Federal Information Processing Standards Publications are
welcomed and should be addressed to the Director, Information Technology Laboratory,
National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900,
Gaithersburg, MD 20899-8900.
William Mehuron, Director
Information Technology Laboratory
Abstract
This standard describes a keyed-hash message authentication code (HMAC), a
mechanism for message authentication using cryptographic hash functions. HMAC can
be used with any iterative Approved cryptographic hash function, in combination with a
shared secret key. The cryptographic strength of HMAC depends on the properties of the
underlying hash function. The HMAC specification in this standard is a generalization of
Internet RFC 2104, HMAC, Keyed-Hashing for Message Authentication, and ANSI
X9.71, Keyed Hash Message Authentication Code.
Keywords: computer security, cryptography, HMAC, MAC, message authentication,
Federal Information Processing Standard (FIPS).
A copy of the waiver, any supporting documents, the document approving the waiver and
any supporting and accompanying documents, with such deletions as the agency is
authorized and decides to make under Section 552(b) of Title 5, U.S. Code, shall be part
of the procurement documentation and retained by the agency.
14. Where to obtain copies.
This publication is available by accessing
http://csrc.nist.gov/publications/. A list of other available computer security publications,
including ordering information, can be obtained from NIST Publications List 91, which is
available at the same web site. Alternatively, copies of NIST computer security
publications are available from: National Technical Information Service (NTIS), 5285
Port Royal Road, Springfield, VA 22161.
2002 March 6
Specifications for
1. INTRODUCTION
2.2 Acronyms
4. TRUNCATED OUTPUT
APPENDIX C: REFERENCES
1. INTRODUCTION
2.1 Glossary of Terms
2.2 Acronyms
The following acronyms and abbreviations are used throughout this standard:
FIPS
FIPS PUB
FIPS Publication
HMAC
MAC
NIST
2.3
Block size (in bytes) of the input to the Approved hash function.
ipad
Secret key shared between the originator and the intended receiver(s).
K0
Block size (in bytes) of the output of the Approved hash function.
text
The data on which the HMAC is calculated; text does not include the padded key.
The length of text is n bits, where 0 ≤ n < 2^B - 8B.
xN
bits.
||
Concatenation
Exclusive-Or operation.
3. CRYPTOGRAPHIC KEYS
The size of the key, K, shall be equal to or greater than L/2, where L is the size of the
hash function output. Note that keys greater than L bytes do not significantly increase the
function strength. Applications that use keys longer than B-bytes shall first hash the key
using H and then use the resultant L-byte string as the HMAC key, K. Keys shall be
chosen at random using an Approved key generation method and shall be changed
periodically. Note that the keys should be protected in a manner that is consistent with the
value of the data that is to be protected (i.e., the text that is authenticated using the
HMAC function).
4. TRUNCATED OUTPUT
A well-known practice with MACs is to truncate their output (i.e., the length of the MAC
used is less than the length of the output of the MAC function L). Applications of this
standard may truncate the output of HMAC. When a truncated HMAC is used, the t
leftmost bytes of the HMAC computation shall be used as the MAC. The output length, t,
shall be no less than four bytes (i.e., 4 ≤ t ≤ L). However, t shall be at least
L/2 bytes (i.e., L/2
example, a low bandwidth channel might prevent numerous trials on a 4 byte MAC, or a
protocol might allow only a small number of invalid MAC attempts. See Appendix B.
5. HMAC SPECIFICATION
To compute a MAC over the data text using the HMAC function, the following
operation is performed:
MAC(text)_t = HMAC(K, text)_t = H((K0 ⊕ opad) || H((K0 ⊕ ipad) || text))_t
Table 1 illustrates the step by step process in the HMAC algorithm, which is depicted in
Figure 1.
STEPS
Step 1
Step 2
If the length of K > B: hash K to obtain an L byte string, then append (B-L)
zeros to create a B-byte string K0 (i.e., K0 = H(K) || 00...00). Go to step 4.
Step 3
If the length of K < B: append zeros to the end of K to create a B-byte string K0
(e.g., if K is 20 bytes in length and B = 64, then K will be appended with 44
zero bytes 0x00).
Step 4
Step 5
Append the stream of data 'text' to the string resulting from step 4:
(K0 ⊕ ipad) || text.
Step 6
Step 7
Step 8
Step 9
Step 10
IMPLEMENTATION NOTE
The HMAC algorithm is specified for an arbitrary Approved cryptographic hash function,
H. With minor modifications, an HMAC implementation can easily replace one hash
function, H, with another hash function, H′.
Conceptually, the intermediate results of the compression function on the B-byte blocks
(K0 ⊕ ipad) and (K0 ⊕ opad) can be precomputed once, at the time of generation of the
key K, or before its first use. These intermediate results can be stored and then used to
initialize H each time that a message needs to be authenticated using the same key. For
each authenticated message using the key K, this method saves the application of the hash
function of H on two B-byte blocks (i.e., on (K ⊕ ipad) and (K ⊕ opad)). This saving
may be significant when authenticating short streams of data. These stored
intermediate values shall be treated and protected in the same manner as secret
keys.
Choosing to implement HMAC in this manner has no effect on interoperability.
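The construction of Section 5, the truncation rule of Section 4 and the precomputation described in the implementation note, combined in one added Python example that is not part of the standard. The names `derive_k0` and `PrecomputedHmac`, the SHA-1 default and the strict enforcement of the max(4, L/2) floor are assumptions of this example; the pad bytes 0x36 and 0x5c are the ipad and opad values of RFC 2104.

```python
import hashlib
import hmac as std_hmac  # only for constant-time comparison

IPAD, OPAD = 0x36, 0x5C  # pad bytes as defined in RFC 2104


def derive_k0(key, hash_name="sha1"):
    """Steps 1-3: turn K into the B-byte string K0."""
    block = hashlib.new(hash_name).block_size       # B
    if len(key) > block:                            # K longer than B: hash it
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(block, b"\x00")                # zero-pad to B bytes


class PrecomputedHmac:
    """Hypothetical helper: hashes (K0 xor ipad) and (K0 xor opad) once per key.

    The two saved hash states are key-equivalent and must be protected like K.
    """

    def __init__(self, key, hash_name="sha1"):
        k0 = derive_k0(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k0))
        self._outer = hashlib.new(hash_name, bytes(b ^ OPAD for b in k0))
        self.digest_size = self._inner.digest_size  # L

    def mac(self, text, t=None):
        """Return the t leftmost bytes of HMAC(K, text); t defaults to L."""
        t = self.digest_size if t is None else t
        # Assumption: enforce the general floor max(4, L/2) from Section 4.
        if not max(4, self.digest_size // 2) <= t <= self.digest_size:
            raise ValueError("t must satisfy max(4, L/2) <= t <= L")
        inner = self._inner.copy()                  # resume after K0 xor ipad
        inner.update(text)
        outer = self._outer.copy()                  # resume after K0 xor opad
        outer.update(inner.digest())
        return outer.digest()[:t]

    def verify(self, text, tag):
        """Check a full or truncated tag in constant time."""
        try:
            expected = self.mac(text, len(tag))
        except ValueError:
            return False
        return std_hmac.compare_digest(expected, tag)
```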
Object identifiers (OIDs) for HMAC are posted at http://csrc.nist.gov/csor, along with
procedures for adding new OIDs.