view Side-By-Side changes
Date: Tue, 09 Apr 2002 04:15:51 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Sat, 30 Mar 1996 23:00:00 GMT ETag: "2f542f-4ac6-315dbcf0" Accept-Ranges: bytes Content-Length: 19142 Connection: close Content-Type: text/plain Network Working Group H. KrawczykInternet DraftRequest for Comments: 2104 IBM Category: Informational M. Bellare UCSD R. CanettiExpires September, 1996 March, 1996 HMAC-MD5: Keyed-MD5IBM February 1997 HMAC: Keyed-Hashing for Message Authentication<draft-ietf-ipsec-hmac-md5-00.txt>Status ofthisThis MemoDistribution of this memo is unlimited.Thisdocument is an Internet-Draft. Internet Drafts are working documents ofmemo provides information for the InternetEngineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months, and may be updated, replaced, or obsoleted by other documents at any time. It iscommunity. This memo does notappropriate to usespecify an InternetDrafts as reference material, or to cite them other than as a ``working draft'' or ``work in progress.'' To learn the current statusstandard of anyInternet-Draft, please check the ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow Directories on: ftp.is.co.za (Africa) nic.nordu.net (Europe) ds.internic.net (US East Coast) ftp.isi.edu (US West Coast) munnari.oz.au (Pacific Rim)kind. Distribution of this memo is unlimited. Abstract This document describes HMAC, akeyed-MD5mechanism(called HMAC-MD5)foruse as amessage authenticationcode (or, integrityusing cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. 1. Introduction Providing a way to checkvalue). It is mainly intended forthe integrityverificationof information transmitted over or stored in an unreliable medium is a prime necessity in the world of opennetworks (e.g., Internet)computing and communications. Mechanisms that provide such integrity check based on a secret key are usually called "message authentication codes" (MAC). Typically, message authentication codes are used between two parties that share acommon secret key. The proposed mechanism combines the (key-less) MD5 hash function [RFC-1321] with a sharedsecretkey. The description of HMAC-MD5key in order to validate information transmitted between these parties. In this document we present such a MAC mechanism based on cryptographic hash functions. This mechanism, called HMAC, isindependentbased on work by the authors [BCK1] where the construction is presented and cryptographically analyzed. We refer to that work for the details on the rationale and security analysis of HMAC, and itsuse in any particular protocol. An analogous mechanismcomparison to other keyed-hash methods. Krawczyk, et. al. Informational [Page 1] RFC 2104 HMAC February 1997 HMAC can be used in combination withother iterative hash functions, e.g., SHA. Krawczyk, Bellare & Canetti Expires September 1996 [Page i] INTERNET-DRAFT HMAC-MD5 March 1996 1. Introduction Rivest introduced MD5 [RFC-1321] as aany iterated cryptographic hash function.It was originally designedMD5 andintended as a collision-resistant function as required for the hashingSHA-1 are examples ofinformation prior to application of a signature function (e.g., RSA). However, due to its relatively good performance in software implementation and its free availability the same function was adapted to provide functionalities different than the one for which MD5 was originally designed. In particular, MD5 (as well as other cryptographicsuch hashfunctions) was proposed to provide message authentication by combining it withfunctions. HMAC also uses a secret key(see [Tsu]). Only recently a close analysisfor calculation and verification of thesecurity of these keyed MD5 modes has been initiated [BCK1,BCK2,KR,PV1,PV2].message authentication values. The main goals behind this construction are * To use, without modifications, available hash functions. In particular,Bellare, Canetti, and Krawczyk [BCK2] described a keyed-hash mechanism called HMAC which we adopt here for use with MD5. (An analogous mechanism can be used in combination with other iterativehashfunctions, e.g., SHA [SHA].) The description of this transform in this document is independent of its usefunctions that perform well inany particular protocol. It is intended to serve as a common mechanismsoftware, and forthe many protocols (especially, IETF protocols) that require integrity verification based on a shared secret key (e.g., IP Authentication Header [RFC-1826]). The proposed mechanism follows the same principles that guided some of the previous keyed-MD5 proposals, that is: * itwhich code isbased on MD5freely and widely available. *no change toTo preserve theMD5 code required * no degradationoriginal performance ofMD5 speedthe hash function without incurring a significant degradation. * To use and handle keys in a simplekey requirementsway. *replaceability of MD5 by otherTo have a well understood cryptographichash functions However, it improves on previous proposals relative to its security analysis. The present isanalysis of thefirst construction (andstrength of theonly one we are aware of) that can be fully analyzedauthentication mechanism based onrelatively weakreasonable assumptions on the underlying hash function. * To allow for easy replaceability of the underlying hash function(MD5). It only requires MD5 to be collision-resistantin case that faster or more secure hash functions are found or required. This document specifies HMAC using aweak sense, and its compressiongeneric cryptographic hash function (denoted by H). Specific instantiations of HMAC need tobe weakly unpredictable. These requirements are weaker than the ones neededdefine a particular hash function. Current candidates forother common applications of MD5, e.g., assuch hash functionsfor digital signatures and as "randomizers" (for pseudorandom generation, key derivation, etc.). In particular, we only require that collisions are hard to find when the "initial vector"include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD]. These different realizations of HMAC will be denoted by HMAC-SHA1, HMAC-MD5, HMAC-RIPEMD, etc. Note: To thefunction is random and secret,date of writing of this document MD5 andthatSHA-1 are theoutputmost widely used cryptographic hash functions. MD5 has been recently shown to be vulnerable to collision search attacks [Dobb]. This attack and other currently known weaknesses of MD5 do not compromise thecompression function is unpredictable when applieduse of MD5 within HMAC as specified in this document (see [Dobb]); however, SHA-1 appears topartially unknown strings. The analytical results that backbe a cryptographically stronger function. To thisparticular construction are provideddate, MD5 can be considered for use in[BCK2]. Note: The mechanism presented next differs fromHMAC for applications where the superior performance of MD5 is critical. In any case, implementers and users need to be aware of possible cryptanalytic developments regarding any of these cryptographic hash functions, and theone presented in draft-krawczyk-keyed-md5-txt.01 ineventual need to replace theway padding is defined (seeunderlying hash function. (See section2).6 for more information on the security of HMAC.) Krawczyk,Bellare & Canetti Expires September 1996et. al. Informational [Page1] INTERNET-DRAFT HMAC-MD5 March 19962] RFC 2104 HMAC February 1997 2.CalculationDefinition of HMAC The definitionand reference implementationofMD5 appears in [RFC-1321]. Let `text' denote the data toHMAC requires a cryptographic hash function, whichHMAC-MD5 is to be appliedwe denote by H, andK be the message authenticationa secret keysharedK. We assume H to be a cryptographic hash function where data is hashed by iterating a basic compression function on blocks of data. We denote by B theparties.byte-length of such blocks (B=64 for all the above mentioned examples of hash functions), and by L the byte-length of hash outputs (L=16 for MD5, L=20 for SHA-1). The authentication key K can be of any length up to B, the block length of the hashfunction, namely, 64 bytes for MD5 (however, 16 bytes is the minimal recommended length for keys -- see section 3).function. Applications that use keys longer than64 byte keysB bytes will first hash the key usingMD5H and then use the resultant16L byte string as the actual key toHMAC-MD5.HMAC. In any case the minimal recommended length for K is L bytes (as the hash output length). See section 3 for more information on keys. We define two fixed and different strings ipad and opad as follows (the 'i' and 'o' are mnemonics for inner and outer): ipad = the byte 0x36 repeated64B times opad = the byte 0x5C repeated64B times. To computeHMAC-MD5HMAC over the data `text' we performMD5(KH(K XOR opad,MD5(KH(K XOR ipad, text)) Namely, (1) append zeros to the end of K to create a64B byte string (e.g., if K is of length1620 bytesitand B=64, then K will be appended with4844 zero bytes 0x00) (2) XOR (bitwise exclusive-OR) the64B byte string computed in step (1) with ipad (3) append thedatastream of data 'text' to the64B byte string resulting from step (2) (4) applyMD5H to the stream generated in step (3) (5) XOR (bitwise exclusive-OR) the64B byte string computed in step (1) with opad (6) append theMD5H result from step (4) to the64B byte string resulting from step (5) (7) applyMD5H to the stream generated in step (6) and output the result For illustration purposes, sample code based on MD5 is provided as an appendix. Krawczyk, et. al. Informational [Page 3] RFC 2104 HMAC February 1997 3. Keys The key forHMAC-MD5HMAC can be of any length (keys longer than64B bytes are first hashed usingMD5).H). However, less than16L bytes is strongly discouraged as it would decrease the security strength of the function. Keys longer than16L bytes are acceptable but the extra length would not significantly increase the function strength. (A longer key may be advisable if the randomness of the key is considered weak.)Note: when using other cryptographic hash functions the length of the key should be chosen at least as the length of the hash output (e.g., 160 bits in the case of SHA). Krawczyk, Bellare & Canetti Expires September 1996 [Page 2] INTERNET-DRAFT HMAC-MD5 March 1996Keys need to be chosen atrandom, orrandom (or using a cryptographically strong pseudo-random generator seeded with a randomseed. We recommend that the key be changed periodicallyseed), andas frequently as possible.periodically refreshed. (Current attacks do not indicate a specific recommended frequency for key changes as these attacks are practically infeasible. However, periodic key refreshment is a fundamental security practice that helps against potential weaknesses of the function and keys, andlimits the damage of an exposed key.) 4. Implementation Note Implementation of HMAC-MD5 requires the implementation of MD5 (see [RFC-1321]) andlimits thecalculation describeddamage of an exposed key.) 4. Implementation Note HMAC is defined inSection 2. Noticesuch a way thatthis calculation does not require any change inthedefinition or code of MD5.underlying hash function H can be used with no modification to its code. In particular, it uses the function H with the pre-defined initial value IV (a fixed value specified by each iterative hash function to initialize its compression function). However, if desired, a performance improvement can be achievedby a simple adaptationat the cost of (possibly) modifying theMD5codeas presented next. (Choosing or not to implement HMAC-MD5 in this way is a decisionofthe local implementation and has no effect on inter-operability.)H to support variable IVs. The idea is that the intermediate results ofMD5the compression function on the64-byteB-byte blocks (K XOR ipad) and (K XOR opad) can be precomputed only once at the time of generation of the key K, or before its first use. These intermediate results(called "contexts", and stored under MD5's structure MD5_CTX [RFC-1321])are stored and then used to initialize theMD5 functionIV of H each time that a message needs to be authenticated.(This involves settingThis method saves, for each authenticated message, the application of the compression function of H on two B-byte blocks (i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be significant when authenticating short streams of data. We stress that the stored intermediate values need to be treated and protected the same as secret keys. Choosing to implement HMAC in the above way is a decision of the local implementation and has no effect on inter-operability. Krawczyk, et. al. Informational [Page 4] RFC 2104 HMAC February 1997 5. Truncated output A well-known practice with message authentication codes is to truncate the output of the MAC and output only part of the bits (e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some analytical advantages of truncating the output of hash-based MAC functions. The results in this area are not absolute as for the overall security advantages of truncation. It has advantages (less information on the hash result available to an attacker) and disadvantages (less bits to predict for the attacker). Applications of HMAC can choose to truncate the output of HMAC by outputting the t leftmost bits of the HMAC computation for some parameter t (namely, the computation is carried in theMD5_CTX variable tonormal way as defined in section 2 above but thestored value and applying MD5Updateend result is truncated to t bits). We recommend that thedata.) This method saves, for each authenticated message,output length t be not less than half theapplicationlength of theMD5's compression function (MD5Update)hash output (to match the birthday attack bound) and not less than 80 bits (a suitable lower bound ontwo 64-byte blocks; a savings which may be significant when authenticating short streamsthe number ofdata. We stressbits thatthe stored contextsneed to betreatedpredicted by an attacker). We propose denoting a realization of HMAC that uses a hash function H with t bits of output as HMAC-H-t. For example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function andprotectedwith thesame as secret keys. 5.output truncated to 80 bits. (If the parameter t is not specified, e.g. HMAC-MD5, then it is assumed that all the bits of the hash are output.) 6. Security The security of the message authentication mechanism presented here depends on cryptographic properties ofMD5:the hash function H: the resistance to collision finding (limited to the case where the initial value is secret and random, and where the output of the function is not explicitly available to the attacker), and the message authentication property of the compression function ofMD5H when applied to single blocks(these(in HMAC these blocks are partially unknown to an attacker as they contain the result of theinternal MD5inner H computation and, in particular, cannot be fully chosen by the attacker).Krawczyk, Bellare & Canetti Expires September 1996 [Page 3] INTERNET-DRAFT HMAC-MD5 March 1996These properties, and actually stronger ones, are commonly assumed forMD5. While significant weaknesseshash functions ofMD5 regarding these properties could be discovered inthefuture, such weaknesseskind used with HMAC. In particular, a hash function for which the above properties do not hold wouldrend MD5 uselessbecome unsuitable for most (probably, all) cryptographic applications, including alternative message authentication schemes based onthis function. Twosuch functions. (For a complete analysis and rationale of the HMAC function the reader is referred to [BCK1].) Krawczyk, et. al. Informational [Page 5] RFC 2104 HMAC February 1997 Given the limited confidence gained so far as for the cryptographic strength of candidate hash functions, it is important to observe the following two properties of theapplication of MD5 here are:HMAC construction and its secure use for message authentication: 1.ThisThe construction is independent of theparticulardetails ofMD5the particular hash function H in use and then the latter can be replaced by any other secure (iterative) cryptographic hash function. 2. Message authentication, as opposed to encryption, has a "transient" effect. A published breaking of a message authentication scheme would lead to the replacement of that scheme, but would have no adversarial effect on information authenticated in the past. This is in sharp contrast with encryption, where information encrypted today may suffer from exposure in the future if, and when, the encryption algorithm is broken. The strongest attack known againstthe proposed schemeHMAC is based on the frequency of collisions forMD5the hash function H ("birthday attack")[BCK1,PV][PV,BCK2], and is totally impractical forwhichminimally reasonable hash functions. As an example, if we consider a hash function like MD5 where the output length equals L=16 bytes (128 bits) the attacker needs to acquire the correct message authentication tags computedon about 2**64 known plaintexts (and with(with the _same_ secret keyK!).K!) on about 2**64 known plaintexts. This would require the processing of2^70 bytesat least 2**64 blocks underMD5,H, an impossible task in any realistic scenario(this(for a block length of 64 bytes this would take 250,000 years in a continuous1Gbit1Gbps link, and without changing the secret key K during all this time). This attack could become realistic only if serious flaws in the collision behavior ofMD5the function H are discovered (e.g. collisions found after 2**30 messages). Such a discovery would determine the immediate replacement ofMD5the function H (the effects of such failure would be far more severe for the traditional uses ofMD5H in the context of digital signatures, public key certificates, etc.). Note: this attack needs to be strongly contrasted with regular collision attacks onMD5cryptographic hash functions where no secret key is involved and where2^642**64 off-line parallelizable (!) operations suffice to find collisions. The latter attack is approaching feasibility [VW] while the birthday attack onHMAC-MD5HMAC is totally impractical. (Inall ofthe abovediscussion 64 should be replaced by 80examples, if one uses a160 bithash functionas SHA.)with, say, 160 bit of output then 2**64 should be replaced by 2**80.) Krawczyk, et. al. Informational [Page 6] RFC 2104 HMAC February 1997 A correct implementation of the above construction, the choice of random (or cryptographically pseudorandom) keys, a secure key exchange mechanism, frequent key refreshments, and good secrecy protection of keys are all essential ingredients for the security of the integrity verification mechanism provided byHMAC-MD5.HMAC. Krawczyk,Bellare & Canetti Expires September 1996et. al. Informational [Page4] INTERNET-DRAFT HMAC-MD5 March 19967] RFC 2104 HMAC February 1997 Appendix -- Sample CodeTheFor the sake of illustration we provide the following sample code for the implementation of HMAC-MD5andas well as some corresponding test vectorsare provided for the sake of illustration only.(the code is based on MD5 code as described in [MD5]). /* ** Function: hmac_md5 */ void hmac_md5(text, text_len, key, key_len, digest) unsigned char* text; /* pointer to data stream */ int text_len; /* length of data stream */ unsigned char* key; /* pointer to authentication key */ int key_len; /* length of authentication key */ caddr_t digest; /* caller digest to be filled in */ { MD5_CTX context; unsigned char k_ipad[65]; /* inner padding - * key XORd with ipad */ unsigned char k_opad[65]; /* outer padding - * key XORd with opad */ unsigned char tk[16]; int i; /*sanity check parameters */ if ((text == NULL) || (key == NULL) || (digest == NULL)) /* most heinous, probably should log something */ return; /*if key is longer than 64 bytes reset it to key=MD5(key) */ if (key_len > 64) { MD5_CTX tctx; MD5Init(&tctx); MD5Update(&tctx, key, key_len); MD5Final(tk, &tctx); key = tk; key_len = 16; } /* * the HMAC_MD5 transform looks like: * * MD5(K XOR opad, MD5(K XOR ipad, text)) * * where K is an n byte key * ipad is the byte 0x36 repeated 64 times Krawczyk, et. al. Informational [Page 8] RFC 2104 HMAC February 1997 * opad is the byte 0x5c repeated 64 times * and text is the data being protected */Krawczyk, Bellare & Canetti Expires September 1996 [Page 5] INTERNET-DRAFT HMAC-MD5 March 1996/* start out by storing key in pads */ bzero( k_ipad, sizeof k_ipad); bzero( k_opad, sizeof k_opad); bcopy( key, k_ipad, key_len); bcopy( key, k_opad, key_len); /* XOR key with ipad and opad values */ for (i=0; i<64; i++) { k_ipad[i] ^= 0x36; k_opad[i] ^= 0x5c; } /* * perform inner MD5 */ MD5Init(&context); /* init context for 1st * pass */ MD5Update(&context, k_ipad, 64) /* start with inner pad */ MD5Update(&context, text, text_len); /* then text of datagram */ MD5Final(digest, &context); /* finish up 1st pass */ /* * perform outer MD5 */ MD5Init(&context); /* init context for 2nd * pass */ MD5Update(&context, k_opad, 64); /* start with outer pad */ MD5Update(&context, digest, 16); /* then results of 1st * hash */ MD5Final(digest, &context); /* finish up 2nd pass */ } TestVectors:Vectors (Trailing '\0' of a character string not included in test): key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b key_len = 16 bytes data = "Hi There" data_len = 8 bytes digest = 0x9294727a3638bb1c13f48ef8158bfc9d key = "Jefe" data = "what do ya want for nothing?" data_len = 28 bytes digest = 0x750c783e6ab0b503eaa86e310a5db738 key = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Krawczyk, et. al. Informational [Page 9] RFC 2104 HMAC February 1997 key_len 16 bytes data = 0xDDDDDDDDDDDDDDDDDDDD... ..DDDDDDDDDDDDDDDDDDDD... ..DDDDDDDDDDDDDDDDDDDD... ..DDDDDDDDDDDDDDDDDDDD... ..DDDDDDDDDDDDDDDDDDDD data_len = 50 bytes digest = 0x56be34521d144c88dbb8c733f0e8b3f6Krawczyk, Bellare & Canetti Expires September 1996 [Page 6] INTERNET-DRAFT HMAC-MD5 March 1996AcknowledgmentsAdi Shamir has suggested the use of the XOR-based padding technique as adopted in this draft instead of the previous concatenation pads.Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided useful comments onthe draft,early drafts, and ran the first interoperability tests of this specification. Jeff and Pau-Chen kindly provided the sample code and test vectors that appear in the appendix. Burt Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van Oorschot have provided useful comments and suggestions during the investigation of the HMAC construction. References[RFC-1826] R.[ANSI] ANSI X9.9, "American National Standard for Financial Institution Message Authentication (Wholesale)," American Bankers Association, 1981. Revised 1986. [Atk] Atkinson, R., "IP Authentication Header",RFC-1826,RFC 1826, August 1995. [BCK1] M. Bellare, R. Canetti, and H. Krawczyk,"Cascaded Pseudorandomness"Keyed Hash Functions andIts Concrete Security", manuscript.Message Authentication", Proceedings of Crypto'96, LNCS 1109, pp. 1-15. (http://www.research.ibm.com/security/keyed-md5.html) [BCK2] M. Bellare, R. Canetti, and H. Krawczyk,"Keyed Hash"Pseudorandom Functionsand Message Authentication", presented at the 1996 RSA Data Security Conference, San Francisco, Jan. 1996. (http://www.research.ibm.com/security/keyed-md5.html) [KR] B. Kaliski and M. Robshaw, "Message Authentication with MD5",Revisited: The Cascade Construction", Proceedings of FOCS'96. [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA Labs' CryptoBytes, Vol.12 No.1, Spring 1995. (http://www.rsa.com/rsalabs/cryptobytes/) [PV1]2, Summer 1996. http://www.rsa.com/rsalabs/pubs/cryptobytes.html [PV] B.PrennelPreneel and P. van Oorschot, "Building fast MACs from hash functions", Advances in Cryptology -- CRYPTO'95 Proceedings, Lecture Notes in Computer Science, Springer-Verlag Vol.963, 1995, pp. 1-14.[PV2] B. Prennel and P. van Oorschot, "On the security of two MAC algorithms", to appear Eurocrypt'96. [RFC-1321] Ronald[MD5] Rivest, R., "The MD5 Message-Digest Algorithm",RFC-1321, DDN Network Information Center,RFC 1321, April 1992. Krawczyk, et. al. Informational [Page 10] RFC 2104 HMAC February 1997 [MM] Meyer, S. and Matyas, S.M., Cryptography, New York Wiley, 1982. [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A strengthened version of RIPEMD", Fast Software Encryption, LNCS Vol 1039, pp. 71-82. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/. [SHA] NIST, FIPS PUB180:180-1: Secure Hash Standard,May 1993.April 1995. [Tsu] G. Tsudik, "Message authentication with one-way hash functions", In Proceedings ofInfocom~92,Infocom'92, May 1992. (Also in "Access Control and Policy Enforcement in Internetworks", Ph.D. Dissertation, Computer Science Department, University of Southern California, April 1991.) [VW] P. van Oorschot and M. Wiener, "Parallel Collision Search with Applications to Hash Functions and Discrete Logarithms", Proceedings of the 2nd ACM Conf. Computer and Communications Security, Fairfax, VA, November 1994.Krawczyk, Bellare & Canetti Expires September 1996 [Page 7] INTERNET-DRAFT HMAC-MD5 March 1996 Authors AddressAuthors' Addresses Hugo Krawczyk IBM T.J. Watson Research Center P.O.Box 704 Yorktown Heights, NY 10598 EMail: hugo@watson.ibm.com Mihir Bellare Dept of Computer Science and Engineering Mail Code 0114 University of California at San Diego 9500 Gilman Drive La Jolla, CA 92093 EMail: mihir@cs.ucsd.edu Ran CanettiLaboratory for Computer Science MIT 545 Technology Square Cambridge, Ma 02139 canetti@theory.lcs.mit.edu Krawczyk Expires September 1996IBM T.J. Watson Research Center P.O.Box 704 Yorktown Heights, NY 10598 EMail: canetti@watson.ibm.com Krawczyk, et. al. Informational [Page8]11] ----