cryptography mac hmac - ghdrako/doc_snipets GitHub Wiki

Hashes are great, so long as you take care to distribute the hash and the message over different channels. If I can intercept your message and change both the message and the accompanying hash, the hash is useless. That’s where we need a Message Authentication Code, or MAC.

A MAC is a hash encrypted with a symmetric encryption key known only to the sender and the recipient.

A Hashed Message Authentication Code, or HMAC, is a specific method of using a particular cryptographic hash to create a MAC. You’ll see HMAC names like HMAC-MD5 and HMAC-SHA256, built on those hash methods. An HMAC provides both integrity and authentication. Only someone with the symmetric key can encrypt or decrypt the hash.

Message authentication codes (MACs) are also known as authentication tags. MACs are used in popular secure network protocols, such as TLS, SSH, and IPsec, in order to establish both the integrity and authenticity of the transmitted data. They are also used in proprietary network protocols, for example, in financial software, for the same purpose. Another application of MACs is as the basis of some key derivation functions, such as PBKDF2.

A MAC is a short array of bits, for example, 256 bits, that authenticates a message. Message authentication means that the receiver of the message can verify that the message is coming from the stated sender and has not been changed during the transfer. In order to generate a MAC, the sender needs a message and a secret key. In order to verify the MAC, the receiver requires the message and the same secret key. A MAC is produced by a MAC function. The difference between a MAC and a message digest is that a message digest is not protected against forgery; however, a MAC does have such protection.

If both the message and its digest are transmitted over an unprotected network, an attacker can change the message and recalculate its digest so that the changed digest will match the changed message. On the other hand, if a message is transmitted with its MAC, an attacker cannot recalculate the MAC for the changed message in the same way. This is because they do not possess the secret key. Therefore, it is widely agreed that message digests only provide message integrity, but MACs provide both integrity and authenticity.

MACs are different from digital signatures. Digital signatures use asymmetric cryptography so that the signer and the verifier of the signature use different keys of the same keypair. Only the signer can produce the signature because only they possess the private key. Hence, digital signatures provide non-repudiation, meaning that the signer cannot deny that they possessed information that they signed. When using MACs, both the sender and the receiver use the same secret key. Therefore, both the sender and the receiver can generate a MAC for any information that they possess, and it is difficult for a third party to determine which of them has generated the MAC. Hence, MACs, unlike digital signatures, do not provide non-repudiation.

There are different types of MAC functions, and the one that is used most often in secure network protocols is HMAC.

Hash-based Message Authentication Code (HMAC) is a MAC that is generated by the HMAC function. The HMAC function uses a cryptographic hash function and a secret key.

HMAC(K, message) = H((K' XOR opad) ‖ H((K' XOR ipad) ‖ message))

Here, the following can be understood:

  • Message: This is the message to be authenticated.
  • H: This is the hash function, for example, SHA3-256.
  • K: This is the secret key.
  • K': This is a block-sized key derived from K depending on the hash function’s internal block size, B.
  • ipad: This is the inner padding, consisting of byte 0x36, which is repeated B times.
  • opad: This is the outer padding, consisting of byte 0x5C, which is repeated B times.
  • ‖: This refers to a concatenation.

Note that K' is derived from K, as follows:

  • If the length of K is less than or equal to B, then K' is K padded with 0x00 bytes up to the length of B.
  • If the length of K is greater than B, then K' is H(K) padded with 0x00 bytes up to the length of B.

Note that the hash function’s internal block size, B, is not the same as the produced hash length. As a rule, the hash length is less than B. For example, the hash length of the SHA-256 function is 256 bits, but its internal block size is 1088 bits.
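The construction above, written out in Python as an added example (not code from the original page): it derives K' for both key-length cases, applies the ipad/opad formula, and checks tags with a constant-time comparison. The function names, the key and the messages are constructed for illustration; B is taken from `hashlib`'s `block_size` attribute.

```python
import hashlib
import hmac


def derive_block_key(key: bytes, hash_name: str) -> bytes:
    """K': K, or H(K) when K is longer than B, padded with 0x00 up to B bytes."""
    block_size = hashlib.new(hash_name).block_size  # B, in bytes
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(block_size, b"\x00")


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """H((K' XOR opad) || H((K' XOR ipad) || message))."""
    k_prime = derive_block_key(key, hash_name)
    inner_key = bytes(b ^ 0x36 for b in k_prime)  # K' XOR ipad
    outer_key = bytes(b ^ 0x5C for b in k_prime)  # K' XOR opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare without leaking timing."""
    expected = hmac_from_formula(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def demo():
    # Constructed sample data, not taken from the page.
    key = b"constructed-shared-secret"
    original = b"pay 100 to alice"
    tampered = b"pay 900 to mallory"
    tag = hmac_from_formula(key, original)
    # A party without the key can only produce a tag under some other key.
    tag_without_key = hmac_from_formula(b"not-the-shared-secret", tampered)
    return (
        verify(key, original, tag),             # untouched message
        verify(key, tampered, tag),             # message changed, old tag reused
        verify(key, tampered, tag_without_key), # message and tag both replaced
    )


if __name__ == "__main__":
    print(demo())
```

In production code, use the standard library's `hmac.new(key, message, digestmod)` rather than a hand-written construction; the version above exists to make each term of the formula visible.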