Understanding HMAC hash message authentication code||MAC||MIC

• Overview

  python module : cryptography hmac

  Crypto 101

  The Cryptopals Crypto Challenges

  RFC 2104：HMAC: Keyed-Hashing for Message Authentication

  RFC6476 : Using Message Authentication Code (MAC) Encryption in the Cryptographic Message Syntax (CMS)

• MAC message authentication code

  理解integrity&authentication code on cryptography message

  In cryptography, a message authentication code (MAC, also known as digital authenticator), sometimes known as a tag, is a short piece of information used to authenticate a message - in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed.

  The MAC value protests a message’s data integrity, as well as its authenticity, by allowing verifiers to detect any changes to the message content.

  The MAC is sent or stored with the data.

• Definitions or Algorithms Used to Generate MACs

  MAC algorithm is a symmetric key cryptographic techinique to provide message authentication.

  For establishing MAC process, the sender and receiver

  Informally, a message authentication code system consists of three algorithms:

  • A key generation algorithm(G) selects a key from the key space uniformly at random
  • A signing algorithm(S) efficiently returns a tag given the key and the message
  • A verifying algorithm(V) efficiently verifies the authenticity of the message given the key and the tag.

• Limitations of MAC

  There are two major limitations of MAC, both due to its symmetric nature of operation：

  1. Establishment of Shared Secret

     It can provide message authentication among pre-decided legitimate users who have shared key.

     This requires estabilishment of shared secret prioer to use of MAC.

  2. Inability to Provide Non-Repudiation

     Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions.

     MAC technique does not provide a non-repudiation service.

• Non-repudiation

  Non-repudiation refers to a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.

• MIC

  Message Intergrity Code (MIC) is frquently substituted for the term MAC, especially in communications, to distringuish it from the use of MAC meaning MAC address.

  MAC address (media access control address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment.

  Network Interface Controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface) is a computer hardware component that connects a computer to a computer network.

• Approved Algorithms

  Currently, there are three approved general purpose algorithms: HMAC, KMAC, CMAC

• HMAC(Hash-based Message Authentication Code)

  FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC) (July 2008), specifies a mechanism for message authentication using an approved hash function. The approved hash functions are specified in FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Specific guidelines in connection with HMAC’s security properties are provided in NIST SP 107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms.

  Hash-based message authentication codes (or HMACs) are a tool for calculating message authentication codes using a cryptographic hash function coupled with a secret key.

  From Nordic Semiconductor, Hash-based message authentication code (HMAC) is a mechanism for message authentication using a cryptographic hash function and a secret key. The algorithm takes a key and data of any length as input, and produces HMAC code with length defined by the underlying hash function.

  The HMAC standard is described in RFC 2104.

  This class of MAC tags is produced via algorithms that have an underlying hash function. Any well-known hash function may be used for example SHA, MD, Whirlpool, etc.

  《理解SHA vs MD vs Whirlpool vs SHA-256》

• KMAC(Keccak Message Authentication Code)

  KMAC is specified in SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash (December 2016). KMAC is a keyed hash function based on KECCAK, which is specified in FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. There are two variants of KECCAK, KMAC128 and KMAC256.

• CMAC

  CMAC is specified in SP 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication (May 2005). The CMAC mode is constructed from an approved block cipher (e.g., AES, as specified in FIPS 197, The Advanced Encryption Standard).

• References

1. Key hash message authentication code
2. Investopedia : MAC
3. IBM : Message Authentication Codes (MACs)
4. Nist : Message Authentication Codes MAC
5. Tutorialspoint : Cryptography Tutorial
6. What Is Hash-Based Message Authentication?
7. How and when do I use HMAC?
8. GeeksforGeeks : What is HMAC(Hash based Message Authentication Code)?