HMAC算法(中文翻译)

文档的内容原样摘自IETF RFC 2104
 
 
Network Working Group                    H. Krawczyk
Request for Comments: 2104                     IBM
Category: Informational                   M. Bellare
                                  UCSD
                               R. Canetti
                                  IBM
                             February 1997
 
 
       HMAC: Keyed-Hashing for Message Authentication
 
Status of This Memo
[译]当前备忘录的状态
 
  This memo provides information for the Internet community. This memo
  does not specify an Internet standard of any kind. Distribution of
  this memo is unlimited.
  [译]当前备忘录为互联网社区提供信息;并不代表任何互联网标准。对此文档的分发没有任何限制。
 
Abstract
摘要
 
  This document describes HMAC, a mechanism for message authentication
  using cryptographic hash functions. HMAC can be used with any
  iterative cryptographic hash function, e.g., MD5, SHA-1, in
  combination with a secret shared key. The cryptographic strength of
  HMAC depends on the properties of the underlying hash function.
  [译]当前文档描述了HMAC,一种使用哈希加密函数对消息进行认证的机制。HMAC可以使用在任何迭代哈希函数(例如MD5,SHA-1,等)上,使用时配合一个共享密钥限可。HMAC输出的密码长度依赖于所使用的哈希函数的属性。
 
1. Introduction
1. 简介
 
  Providing a way to check the integrity of information transmitted
  over or stored in an unreliable medium is a prime necessity in the
  world of open computing and communications. Mechanisms that provide
  such integrity check based on a secret key are usually called
  “message authentication codes” (MAC). Typically, message
  authentication codes are used between two parties that share a secret
  key in order to validate information transmitted between these
  parties. In this document we present such a MAC mechanism based on
  cryptographic hash functions. This mechanism, called HMAC, is based
  on work by the authors [BCK1] where the construction is presented and
  cryptographically analyzed. We refer to that work for the details on
  the rationale and security analysis of HMAC, and its comparison to
  other keyed-hash methods.
  [译]本文档提供了一种方法,用来验证在公开的计算或通信环境下,通过不可靠的媒介传输或存储信息的合法性。提供这种合法性验证的原理是基于一个被称为消息认证码的密钥。通常情况下,
 
 
 
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 1]


RFC 2104             HMAC           February 1997
 
 
  HMAC can be used in combination with any iterated cryptographic hash
  function. MD5 and SHA-1 are examples of such hash functions. HMAC
  also uses a secret key for calculation and verification of the
  message authentication values. The main goals behind this
  construction are
  [译]HMAC可以和任何迭代密码散列算法结合使用。例如MD5和SHA-1散列算法。HMAC使用密钥来计算和验证认证消息数据。采用这种结构的主要目的是:
 
  * To use, without modifications, available hash functions.
   In particular, hash functions that perform well in software,
   and for which code is freely and widely available.
 
  * To preserve the original performance of the hash function without
   incurring a significant degradation.
 
  * To use and handle keys in a simple way.
  [译]以一种简单的方式来使用和处理密钥。
 
  * To have a well understood cryptographic analysis of the strength of
   the authentication mechanism based on reasonable assumptions on the
   underlying hash function.
 
  * To allow for easy replaceability of the underlying hash function in
   case that faster or more secure hash functions are found or
   required.
  [译]提供了一种简单替换当前散列算法的能力,在发现了更快捷或更安全
  的散列算法时用以替换。
 
  This document specifies HMAC using a generic cryptographic hash
  function (denoted by H). Specific instantiations of HMAC need to
  define a particular hash function. Current candidates for such hash
  functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD].
  These different realizations of HMAC will be denoted by HMAC-SHA1,
  HMAC-MD5, HMAC-RIPEMD, etc.
 
  Note: To the date of writing of this document MD5 and SHA-1 are the
  most widely used cryptographic hash functions. MD5 has been recently
  shown to be vulnerable to collision search attacks [Dobb]. This
  attack and other currently known weaknesses of MD5 do not compromise
  the use of MD5 within HMAC as specified in this document (see
  [Dobb]); however, SHA-1 appears to be a cryptographically stronger
  function. To this date, MD5 can be considered for use in HMAC for
  applications where the superior performance of MD5 is critical.  In
  any case, implementers and users need to be aware of possible
  cryptanalytic developments regarding any of these cryptographic hash
  functions, and the eventual need to replace the underlying hash
  function. (See section 6 for more information on the security of
  HMAC.)
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 2]


RFC 2104             HMAC           February 1997
 
 
2. Definition of HMAC
2. HMAC定义
 
  The definition of HMAC requires a cryptographic hash function, which
  we denote by H, and a secret key K. We assume H to be a cryptographic
  hash function where data is hashed by iterating a basic compression
  function on blocks of data.  We denote by B the byte-length of such
  blocks (B=64 for all the above mentioned examples of hash functions),
  and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
  SHA-1). The authentication key K can be of any length up to B, the
  block length of the hash function. Applications that use keys longer
  than B bytes will first hash the key using H and then use the
  resultant L byte string as the actual key to HMAC. In any case the
  minimal recommended length for K is L bytes (as the hash output
  length). See section 3 for more information on keys.
  [译]HMAC的定义需要使用到一个加密哈希函数和一个密钥,我们使用字母H表示哈希函数,使用字母K表示密钥。假设H是加密哈希函数,其中数据是通过一个基本压缩函数对数据块进行迭代哈希的结果。我们使用字母B表示这个数据块的长度(约定上面所有的哈希函数的示例中B=64),使用字母L表示哈希函数的输出(约定MD5算法中L=16,SHA-1算法中L=20)认证密钥K的长度要小于等于B。如果应用程序使用的密钥长度比B大,使用H对密钥进行哈希计算,然后将计算结果L作为新的密钥传给HMAC。建议K的长度不小于L的长度。关于密钥的更多信息参照第3章。
 
  We define two fixed and different strings ipad and opad as follows
  (the ‘i’ and ‘o’ are mnemonics for inner and outer):
  [译]我们定义两个固定而又不同的字符串代表 ipad 和 opad,如下(字母i代表输入,字母o代表输出)
 
          ipad = the byte 0x36 repeated B times
         opad = the byte 0x5C repeated B times.
 
  To compute HMAC over the data `text’ we perform
  [译]对数据`text’执行HMAC算法
 
          H(K XOR opad, H(K XOR ipad, text))
 
  Namely,
  [译]说明,
 
  (1) append zeros to the end of K to create a B byte string
    (e.g., if K is of length 20 bytes and B=64, then K will be
     appended with 44 zero bytes 0x00)
  [译] 在K的末尾追加零来创建一个B字节长度的字符串(假设K的长度是20,B=64,那么K的末尾需要追加44个字节的0x00)
  (2) XOR (bitwise exclusive-OR) the B byte string computed in step
    (1) with ipad
  [译] 使用第(1)步生成的B字节的字符串和 ipad 做异或运算
  (3) append the stream of data ‘text’ to the B byte string resulting
    from step (2)
  [译] 把’text’数据追加到第(2)步生成的B字节的字符串后面
  (4) apply H to the stream generated in step (3)
  [译] 对第(3)步生成的结果使用H算法
  (5) XOR (bitwise exclusive-OR) the B byte string computed in
    step (1) with opad
  [译] 使用第(1)步生成的B字节的字符串和 opad 做异或运算
  (6) append the H result from step (4) to the B byte string
    resulting from step (5)
  [译] 把第(4)步生成的H算法的结果追加到第(5)步生成的B字节的字符串后面
  (7) apply H to the stream generated in step (6) and output
    the result
  [译] 对第(6)步生成的结果使用H算法
 
  For illustration purposes, sample code based on MD5 is provided as an
  appendix.
  [译]作为演示,在附录中提供了一个基于MD5算法的示例代码。
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 3]


RFC 2104             HMAC           February 1997
 
 
3. Keys
[译]3. 密钥
 
  The key for HMAC can be of any length (keys longer than B bytes are
  first hashed using H). However, less than L bytes is strongly
  discouraged as it would decrease the security strength of the
  function. Keys longer than L bytes are acceptable but the extra
  length would not significantly increase the function strength. (A
  longer key may be advisable if the randomness of the key is
  considered weak.)
 
  Keys need to be chosen at random (or using a cryptographically strong
  pseudo-random generator seeded with a random seed), and periodically
  refreshed. (Current attacks do not indicate a specific recommended
  frequency for key changes as these attacks are practically
  infeasible. However, periodic key refreshment is a fundamental
  security practice that helps against potential weaknesses of the
  function and keys, and limits the damage of an exposed key.)
 
4. Implementation Note
[译]4. 实践注意事项
 
  HMAC is defined in such a way that the underlying hash function H can
  be used with no modification to its code. In particular, it uses the
  function H with the pre-defined initial value IV (a fixed value
  specified by each iterative hash function to initialize its
  compression function). However, if desired, a performance
  improvement can be achieved at the cost of (possibly) modifying the
  code of H to support variable IVs.
 
  The idea is that the intermediate results of the compression function
  on the B-byte blocks (K XOR ipad) and (K XOR opad) can be precomputed
  only once at the time of generation of the key K, or before its first
  use. These intermediate results are stored and then used to
  initialize the IV of H each time that a message needs to be
  authenticated. This method saves, for each authenticated message,
  the application of the compression function of H on two B-byte blocks
  (i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be
  significant when authenticating short streams of data. We stress
  that the stored intermediate values need to be treated and protected
  the same as secret keys.
 
  Choosing to implement HMAC in the above way is a decision of the
  local implementation and has no effect on inter-operability.
 
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 4]


RFC 2104             HMAC           February 1997
 
 
5. Truncated output
 
  A well-known practice with message authentication codes is to
  truncate the output of the MAC and output only part of the bits
  (e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some
  analytical advantages of truncating the output of hash-based MAC
  functions. The results in this area are not absolute as for the
  overall security advantages of truncation. It has advantages (less
  information on the hash result available to an attacker) and
  disadvantages (less bits to predict for the attacker). Applications
  of HMAC can choose to truncate the output of HMAC by outputting the t
  leftmost bits of the HMAC computation for some parameter t (namely,
  the computation is carried in the normal way as defined in section 2
  above but the end result is truncated to t bits). We recommend that
  the output length t be not less than half the length of the hash
  output (to match the birthday attack bound) and not less than 80 bits
  (a suitable lower bound on the number of bits that need to be
  predicted by an attacker). We propose denoting a realization of HMAC
  that uses a hash function H with t bits of output as HMAC-H-t. For
  example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function
  and with the output truncated to 80 bits. (If the parameter t is not
  specified, e.g. HMAC-MD5, then it is assumed that all the bits of the
  hash are output.)
 
6. Security
[译]6. 安全
 
  The security of the message authentication mechanism presented here
  depends on cryptographic properties of the hash function H: the
  resistance to collision finding (limited to the case where the
  initial value is secret and random, and where the output of the
  function is not explicitly available to the attacker), and the
  message authentication property of the compression function of H when
  applied to single blocks (in HMAC these blocks are partially unknown
  to an attacker as they contain the result of the inner H computation
  and, in particular, cannot be fully chosen by the attacker).
 
  These properties, and actually stronger ones, are commonly assumed
  for hash functions of the kind used with HMAC. In particular, a hash
  function for which the above properties do not hold would become
  unsuitable for most (probably, all) cryptographic applications,
  including alternative message authentication schemes based on such
  functions. (For a complete analysis and rationale of the HMAC
  function the reader is referred to [BCK1].)
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 5]


RFC 2104             HMAC           February 1997
 
 
  Given the limited confidence gained so far as for the cryptographic
  strength of candidate hash functions, it is important to observe the
  following two properties of the HMAC construction and its secure use
  for message authentication:
 
  1. The construction is independent of the details of the particular
  hash function H in use and then the latter can be replaced by any
  other secure (iterative) cryptographic hash function.
 
  2. Message authentication, as opposed to encryption, has a
  “transient” effect. A published breaking of a message authentication
  scheme would lead to the replacement of that scheme, but would have
  no adversarial effect on information authenticated in the past. This
  is in sharp contrast with encryption, where information encrypted
  today may suffer from exposure in the future if, and when, the
  encryption algorithm is broken.
 
  The strongest attack known against HMAC is based on the frequency of
  collisions for the hash function H (“birthday attack”) [PV,BCK2], and
  is totally impractical for minimally reasonable hash functions.
 
  As an example, if we consider a hash function like MD5 where the
  output length equals L=16 bytes (128 bits) the attacker needs to
  acquire the correct message authentication tags computed (with the
  _same_ secret key K!) on about 2**64 known plaintexts. This would
  require the processing of at least 2**64 blocks under H, an
  impossible task in any realistic scenario (for a block length of 64
  bytes this would take 250,000 years in a continuous 1Gbps link, and
  without changing the secret key K during all this time). This attack
  could become realistic only if serious flaws in the collision
  behavior of the function H are discovered (e.g. collisions found
  after 2**30 messages). Such a discovery would determine the immediate
  replacement of the function H (the effects of such failure would be
  far more severe for the traditional uses of H in the context of
  digital signatures, public key certificates, etc.).
 
  Note: this attack needs to be strongly contrasted with regular
  collision attacks on cryptographic hash functions where no secret key
  is involved and where 2**64 off-line parallelizable (!) operations
  suffice to find collisions. The latter attack is approaching
  feasibility [VW] while the birthday attack on HMAC is totally
  impractical. (In the above examples, if one uses a hash function
  with, say, 160 bit of output then 2**64 should be replaced by 2**80.)
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 6]


RFC 2104             HMAC           February 1997
 
 
  A correct implementation of the above construction, the choice of
  random (or cryptographically pseudorandom) keys, a secure key
  exchange mechanism, frequent key refreshments, and good secrecy
  protection of keys are all essential ingredients for the security of
  the integrity verification mechanism provided by HMAC.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 7]


RFC 2104             HMAC           February 1997
 
 
Appendix -- Sample Code
[译]附录 – 示例代码
 
  For the sake of illustration we provide the following sample code for
  the implementation of HMAC-MD5 as well as some corresponding test
  vectors (the code is based on MD5 code as described in [MD5]).
 
/*
** Function: hmac_md5
*/
 
void
hmac_md5(text, text_len, key, key_len, digest)
unsigned char* text;        /* pointer to data stream */
int       text_len;      /* length of data stream */
unsigned char* key;         /* pointer to authentication key */
int       key_len;       /* length of authentication key */
caddr_t     digest;       /* caller digest to be filled in */
 
{
    MD5_CTX context;
    unsigned char k_ipad[65];  /* inner padding -
                   * key XORd with ipad
                   */
    unsigned char k_opad[65];  /* outer padding -
                   * key XORd with opad
                   */
    unsigned char tk[16];
    int i;
    /* if key is longer than 64 bytes reset it to key=MD5(key) */
    if (key_len > 64) {
 
        MD5_CTX   tctx;
 
        MD5Init(&tctx);
        MD5Update(&tctx, key, key_len);
        MD5Final(tk, &tctx);
 
        key = tk;
        key_len = 16;
    }
 
    /*
     * the HMAC_MD5 transform looks like:
     *
     * MD5(K XOR opad, MD5(K XOR ipad, text))
     *
     * where K is an n byte key
     * ipad is the byte 0x36 repeated 64 times
 
 
 
Krawczyk, et. al.      Informational           [Page 8]


RFC 2104             HMAC           February 1997
 
 
     * opad is the byte 0x5c repeated 64 times
     * and text is the data being protected
     */
 
    /* start out by storing key in pads */
    bzero( k_ipad, sizeof k_ipad);
    bzero( k_opad, sizeof k_opad);
    bcopy( key, k_ipad, key_len);
    bcopy( key, k_opad, key_len);
 
    /* XOR key with ipad and opad values */
    for (i=0; i<64; i++) {
        k_ipad[i] ^= 0x36;
        k_opad[i] ^= 0x5c;
    }
    /*
     * perform inner MD5
     */
    MD5Init(&context);          /* init context for 1st
                       * pass */
    MD5Update(&context, k_ipad, 64)   /* start with inner pad */
    MD5Update(&context, text, text_len); /* then text of datagram */
    MD5Final(digest, &context);     /* finish up 1st pass */
    /*
     * perform outer MD5
     */
    MD5Init(&context);          /* init context for 2nd
                       * pass */
    MD5Update(&context, k_opad, 64);   /* start with outer pad */
    MD5Update(&context, digest, 16);   /* then results of 1st
                       * hash */
    MD5Final(digest, &context);     /* finish up 2nd pass */
}
 
Test Vectors (Trailing ‘\0’ of a character string not included in test):
 
 key =     0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
 key_len =   16 bytes
 data =    “Hi There”
 data_len =  8 bytes
 digest =   0x9294727a3638bb1c13f48ef8158bfc9d
 
 key =     “Jefe”
 data =    “what do ya want for nothing?”
 data_len =  28 bytes
 digest =   0x750c783e6ab0b503eaa86e310a5db738
 
 key =     0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
 
 
Krawczyk, et. al.      Informational           [Page 9]


RFC 2104             HMAC           February 1997
 
 
 key_len    16 bytes
 data =    0xDDDDDDDDDDDDDDDDDDDD...
        ..DDDDDDDDDDDDDDDDDDDD...
        ..DDDDDDDDDDDDDDDDDDDD...
        ..DDDDDDDDDDDDDDDDDDDD...
        ..DDDDDDDDDDDDDDDDDDDD
 data_len =  50 bytes
 digest =   0x56be34521d144c88dbb8c733f0e8b3f6
 
Acknowledgments
 
  Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided
  useful comments on early drafts, and ran the first interoperability
  tests of this specification. Jeff and Pau-Chen kindly provided the
  sample code and test vectors that appear in the appendix. Burt
  Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van
  Oorschot have provided useful comments and suggestions during the
  investigation of the HMAC construction.
 
References
 
  [ANSI] ANSI X9.9, “American National Standard for Financial
      Institution Message Authentication (Wholesale),” American
      Bankers Association, 1981.  Revised 1986.
 
  [Atk]  Atkinson, R., “IP Authentication Header”, RFC 1826, August
      1995.
 
  [BCK1] M. Bellare, R. Canetti, and H. Krawczyk,
      “Keyed Hash Functions and Message Authentication”,
      Proceedings of Crypto’96, LNCS 1109, pp. 1-15.
      (http://www\.research\.ibm\.com/security/keyed\-md5\.html\)
 
  [BCK2] M. Bellare, R. Canetti, and H. Krawczyk,
      “Pseudorandom Functions Revisited: The Cascade Construction”,
      Proceedings of FOCS’96.
 
  [Dobb] H. Dobbertin, “The Status of MD5 After a Recent Attack”,
      RSA Labs’ CryptoBytes, Vol. 2 No. 2, Summer 1996.
      http://www\.rsa\.com/rsalabs/pubs/cryptobytes\.html
 
  [PV]  B. Preneel and P. van Oorschot, “Building fast MACs from hash
      functions”, Advances in Cryptology -- CRYPTO’95 Proceedings,
      Lecture Notes in Computer Science, Springer-Verlag Vol.963,
      1995, pp. 1-14.
 
  [MD5]  Rivest, R., “The MD5 Message-Digest Algorithm”,
      RFC 1321, April 1992.
 
 
 
Krawczyk, et. al.      Informational           [Page 10]


RFC 2104             HMAC           February 1997
 
 
  [MM]  Meyer, S. and Matyas, S.M., Cryptography, New York Wiley,
      1982.
 
  [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, “RIPEMD-160: A
      strengthened version of RIPEMD”, Fast Software Encryption,
      LNCS Vol 1039, pp. 71-82.
      ftp://ftp\.esat\.kuleuven\.ac\.be/pub/COSIC/bosselae/ripemd/\.
 
  [SHA]  NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
 
  [Tsu]  G. Tsudik, “Message authentication with one-way hash
      functions”, In Proceedings of Infocom’92, May 1992.
      (Also in “Access Control and Policy Enforcement in
      Internetworks”, Ph.D. Dissertation, Computer Science
      Department, University of Southern California, April 1991.)
 
  [VW]  P. van Oorschot and M. Wiener, “Parallel Collision
      Search with Applications to Hash Functions and Discrete
      Logarithms”, Proceedings of the 2nd ACM Conf. Computer and
      Communications Security, Fairfax, VA, November 1994.
 
Authors’ Addresses
 
  Hugo Krawczyk
  IBM T.J. Watson Research Center
  P.O.Box 704
  Yorktown Heights, NY 10598
 
  EMail: hugo@watson.ibm.com
 
  Mihir Bellare
  Dept of Computer Science and Engineering
  Mail Code 0114
  University of California at San Diego
  9500 Gilman Drive
  La Jolla, CA 92093
 
  EMail: mihir@cs.ucsd.edu
 
  Ran Canetti
  IBM T.J. Watson Research Center
  P.O.Box 704
  Yorktown Heights, NY 10598
 
  EMail: canetti@watson.ibm.com
 
 
 
 
 
 
Krawczyk, et. al.      Informational           [Page 11]