RFC 2104 (rfc2104) - Page 2 of 11


HMAC: Keyed-Hashing for Message Authentication



Alternative Format: Original Text Document



RFC 2104                          HMAC                     February 1997


   HMAC can be used in combination with any iterated cryptographic hash
   function. MD5 and SHA-1 are examples of such hash functions. HMAC
   also uses a secret key for calculation and verification of the
   message authentication values. The main goals behind this
   construction are

   * To use, without modifications, available hash functions.
     In particular, hash functions that perform well in software,
     and for which code is freely and widely available.

   * To preserve the original performance of the hash function without
     incurring a significant degradation.

   * To use and handle keys in a simple way.

   * To have a well understood cryptographic analysis of the strength of
     the authentication mechanism based on reasonable assumptions on the
     underlying hash function.

   * To allow for easy replaceability of the underlying hash function in
     case that faster or more secure hash functions are found or
     required.

   This document specifies HMAC using a generic cryptographic hash
   function (denoted by H). Specific instantiations of HMAC need to
   define a particular hash function. Current candidates for such hash
   functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD].
   These different realizations of HMAC will be denoted by HMAC-SHA1,
   HMAC-MD5, HMAC-RIPEMD, etc.

   Note: To the date of writing of this document MD5 and SHA-1 are the
   most widely used cryptographic hash functions. MD5 has been recently
   shown to be vulnerable to collision search attacks [Dobb].  This
   attack and other currently known weaknesses of MD5 do not compromise
   the use of MD5 within HMAC as specified in this document (see
   [Dobb]); however, SHA-1 appears to be a cryptographically stronger
   function. To this date, MD5 can be considered for use in HMAC for
   applications where the superior performance of MD5 is critical.   In
   any case, implementers and users need to be aware of possible
   cryptanalytic developments regarding any of these cryptographic hash
   functions, and the eventual need to replace the underlying hash
   function. (See section 6 for more information on the security of
   HMAC.)








Krawczyk, et. al.            Informational