Abstract.
HMAC is the most widely-deployed cryptographic-hash-function-based
message authentication code. First, we describe a security issue
that arises because of
inconsistencies in the standards and the published literature
regarding keylength. We prove a separation result between two
versions of HMAC, which we denote 
and
, the former being the real-world version
standardized by Bellare et al. in 1997 and the latter being the
version described in Bellare's proof of security in his Crypto 2006 paper.
Second, we describe how 
(the FIPS version standardized
by NIST), while provably secure (in the single-user setting), succumbs to
a practical attack in the multi-user setting. Third, we describe a
fundamental defect from a practice-oriented standpoint
in Bellare's 2006 security result for HMAC, and show that because of
this defect his proof gives a security guarantee that is
of little value in practice. We give a new proof of NMAC security
that gives a stronger result for NMAC and HMAC and we discuss why
even this stronger result by itself fails to give
convincing assurance of HMAC security.
© 2013 by Walter de Gruyter Berlin Boston
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
