RSA Security 5.2.2 manual Password-Based Encryption, Hash-Based Message Authentication Codes Hmac

Cryptography Overview

Hash-Based Message Authentication Codes (HMAC)

A hash-based message authentication code (HMAC) combines a secret key with a message digest to create a message authentication code. This method of creating a MAC makes it possible to update the underlying message digest if a new attack makes the original message digest unsecure. Crypto-C provides an HMAC implementation based on SHA1.

Recall that SHA1 produces a 20-byte digest; in addition, we need to know that SHA1 takes input in 64-byte blocks.

Given a message M and a key k, the HMAC of M is computed as follows:

1.Create two different fixed strings that are used in the calculation: ipad = the byte 0x36 repeated 64 times

opad = the byte 0x5C repeated 64 times

2.Extend k to 64 bytes in length by appending zeros to the end of k. For example, if k is 25 bytes, append 39 copies of the zero byte 0x00. We will call the extended key k’.

3.Compute the following:

SHA1(k’ XOR opad SHA1((k’ XOR ipad) M))

where denotes concatenation.

The same key can be used for multiple authentications, but the key should be replaced periodically. For security considerations, the key should be at least as long as the message digest output. For SHA1, this means an HMAC key should be at least 20 bytes. If the key is “weakly random”—that is, if knowing some of the key bits might help an attacker generate other key bits, then a longer key should be used.

Password-Based Encryption

Password-based encryption (PBE) generates a symmetric key from a password, and encrypts data using that generated key. Usually, though, a password will not have enough effective random bits to qualify as a candidate for a key or even a random seed to generate a key. For example, each character of an 8-byte alphanumeric password that also allows case-sensitive letters has the equivalent of slightly less than six bits of randomness. For eight-character passwords, this is far less than the required key size of a block cipher such as DES.

Therefore, a good PBE implementation not only uses the password, but mixes in a random number, known as a salt, to create the key (see Figure 3-8 on page 50).