Keying Hash Functions for Message Authentication

The use of cryptographic hash functions like MD5 or SHA for message authentication has become a standard approach in many Internet applications and protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. In addition our schemes are e cient and practical. Their performance is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093. Email: [email protected]. http://www-cse.ucsd.edu/users/mihir. y IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email: canetti@ watson.ibm.com. Work done while author was at MIT, supported by a post-doctoral grant from the Rothschild Foundation. z IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. Email:[email protected]. com.