- why is it called MAC?
MACs seem to be used for:
- authentication and integrity
- randomness, if used as a PRF (not all MACs are PRFs, HMAC is)
- key derivation, if used as a PRF in a KDF (HKDF)
- 1997 - CBC-MAC
- 2013 - Matthew Green - Why I hate CBC-MAC
- AES-CCM (part of TLS 1.3) makes use of CBC-MAC
- 2005 - Rogaway - CMAC is a simple variant of the CBC MAC
Whereas the basic CBC MAC is only secure on messages of one fixed length (and that length must be a multiple of the block size), CMAC takes and is secure across messages of any bit length. CMAC is a variant of the mode called XCBC that was invented and analyzed by John Black and Phillip Rogaway. It enjoys provable-security, with the conventional bounds.
- one-time MACs like GMAC, Poly1305
- SHA-256(k || m || k) is proven to be secure, whereas SHA-256(k || m) is vulnerable to length-extension attacks
- HMAC, by contrast: HMAC = HASH(k1 || HASH(k2 || m))
- NMAC is defined alongside HMAC, but it requires modifying the underlying hash function (keying its IV), so nobody uses it
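Added example (not from these notes): HMAC-SHA256 built directly from the formula above, with k1 = k XOR opad and k2 = k XOR ipad (keys longer than one block are hashed first, shorter ones zero-padded), checked against Python's `hmac` module. The outer hash hides the inner hash's state, which is what blocks the length-extension problem of plain SHA-256(k || m). The key and message values are constructed for the demo.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC pads or hashes the key to this length


def hmac_sha256_from_definition(key: bytes, message: bytes) -> bytes:
    """HMAC(k, m) = H((k XOR opad) || H((k XOR ipad) || m)), i.e. H(k1 || H(k2 || m))."""
    # RFC 2104: keys longer than one block are hashed, then every key is zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    k1 = bytes(b ^ 0x5C for b in key)  # outer key: k XOR opad
    k2 = bytes(b ^ 0x36 for b in key)  # inner key: k XOR ipad
    inner = hashlib.sha256(k2 + message).digest()
    return hashlib.sha256(k1 + inner).digest()


def reference_hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Same computation via the standard library, for cross-checking."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time tag check: never compare MAC tags with ==."""
    return hmac.compare_digest(hmac_sha256_from_definition(key, message), tag)


if __name__ == "__main__":
    k, m = b"key", b"The quick brown fox jumps over the lazy dog"  # constructed demo values
    print(hmac_sha256_from_definition(k, m).hex())
    print(hmac_sha256_from_definition(k, m) == reference_hmac_sha256(k, m))
```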
- Dan Boneh on HMAC
- KMAC (Keccak-MAC) = SHAKE(k || padding || m), defined in FIPS 180
- SipHash seems to be good/fast with short inputs
- HMAC, KMAC and CMAC are NIST/FIPS approved
- RFCs that reference HMAC
- HMAC papers
- 1996 - M. Bellare, R. Canetti, and H. Krawczyk - Keying hash functions for message authentication
- 1996 - M. Bellare, R. Canetti, and H. Krawczyk - Message authentication using hash functions: The HMAC construction
- 1997 - H. Krawczyk, M. Bellare, and R. Canetti - HMAC: Keyed-Hashing for Message Authentication
- 1997 - H. Krawczyk, M. Bellare, and R. Canetti - RFC 2104: HMAC: Keyed-Hashing for Message Authentication
- 2011 - NIST & IECA - Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
- 2006 - M. Bellare - New Proofs for NMAC and HMAC: Security without Collision-Resistance
- HMAC needs an iterated hash function?
- they are resistant to authentication tag forgery
- PRFs are MACs, but the reverse is not always true.
- having said that, HMAC, KMAC and SipHash are all considered PRFs
Authentication in TLS. HMAC is used to authenticate the transcript and to derive keys in HKDF. There are also the NULL ciphers in TLS, which give basically an authenticated but non-encrypted session.
Symmetric Authentication in Time-Based One-Time Password (TOTP). TOTP(key, time) = HMAC(key, time), where time is in seconds but truncated so that it keeps the same value for some period of time (60s for example)
Symmetric Authentication in HMAC-Based One-Time Password (HOTP). HOTP(key, counter) = HMAC(key, counter)
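Added example (not from these notes): HOTP as in RFC 4226 (HMAC over the 8-byte big-endian counter, then dynamic truncation to a decimal code) and TOTP as in RFC 6238, where the counter is floor(time / step). The RFC test vectors use a 30-second step, so the step is a parameter here; the verifier accepts one step of clock drift either side and compares in constant time. The key is the RFC test key, not a real secret.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, hash_fn=hashlib.sha1) -> str:
    """HOTP(key, counter) per RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hash_fn).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, hash_fn=hashlib.sha1) -> str:
    """TOTP(key, time) = HOTP(key, floor(time / step)) per RFC 6238; the code is stable within one step."""
    return hotp(key, unix_time // step, digits, hash_fn)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift); constant-time compare."""
    for drift in range(-window, window + 1):
        candidate = totp(key, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    demo_key = b"12345678901234567890"  # RFC 4226/6238 test key, not a real secret
    print(hotp(demo_key, 0), totp(demo_key, 59, digits=8))
```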
Integrity of Cookies. To track user browser sessions you can send them a random string (associated with their metadata) OR send them the metadata directly, attached with an authentication tag so that they can't modify the metadata. Google has pushed this to the limit with Macaroons
Authentication/Authorization/Access Tokens. Same thing as cookies. This is used in JWT, SAML, OAUTH, OpenID, SSO, etc. I don't think it is great practice though as asymmetric primitives like signatures would be better.
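Added example (not from these notes) covering the cookie and access-token items above: the metadata is sent in the clear, base64url-encoded, with an HMAC-SHA256 tag over it appended. The server recomputes the tag in constant time and rejects tampered metadata, tokens made under another key, malformed tokens, and expired ones. The key name, field names and values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, metadata: dict) -> str:
    """Return "payload.tag": the metadata is readable by the client, the tag binds it to the server key."""
    # Canonical JSON so the same metadata always yields the same bytes under the MAC.
    payload = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(key: bytes, token: str, now: int):
    """Return the metadata dict if the tag verifies and the token is unexpired, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered metadata or wrong key
    metadata = json.loads(payload)  # safe to parse: the tag proves we produced these bytes
    if metadata.get("exp", 0) < now:
        return None  # expired
    return metadata


if __name__ == "__main__":
    server_key = b"demo-server-key"  # constructed; a real key would come from a secret store
    tok = issue_token(server_key, {"uid": 42, "role": "user", "exp": 2000})
    print(tok)
    print(verify_token(server_key, tok, now=1000))
```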
to check:
- Global Platform/ISO 7816 Secure Messaging, which uses C-MAC.
- snmp
- borg backup
- ipsec-ah
- s3 authentication
- encryption is forbidden on HAM bands
- macaroons
- bip32
- hawk
- oauth 1.0
incomplete list
- 2019 - Efficient Message Authentication Codes with Combinatorial Group Testing
- 2003 - Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan
- 2017 - Sergey Agievich - EHE: nonce misuse-resistant message authentication
- 2013 - Bin Wang and Xiaojing Hong - Sequential message authentication code without random oracles
- 2009 - L. H. Nguyen and A. W. Roscoe - Separating two roles of hashing in one-way message authentication