Skip to content

Commit 2195fab

Browse files
drbruced12drbruced12
committed
cleanup HMAC description
1 parent f85192d commit 2195fab

File tree

1 file changed

+61
-58
lines changed

1 file changed

+61
-58
lines changed

crypto.rst

Lines changed: 61 additions & 58 deletions
Original file line numberDiff line numberDiff line change
@@ -458,10 +458,10 @@ fundamentally inseparable. It is not much use to say that a message came from a
458458
certain participant if the contents of the message have been modified
459459
after that participant created it.
460460

461-
An *message authentication code* is a value, to be included in a transmitted message,
461+
A *message authentication code* is a value, to be included in a transmitted message,
462462
that can be used to verify simultaneously the authenticity and the data
463463
integrity of a message. We will see later how such codes can be used in
464-
protocols. For now, we focus on the algorithms that can generated and verify
464+
protocols. For now, we focus on the algorithms that can generate and verify
465465
authentication codes.
466466

467467
When data is stored or transmitted, it is routine to use
@@ -485,7 +485,7 @@ For simplicity, let's assume initially that the original message need
485485
not be confidential—that a transmitted message will consist of the
486486
plaintext of the original message plus some additional code to support
487487
authentication. Later we will consider the case where confidentiality
488-
is desired.
488+
is also desired.
489489

490490
One common build block of message authentication is a
491491
*cryptographic hash function*. Cryptographic hash algorithms are
@@ -503,7 +503,8 @@ larger than the space of possible message digests, there will be many
503503
different input messages that produce the same message digest, like
504504
collisions in a hash table. An important property of cryptographic
505505
hash functions is that such collisions may not be produced
506-
deliberately under the control of the attacker.
506+
deliberately under the control of the attacker. We will see why this
507+
is so in a moment.
507508

508509
A message authentication code can be created by encrypting the message
509510
digest with some key. That key could be the private key of an
@@ -543,74 +544,76 @@ same digest much more easily than this, which would reduce the
543544
security of the algorithm. So a random distribution of hash outputs is
544545
an important property for these algorithms.
545546

546-
If you were instead just trying to find any
547-
*collision*—any two messages that produce the same digest—then you
548-
would need to compute the digests of only 2\ :sup:`64` messages, on
549-
average. This surprising fact is the basis of the “birthday
550-
attack” mentioned above.
547+
If you were instead just trying to find any *collision*—any two
548+
messages that produce the same digest—then you would need to compute
549+
the digests of only 2\ :sup:`64` messages, on average. This
550+
surprising fact is the basis of the “birthday attack” mentioned above.
551551

552552
There have been several common cryptographic hash algorithms over the
553553
years, including Message Digest 5 (MD5) and the Secure Hash Algorithm
554554
(SHA) family. Weaknesses of MD5 and earlier versions of SHA have been
555555
known for some time, which led NIST to recommend a family of
556556
algorithms known as SHA-3 in 2015.
557557

558-
AS noted above, the encryption of the message digest can be performed using
559-
either a secret-key cipher or a public-key cipher. If a public-key
560-
cipher is used, the digest is encrypted using the sender’s private
561-
key, and the
562-
receiver—or anyone else—could decrypt the digest using the sender’s
563-
public key. If a secret-key cipher is used, the sender and receiver
564-
have to agree on the secret key ahead of time using some other means.
565-
566-
A digest encrypted with a public-key algorithm using the private
567-
key of the sender
568-
is called a *digital signature* because it provides nonrepudiation
569-
similar to that of
570-
a written signature. The receiver of a message with a digital signature
571-
can prove to any third party that the sender really sent that message,
572-
because the third party can use the sender’s public key to check for
573-
herself. Secret-key encryption of a digest does not have this property
574-
because only the two participants know the key; furthermore, since both
575-
participants know the key, the alleged receiver could have created the
576-
message herself. Any public-key cipher can be used for digital
577-
signatures. NIST has produced a series of *Digital Signature
578-
Standards* (DSS). The most recent standard at the time of writing
579-
allows for the use of three public-key ciphers, one based on RSA,
580-
another based on elliptic curves, and
581-
and a third called the *Edwards-Curve Digital Signature Algorithm*.
582-
583-
.. should check the above for updates
584-
585-
An alternative approach to encrypting a
586-
hash is to use a hash function that takes a secret value (known
587-
only to the sender and the receiver) as an input parameter. Such a function outputs a
588-
message authentication code that is a function of both the secret key
589-
and the message contents. The sender
590-
appends the code to the plaintext message. The receiver recomputes the
591-
authentication code using the plaintext and the secret value and compares that
592-
recomputed code to the code received in the message.
593-
594-
.. _fig-macAndHmac:
595-
.. figure:: figures/f08-05-modified.png
558+
As noted above, the encryption of the message digest can be performed
559+
using either a secret-key cipher or a public-key cipher. If a
560+
public-key cipher is used, the digest is encrypted using the sender’s
561+
private key, and the receiver—or anyone else—could decrypt the digest
562+
using the sender’s public key. If a secret-key cipher is used, the
563+
sender and receiver have to agree on the secret key ahead of time
564+
using some other means.
565+
566+
A digest encrypted with a public-key algorithm using the private key
567+
of the sender is called a *digital signature* because it provides
568+
nonrepudiation similar to that of a written signature. The receiver of
569+
a message with a digital signature can prove to any third party that
570+
the sender really sent that message, because the third party can use
571+
the sender’s public key to check for herself. Secret-key encryption of
572+
a digest does not have this property because only the two participants
573+
know the key; furthermore, since both participants know the key, the
574+
alleged receiver could have created the message herself. Any
575+
public-key cipher can be used for digital signatures. NIST has
576+
produced a series of *Digital Signature Standards* (DSS). The most
577+
recent standard at the time of writing allows for the use of three
578+
public-key ciphers, one based on RSA, another based on elliptic
579+
curves, and a third called the *Edwards-Curve Digital Signature
580+
Algorithm*.
581+
582+
583+
An widely used alternative approach to encrypting a hash is to use a
584+
hash function that takes a secret value (a key known only to the
585+
sender and the receiver) as an input parameter in addition to the
586+
message text. Such a function outputs a message authentication code
587+
that is a function of both the secret key and the message
588+
contents. The sender appends the calculated message authentication
589+
code to the plaintext message. The receiver recomputes the
590+
authentication code using the plaintext and the secret value and
591+
compares that recomputed code to the code received in the message. The
592+
most common approaches to generating these codes are called HMACs or
593+
keyed-hash message authentication codes.
594+
595+
HMACs can use any hash function of the sort described above, but the
596+
also include the key as part of the material to be hashed, so that a
597+
HMAC is a function of both the key and the input text. An approach to
598+
calculating HMACs has been standardized by NIST and takes the
599+
following form:
600+
601+
HMAC = H((K⊕opad) || H((K⊕ipad) || text))
602+
603+
H is the hash function, K is the key, and opad (output pad) and ipad
604+
(input pad) are well-known strings that are XORed (⊕) with the key. ||
605+
represents concatenation.
606+
607+
.. let's delete this incorrect pic for now
608+
.. _fig-macAndHmac:
609+
.. figure:: figures/f08-05-modified.png
596610
:width: 300px
597611
:align: center
598612
599613
Computing a hashed message authentication code (HMAC).
600614
601615
.. this appears to be out of date, see https://en.wikipedia.org/wiki/HMAC#Design_principles
602616
603-
One way to implement the approach just described is to apply a cryptographic hash (such as
604-
SHA-3) to the concatenation of the plaintext message and the
605-
secret value, as illustrated in :numref:`Figure %s
606-
<fig-macAndHmac>`. The resulting digest is called a *hashed message
607-
authentication code* (HMAC). The HMAC,
608-
but not the secret value, is appended to the plaintext. Only a receiver
609-
who knows the secret value can compute the correct HMAC to compare
610-
with the received HMAC. If it weren’t for the one-way property of the
611-
hash, an adversary might be able to find the input that generated the
612-
HMAC and compare it to the plaintext message to determine the secret
613-
value.
614617
615618
Up to this point, we have been assuming that the message wasn’t
616619
confidential, so the original message could be transmitted as plaintext.

0 commit comments

Comments
 (0)