Hash-Based MACs (HMAC)

The most widely used MAC system today is Hash-MAC (HMAC). It uses a keyless Merkle-Damgård hash function built from a compression function .

The construction itself is byte-oriented - the inputs for the underlying Merkle-Damgård function are assumed to be bytes in length. HMAC uses a key of arbitrary length to derive two keys . The keys and are derived by XOR-ing the master key with two constants ipad and opad.

The constant ipad ("inner pad") is the byte 0x36 repeated to match the key's length in bytes, and, similarly, opad ("outer pad") is the byte 0x5C repeated to match 's byte length, too.

The MAC's signing algorithm is then defined as follows:

The first "inner key" is prepended to the message and this concatenation is hashed with the Merkle-Damgård function . Subsequently, the "outer key" is prepended to the resulting digest and is passed to one last time to produce the tag for the message . When "expanded" into its Merkle-Damgård implementation, the algorithm looks like following.

Since this is a deterministic MAC system, the canonical verification algorithm can be used.

Security of HMAC

Using a collision resistant hash function is actually not enough to prove that HMAC is a secure MAC. However, HMAC can be proven strongly unforgeable if the Merkle-Damgård function uses a compression function that is a pseudorandom function (PRF), for example a Davies-Meyer function.

An HMAC construction is strongly unforgeable, as long as the underlying compression function $h$ is a pseudorandom function.
TO BE FOUND