H-MAC vs. MAC

LaRon Walker

Master of Information Technology and Internet Security

April, 2010

ABSTRACT

There are many ways to protect data so that it cannot be read, or altered unnoticed, if it is intercepted by unauthorized parties. For authenticating messages, the two terms most commonly encountered are Message Authentication Codes (MAC) and Hash-based Message Authentication Codes (HMAC). In both, a secret key is shared between a sender and a recipient, and a message cannot be verified, nor a valid tag produced for a forged one, without the correct shared key. A MAC protects integrity and origin, not confidentiality: if the content itself must be hidden, it has to be encrypted in addition. HMAC is a particular way of building a MAC from an unmodified cryptographic hash function, with a construction whose security has been analyzed, which is why it is the method generally recommended. In this document, I will compare the differences between MAC and HMAC, explain why the HMAC construction is more secure than an ad hoc keyed-hash MAC, and give examples of scenarios where MAC and HMAC methodologies are used.


Communication via the Internet has become a very common way for people to interact with each other. Because of the growing amount of information transmitted over the Internet, the security of this data has become a concern. If it is not addressed, the information in these transmissions may be intercepted and read, since most Internet traffic is sent in plain text unless proper security steps are taken, and it may also be altered in transit without the recipient noticing. This is especially important when sending messages. There are many different methods for securing these communications; for detecting tampering and verifying who sent a message, the commonly used technique is the Message Authentication Code (MAC).

Message Authentication Code (MAC)

A Message Authentication Code (MAC) is a method of checking the integrity and origin of data using a secret key that is shared between a sender and a recipient. The sender computes a short tag over the message with the key and transmits the tag together with the message; the recipient recomputes the tag with the same key and accepts the message only if the two match. Without the key, an attacker cannot produce a valid tag for a modified or fabricated message. The method can also apply to a single sender sending data to multiple recipients, provided they all hold the key. Per Bond (2002), a message authentication code is "a cryptographic checksum that results from passing data through a message authentication algorithm." Generally, this means that message authentication codes are used between senders and recipients that share a secret key to validate the information being transmitted. The MAC concept itself is sound, and capturing traffic with a sniffer or packet-capture tool does not reveal the shared key; the strength of a MAC depends instead on how the tag is constructed. Early ad hoc designs that simply hashed the key together with the message, such as H(key || message), turned out to be vulnerable to length-extension attacks when built on hash functions like MD5 or SHA-1: an attacker who has seen one valid message and its tag can append data and compute a valid tag for the extended message without knowing the key. This created the need for a standardized construction with a proper security analysis.

Keyed-Hash Message Authentication Code (HMAC)

The Keyed-Hash Message Authentication Code (HMAC) is a specific MAC construction that uses the same concept of a shared secret key but builds the tag from an unmodified cryptographic hash function, giving variants such as HMAC-SHA1, HMAC-MD5 and HMAC-RIPEMD160. The hash function is applied twice, with the key mixed in on both the inner and the outer pass, which is what closes the length-extension weakness of the naive keyed hash. Like any MAC, HMAC provides integrity and origin authentication; it does not hide the message content or guarantee that the message reaches its destination. HMAC was designed by Bellare, Canetti and Krawczyk and published as RFC 2104 in 1997; the National Institute of Standards and Technology (NIST) adopted it as Federal Information Processing Standard (FIPS) 198 in 2002. Per Bellare, Canetti and Krawczyk (1997), the design goals behind combining secret keys with cryptographic hash functions are:

• To use, without modifications, available hash functions. In particular, hash functions that perform well in software, and for which code is freely and widely available.

• To preserve the original performance of the hash function without incurring a significant degradation.

• To use and handle keys in a simple way.

• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the underlying hash function.

• To allow for easy replaceability of the underlying hash function in case that faster or more secure hash functions are found or required.
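The following is an added worked example, written for this edit and not code from the paper or from RFC 2104 itself, although it implements the RFC 2104 definition HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)) step by step. It shows the sender-and-recipient tag exchange described in the MAC section above and the HMAC construction described in this section, including the "replaceability" goal: the same function runs unchanged over MD5, SHA-1 or SHA-256. The key, message and function names in the demo are assumptions constructed for the example; the standard-library hmac module is used only to cross-check the hand-written version and for constant-time comparison.

```python
import hashlib
import hmac  # standard library; used only for cross-checking and compare_digest

IPAD_BYTE = 0x36  # inner padding constant from RFC 2104
OPAD_BYTE = 0x5C  # outer padding constant from RFC 2104


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104.

    hash_name is any algorithm hashlib knows ("md5", "sha1", "sha256", ...).
    Swapping the hash changes nothing else, which is the replaceability goal.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5, SHA-1, SHA-256
    # Keys longer than one block are hashed down first; shorter keys are
    # zero-padded on the right to exactly one block. The result is K'.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ IPAD_BYTE for b in key)
    opad_key = bytes(b ^ OPAD_BYTE for b in key)
    inner = hashlib.new(hash_name, ipad_key + message).digest()  # inner pass
    return hashlib.new(hash_name, opad_key + inner).digest()      # outer pass


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recipient side: recompute the tag under the shared key and compare.

    compare_digest runs in constant time, so a forger cannot learn from timing
    how many leading bytes of a guessed tag were right (a pitfall of plain ==).
    """
    expected = hmac_rfc2104(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def demo() -> dict:
    """Constructed sender/recipient exchange (key and message are made up here)."""
    key = b"shared-secret-key"                 # assumed shared out of band
    message = b"transfer 100 to account 42"
    tag = hmac_rfc2104(key, message, "sha1")   # sender attaches this to the message
    return {
        # genuine message, genuine key: accepted
        "genuine": verify_tag(key, message, tag, "sha1"),
        # attacker alters the message in transit but cannot fix the tag
        "tampered": verify_tag(key, b"transfer 900 to account 42", tag, "sha1"),
        # attacker who never had the key cannot verify or forge
        "wrong_key": verify_tag(b"guessed-key", message, tag, "sha1"),
    }


if __name__ == "__main__":
    # Same message and key, three different underlying hashes.
    for name in ("md5", "sha1", "sha256"):
        print(name, hmac_rfc2104(b"Jefe", b"what do ya want for nothing?", name).hex())
    print(demo())
```

The MD5 and SHA-1 outputs for the key "Jefe" can be checked against the published test vectors in RFC 2104 and RFC 2202; the two-pass structure is also why an attacker who sees a valid tag cannot extend the message, since the outer hash over the inner digest is never exposed in a form that can be continued.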

Although HMAC is a reliable method for securing message transmissions, it still has its drawbacks. The cryptographic hash functions most commonly used with HMAC are MD5 and SHA-1. The MD5 hash function is vulnerable to collision-search attacks (Dobb), although this attack does not compromise its use inside HMAC: HMAC's security rests on the hash's compression function behaving as a pseudorandom function when keyed, not on collision resistance, so HMAC-MD5 is not broken by the known MD5 collisions. SHA-1 produces a longer 160-bit output and is regarded as cryptographically stronger, although theoretical collision attacks against it had also been published by 2005, and it does not match the performance of MD5. Because of this, many choose HMAC-MD5 where performance is critical.

Using either MD5 or SHA-1 in conjunction with HMAC remains a secure technique for authenticating transmitted messages. Both hash functions gain the additional assurance of the HMAC construction over an ad hoc keyed hash, and both have their pros and cons: MD5 outperforms SHA-1, while SHA-1 is the more secure of the two. In the end, using either requires constant monitoring, maintenance and updates to maintain security, including replacing the underlying hash function when a stronger one is required, which is exactly the replaceability HMAC was designed to allow.



References

Bellare, M., Canetti, R., & Krawczyk, H. (1997). RFC 2104 – HMAC: Keyed-Hashing for Message Authentication. Retrieved April 17, 2010 from http://www.faqs.org/rfcs/rfc2104.html

Bond, J. (2002, March 6). The Keyed-Hash Message Authentication Code (HMAC). Retrieved April 17, 2010 from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf

Zarfoss, J. (n.d.). HMAC1, The Keyed Hash-Based MAC Function. Retrieved April 17, 2010 from http://upe.acm.jhu.edu/member_sites/zarfoss/HMAC.html#HMAC
