LaRon Walker - H-MAC vs. MAC
LaRon Walker
April, 2010
ABSTRACT
There are many ways to protect different data types so they cannot be read or altered undetected if intercepted by unauthorized parties. For protecting the integrity of messages, the most commonly used methods are Message Authentication Codes (MAC) and Hash-based Message Authentication Codes (HMAC). In both of these methods a secret key is shared between a sender and a recipient, and the authentication tag transmitted with a message can only be produced or verified by someone holding the correct shared key. Neither method hides the contents of the message, so encryption must be applied separately if confidentiality is also required. HMAC is a particular MAC construction that derives the tag from a standard cryptographic hash function, and its nested design avoids the forgery weakness of ad hoc keyed hashes. In this document, I will compare the differences between MAC and HMAC, why the HMAC method is more secure than an ad hoc MAC method, and examples of scenarios where MAC
Communication via the Internet has become a very common way for people to interact with each other. Because of the growing amount of information transmitted over the Internet, the security of that data has become a concern. If proper security steps are not taken, most information is sent over the Internet in plain text, so it can be intercepted, read, and silently altered in transit. This is especially important when sending messages. There are many different methods to secure these types of communications; however, the more
A Message Authentication Code (MAC) is a method in which the integrity and origin of data are checked using a secret key that is shared between a sender and a recipient. The same method can also apply to a single sender sending data to multiple recipients, provided every recipient holds the shared key; note that any holder of the key can also produce valid tags, so a MAC cannot tell the recipients apart from one another. Per Bond (2002), a message authentication code is "a cryptographic checksum that results from passing data through a message authentication algorithm." In practice, the sender computes the checksum (the tag) over the message using the key and transmits both; the recipient recomputes the tag with the same key and accepts the message only if the two match. The key itself is never transmitted, so a sniffer or packet-capturing application that observes the message and its tag does not thereby learn the key. The weakness of early, ad hoc MAC designs lies elsewhere: a construction such as MD5(key || message) is vulnerable to a length-extension attack, in which an attacker who sees one valid (message, tag) pair can append data of their choosing and compute a valid tag for the extended message without ever knowing the key. This is what created the need for a MAC construction with a well-understood security argument.
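The length-extension attack on an ad hoc keyed hash, as an added example that is not part of the original paper: the script below builds a MAC as MD5(key || message), then forges a valid tag for an extended message knowing only the key's length, the original message and its tag. MD5 is re-implemented minimally so that its internal chaining state can be resumed from a tag (the standard library's hashlib does not expose that state), and the key, message and appended suffix are constructed sample values.

```python
"""Forging a naive MAC(key, m) = MD5(key || m) without the key.

Added example for this paper (not from the paper or from RFC 2104). MD5 is
re-implemented minimally so its internal state can be resumed from a tag;
the key, message and appended suffix are constructed sample values.
"""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]  # RFC 1321 T[i]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def _compress(state, block):
    """One MD5 compression step over a 64-byte block (RFC 1321 section 3.4)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """The 0x80, zero bytes and 64-bit bit length MD5 appends to total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def md5(data, state=_IV, already_hashed=0):
    """MD5 of data; with state/already_hashed it resumes a hash whose first
    already_hashed bytes (a multiple of 64) produced that chaining state."""
    data += md5_padding(already_hashed + len(data))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def naive_mac(key, message):
    """The ad hoc construction that HMAC was designed to replace."""
    return hashlib.md5(key + message).digest()


def forge(key_len, message, tag, suffix):
    """Attacker: from (message, tag) and only the key LENGTH, build a longer
    message with a valid tag. The tag is exactly the chaining state after
    hashing key||message||padding, so hashing simply continues from it."""
    glue = md5_padding(key_len + len(message))
    forged_message = message + glue + suffix
    state = struct.unpack("<4I", tag)
    forged_tag = md5(suffix, state, key_len + len(message) + len(glue))
    return forged_message, forged_tag


if __name__ == "__main__":
    key = b"s3cret-shared-key"          # constructed; the attacker never sees it
    message = b"amount=100&to=alice"    # constructed
    tag = naive_mac(key, message)
    forged_message, forged_tag = forge(len(key), message, tag, b"&to=mallory")
    print(forged_message)
    print("forgery accepted by the verifier:", naive_mac(key, forged_message) == forged_tag)
```

The forged message carries the hash padding bytes between the original data and the appended suffix, so the attack matters most against loosely parsed formats such as query strings and cookies, where a later duplicate parameter overrides an earlier one. An attacker who does not know the key length simply tries each plausible length until the verifier accepts. HMAC's outer hash removes the ability to resume from the tag at all, which is the point of the nested construction described in the next section.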
Keyed-Hash Message Authentication Code (HMAC) is a MAC construction that, like any MAC, relies on a secret shared key, but builds the tag from an ordinary cryptographic hash function such as MD5, SHA-1 or RIPEMD-160 (the resulting algorithms are named HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD, and so on). The key is brought to the hash function's block size and the hash is applied twice, once over an inner-padded key and the message and once over an outer-padded key and the inner result:

HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))

where K' is the key zero-padded to the block size (a key longer than a block is hashed first), ipad is the byte 0x36 repeated and opad is the byte 0x5c repeated. The outer hash is what defeats the length-extension attack on a plain keyed hash. The tag is an integrity and authenticity check: it tells the recipient that the message was not altered and was produced by a holder of the key, not that the message has reached the correct destination. HMAC was published by Bellare, Canetti and Krawczyk in 1996 and specified in RFC 2104 in 1997; in 2002 NIST adopted it as FIPS 198, a Federal Information Processing Standard for computer security. Per Bellare, Canetti and Krawczyk (1997), the design goals behind the HMAC construction include the following:

- To use, without modifications, available hash functions. In particular, hash functions that perform well in software, and for which code is freely and widely available.
- To preserve the original performance of the hash function without incurring a significant degradation.
- To allow for easy replaceability of the underlying hash function in case that faster or more
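The nested construction in working code, as an added example that is not code from the paper, from RFC 2104 or from FIPS 198: the function below implements HMAC over any hashlib digest (so the underlying hash can be swapped, as the design goals above require), checks itself against published known-answer vectors from RFC 2202 (HMAC-MD5, HMAC-SHA1) and RFC 4231 (HMAC-SHA-256) and against Python's standard hmac module, and verifies tags with a comparison whose running time does not depend on where the first differing byte is. The shared key and messages in the demonstration are constructed sample values.

```python
"""HMAC as specified in RFC 2104, built on hashlib, with a verify step.

Added example for this paper; not taken from RFC 2104, FIPS 198 or the
paper's author. Known-answer vectors are from RFC 2202 and RFC 4231; the
key and messages under __main__ are constructed sample values.
"""
import hashlib
import hmac  # standard library, used only to cross-check the result

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_rfc2104(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key brought to the hash function's block size: hashed first
    if it is longer than a block (RFC 2104 section 2), then zero-padded.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD_BYTE for b in key)
    outer_key = bytes(b ^ OPAD_BYTE for b in key)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two tags in time independent of where they first differ, so a
    remote attacker cannot learn a valid tag byte by byte from response
    timing. (In production code use hmac.compare_digest, which does this.)"""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify(hash_name: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient side: recompute the tag with the shared key and compare."""
    return constant_time_equal(hmac_rfc2104(hash_name, key, message), tag)


# Published known-answer vectors: RFC 2202 test case 1 (MD5, SHA-1) and
# RFC 4231 test case 1 (SHA-256). Key is 0x0b repeated, data is "Hi There".
KNOWN_ANSWERS = {
    "md5": (b"\x0b" * 16, "9294727a3638bb1c13f48ef8158bfc9d"),
    "sha1": (b"\x0b" * 20, "b617318655057264e28bc0b6fb378c8ef146be00"),
    "sha256": (b"\x0b" * 20,
               "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
}


def known_answers_pass() -> bool:
    """True if every vector matches both this implementation and the stdlib."""
    for name, (key, expected_hex) in KNOWN_ANSWERS.items():
        ours = hmac_rfc2104(name, key, b"Hi There")
        if ours.hex() != expected_hex:
            return False
        if ours != hmac.new(key, b"Hi There", name).digest():
            return False
    return True


def matches_stdlib(hash_name: str, key: bytes, message: bytes) -> bool:
    """Cross-check against hmac.new, including keys longer than one block."""
    return hmac_rfc2104(hash_name, key, message) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    key = b"constructed-shared-key"              # constructed sample key
    message = b"amount=100&to=alice"             # constructed sample message
    tag = hmac_rfc2104("sha256", key, message)
    print("known answers pass:", known_answers_pass())
    print("genuine message verifies:", verify("sha256", key, message, tag))
    print("tampered message verifies:", verify("sha256", key, b"amount=900&to=alice", tag))
    print("100-byte key matches stdlib:", matches_stdlib("sha1", b"k" * 100, message))
```

Because the hash is only ever called as a black box, swapping MD5 for SHA-1 or SHA-256 is a one-argument change, which is exactly the replaceability goal listed above; the key-longer-than-a-block case is the one implementers most often get wrong, so it is checked against the standard library explicitly.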
Although HMAC is a reliable method for authenticating message transmissions, it still has its drawbacks. The cryptographic hash functions most commonly used in conjunction with HMAC are MD5 and SHA-1. The MD5 hash function is vulnerable to collision-search attacks (Dobb); however, a collision attack does not by itself compromise its use within HMAC, because the attacker does not control the keyed inputs to the hash and HMAC's security rests on weaker properties of the compression function than full collision resistance. SHA-1 is considered more cryptographically sound and, when this was written, had no practical collision attack against it, but it does not match the performance of MD5. Due to this, many choose the MD5 hash function along with HMAC.

Using either the MD5 or the SHA-1 hash function in conjunction with HMAC was, at the time of writing, regarded as a secure technique for authenticating transmitted messages. Both offer integrity and origin authentication for messages sent under a shared key, and both have their pros and cons. Although MD5 outperforms SHA-1, SHA-1 is the more conservative choice, and a practitioner today should note that NIST has never approved MD5 for any use and no longer recommends SHA-1 for new designs, so new deployments normally use a SHA-2 member such as HMAC-SHA-256. In the end, using either hash-function method requires
References

Bellare, M., Canetti, R., & Krawczyk, H. (1997). RFC 2104: HMAC: Keyed-Hashing for Message Authentication.

Bond, J. (2002, March 6). The Keyed-Hash Message Authentication Code (HMAC). Retrieved April 17, 2010.

Zarfoss, J. HMAC1, The Keyed Hash-Based MAC Function. Retrieved April 17, 2010, from http://upe.acm.jhu.edu/member_sites/zarfoss/HMAC.html#HMAC