Re: HMAC -NMAC security
From: Mark Wooding (mdw_at_nsict.org)
Date: 30 Jun 2003 10:52:13 GMT
whoami <email@example.com> wrote:
> I don't understand why we need to hide the result of the inner
> function h(K2||x). I know that because of the extension attack one
> can easily find h(K2||x||y) no matter what y is but does this give
> some information on h(K1||h(K2||x||y)) which is the result of HMAC
> over x||y?
Quick overview of the thinking behind HMAC:
* The inner layer is intended to be collision resistant. The key is
present at this layer because finding collisions with an unknown
initialization vector is harder than finding them if the IV is
* The outer layer is intended to be a pseudorandom function, with
fixed-length input and output. It's this layer which really
provides the security of the construction.
* As long as the output from the inner layer is different for
different input messages, an adversary can't predict the tag for a
message (because the outer layer is effectively random). If he
finds a collision in the inner layer, he can request a tag for one
of the colliding pair, and present the other other as his forgery.
* Keeping the intermediate value $H(K_2 \cat x)$ secret makes it
harder for an adversary to know whether he's found a collision.
 The proof that NMAC is a decent MAC only assumes that the outer
layer works as a MAC on fixed-length inputs. However, it's the
PRF-like property of the outer layer that means you can get away
with things like truncating the tag.