RFC 2104 - HMAC: Keyed-Hashing for Message Authentication

Overview

RFC 2104 defines HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function (MD5, SHA-1, SHA-256, SHA-3, etc.) in combination with a secret shared key.

Official Reference

• Document: RFC 2104
• Title: HMAC: Keyed-Hashing for Message Authentication
• URL: https://www.rfc-editor.org/rfc/rfc2104
• Authors: H. Krawczyk, M. Bellare, R. Canetti
• Date: February 1997

Related Standards

• FIPS 198-1: The Keyed-Hash Message Authentication Code (HMAC)
  • URL: https://csrc.nist.gov/pubs/fips/198-1/final
• RFC 4231: Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
  • URL: https://www.rfc-editor.org/rfc/rfc4231

Implementation Status

Algorithm	Hash	MAC Size	Status	Class
HMAC-SHA-256	SHA-256	32 bytes	✅ Implemented	HmacSha256
HMAC-SHA-384	SHA-384	48 bytes	✅ Implemented	HmacSha384
HMAC-SHA-512	SHA-512	64 bytes	✅ Implemented	HmacSha512
HMAC-SHA3-256	SHA3-256	32 bytes	✅ Implemented	HmacSha3_256
HMAC-SHA-1	SHA-1	20 bytes	✅ Implemented (legacy)	HmacSha1
HMAC-MD5	MD5	16 bytes	✅ Implemented (legacy)	HmacMd5

Algorithm

Definition

HMAC is defined as:

HMAC(K, m) = H((K' ⊕ opad) ‖ H((K' ⊕ ipad) ‖ m))

Where:

• H is a cryptographic hash function
• K is the secret key
• K' is the key derived from K:
  • If |K| > B: K' = H(K) (hash the key)
  • If |K| ≤ B: K' = K ‖ 0^(B - |K|) (pad with zeros)
• B is the block size of the hash function in bytes
• ipad = 0x36 repeated B times
• opad = 0x5c repeated B times
• ‖ denotes concatenation
• ⊕ denotes bitwise XOR

Parameters by Hash Function

Hash	Block Size (B)	Output Size (L)	Security
SHA-256	64 bytes	32 bytes	256 bits
SHA-384	128 bytes	48 bytes	384 bits
SHA-512	128 bytes	64 bytes	512 bits
SHA3-256	136 bytes	32 bytes	256 bits
SHA-1	64 bytes	20 bytes	160 bits
MD5	64 bytes	16 bytes	128 bits

Pseudocode

function HMAC(key, message):
    if length(key) > blockSize:
        key = hash(key)
    
    key = key ‖ zeros(blockSize - length(key))
    
    ipadKey = key ⊕ repeat(0x36, blockSize)
    opadKey = key ⊕ repeat(0x5c, blockSize)
    
    innerHash = hash(ipadKey ‖ message)
    return hash(opadKey ‖ innerHash)

---

Security Properties

• PRF Security: HMAC is a pseudorandom function if the underlying hash function's compression function is a PRF.
• Key Length: The recommended minimum key length is equal to the hash output size (L bytes).
• Truncation: HMAC output may be truncated, but not to less than half the hash output or 80 bits (whichever is larger).
• Collision Resistance: HMAC security does not depend on collision resistance of the hash function. Even with SHA-1's broken collision resistance, HMAC-SHA-1 remains secure for authentication.

---

References

1. RFC 2104: https://www.rfc-editor.org/rfc/rfc2104
2. RFC 4231: https://www.rfc-editor.org/rfc/rfc4231
3. FIPS 198-1: https://csrc.nist.gov/pubs/fips/198-1/final
4. NIST SP 800-107 Rev.1: Recommendation for Applications Using Approved Hash Algorithms