- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
06-09-2009 04:06 AM - edited 08-23-2017 12:54 PM
Description
Hash-based Message Authentication Code (HMAC)
What is an HMAC?
A Hashed Message Authentication Code (HMAC) is a cryptographic artifact for determining the authenticity and integrity of a message object, using a symmetric key and a hash (message-digest). The HMAC can be based on message digest algorithms such as the MD5, SHA1, SHA256, etc. Possession of an HMAC value does not compromise the sensitive data as HMACs are not reversible artifacts.
What is the HMAC key in the StrongKey appliance used for?
The HMAC key in the appliance is a 256-bit key, and is used with the SHA256 hashing algorithm to create HMACs of sensitive data. The appliance automatically generates and uses a single symmetric HMAC key for a calendar year. It is used to generate HMACs for sensitive data sent to the appliance during that calendar year. This HMAC is stored in the database along with other meta-data and the ciphertext of the sensitive object.
When data is decrypted (based on a decryption request), the appliance regenerates a new HMAC with the decrypted data, using the HMAC key originally used during the encryption process, to determine if the data has not only been unmodified since it was last stored in the database, but to also determine if decryption process was successful. Without this test, the appliance would have no way of knowing if the encrypted object was modified/corrupted in the database.
RFCs
- HMAC: Keyed-Hashing for Message Authentication - RFC 2104
- HMAC-MD5 and HMAC-SHA1 Test Vectors, HMAC-SHA1 implementation in C - RFC 2104
- US Secure Hash Algorithms (SHA and HMAC-SHA) -- includes an improved SHA-1 implementation as well as SHA-224, SHA-256, SHA-384, and SHA-512 - RFC 4634
- The Use of HMAC-MD5-96 within ESP and AH — RFC 2403
- The Use of HMAC-SHA-1-96 within ESP and AH — RFC 2404
- The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec - RFC 33566
- The AES-CBC Cipher Algorithm and Its Use with IPsec - RFC 3602
- The AES-CMAC Algorithm - RFC 4493
Also See:
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I found HMAC Generator tool helpful to test and generate HMAC data based on key and algorithms.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
The link to RFC "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec" should be RFC3566 [