cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16816
Views
0
Helpful
2
Comments
ITA Terms
Community Member

 

Description

Hash-based Message Authentication Code (HMAC)

 

What is an HMAC?

 

A Hashed Message Authentication Code (HMAC) is a cryptographic artifact for determining the authenticity and integrity of a message object, using a symmetric key and a hash (message-digest). The HMAC can be based on message digest algorithms such as the MD5, SHA1, SHA256, etc. Possession of an HMAC value does not compromise the sensitive data as HMACs are not reversible artifacts.

 

 

 

What is the HMAC key in the StrongKey appliance used for?

 

The HMAC key in the appliance is a 256-bit key, and is used with the SHA256 hashing algorithm to create HMACs of sensitive data. The appliance automatically generates and uses a single symmetric HMAC key for a calendar year. It is used to generate HMACs for sensitive data sent to the appliance during that calendar year. This HMAC is stored in the database along with other meta-data and the ciphertext of the sensitive object.

 

When data is decrypted (based on a decryption request), the appliance regenerates a new HMAC with the decrypted data, using the HMAC key originally used during the encryption process, to determine if the data has not only been unmodified since it was last stored in the database, but to also determine if decryption process was successful. Without this test, the appliance would have no way of knowing if the encrypted object was modified/corrupted in the database.

 

 

RFCs

  • HMAC: Keyed-Hashing for Message Authentication - RFC 2104
  • HMAC-MD5 and HMAC-SHA1 Test Vectors, HMAC-SHA1 implementation in C - RFC 2104
  • US Secure Hash Algorithms (SHA and HMAC-SHA) -- includes an improved SHA-1 implementation as well as SHA-224, SHA-256, SHA-384, and SHA-512 - RFC 4634
  • The Use of HMAC-MD5-96 within ESP and AH — RFC 2403
  • The Use of HMAC-SHA-1-96 within ESP and AH — RFC 2404
  • The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec - RFC 33566
  • The AES-CBC Cipher Algorithm and Its Use with IPsec - RFC 3602
  • The AES-CMAC Algorithm - RFC 4493

 

Also See:

Comments
Jimmy5
Cisco Employee
Cisco Employee

I found HMAC Generator tool helpful to test and generate HMAC data based on key and algorithms. 

cparekh
Cisco Employee
Cisco Employee

@ITA Terms 

 

The link to  RFC  "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec" should be RFC3566 [

https://tools.ietf.org/rfc/rfc3566.txt]

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: