HMAC
- Chinese name: Hash message authentication code
- Foreign name: Hash-based Message Authentication Code
- Abbreviation: HMAC
- Overview: HMAC is a key-related hash operation
- Operation function: Verify the number of authorizations accepted by TPM
HMAC is a key-related hash-based message authentication code. An HMAC operation uses a hash algorithm, takes a key and a message as input, and generates a message digest as output.
Introduction
Calculation function
(1) Verify the authorization data and authentication data accepted by the TPM;
(2) Confirm that the command request received by the TPM is an authorized request, and that the command has not been changed during transmission.
Defining HMAC requires a cryptographic hash function (denoted H, which can be MD5 or SHA-1) and a key K. We use B to denote the number of bytes in a data block (the hash functions mentioned above process data in blocks of B=64 bytes), and L to denote the number of bytes output by the hash function (L=16 for MD5, L=20 for SHA-1). The authentication key can have any positive length less than or equal to the data block length. If the key used in the application is longer than B, first apply the hash function H to it, and then use the L-byte string output by H as the key actually used in HMAC. In general, the recommended minimum length of the key K is L bytes.
Algorithm expression
Algorithm formula: HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M)) [1]
H represents the hash algorithm used (such as SHA-256)
K represents the authentication password
Ko represents the cipher text of the HASH algorithm
M represents a message input
B represents the block size processed in H. This is the size of the processed block, not the size of the output hash.
For example, B = 64 for SHA-1 and SHA-256, and B = 128 for SHA-384 and SHA-512
L represents the size of the hash output
Opad is 0x5c repeated B times
Ipad is 0x36 repeated B times
Apad is 0x878FE1F3 repeated (L/4) times
HMAC operation steps
First-Hash = H(Ko XOR Ipad || (data to auth))
Second-Hash = H(Ko XOR Opad || First-Hash)
(1) Append zeros to the key K to create a string of length B. (For example, if K is 20 bytes long and B=64 bytes, 44 zero bytes 0x00 are appended to K.)
(2) XOR the B-byte string generated in the previous step with ipad.
(3) Append the data stream text to the result string of the second step.
(4) Apply H to the data stream generated in the third step.
(5) XOR the B-byte string generated in the first step with opad.
(6) Append the result of the fourth step to the result of the fifth step.
(7) Apply H to the data stream generated in the sixth step and output the final result.
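The seven steps above, written out as an added example (not code from the original page) and checked against Python's standard `hmac` module. The function name `hmac_by_steps` and the sample keys and messages are constructed for illustration; the case with a 200-byte key exercises the rule that keys longer than B are hashed first.

```python
import hashlib
import hmac


def hmac_by_steps(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Compute HMAC with the page's steps (1)-(7); H, B and L as defined above."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    B = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256, 128 for SHA-384/SHA-512

    # A key longer than B is replaced by its L-byte hash before padding.
    if len(key) > B:
        key = H(key)
    # Step 1: append zero bytes to K up to length B.
    padded = key.ljust(B, b"\x00")
    # Step 2: XOR the padded key with ipad (0x36 repeated B times).
    inner_key = bytes(x ^ 0x36 for x in padded)
    # Steps 3-4: append the message and hash (First-Hash).
    first_hash = H(inner_key + message)
    # Step 5: XOR the padded key with opad (0x5c repeated B times).
    outer_key = bytes(x ^ 0x5C for x in padded)
    # Steps 6-7: append First-Hash and hash again (Second-Hash).
    return H(outer_key + first_hash)


def check_against_stdlib() -> bool:
    """Compare with hmac.new() on constructed inputs, including a key longer than B."""
    cases = [
        ("md5", b"\x0b" * 16, b"Hi There"),
        ("sha1", b"k" * 20, b"20-byte key, 44 zero bytes of padding"),
        ("sha256", b"K" * 200, b"key longer than B=64 is hashed first"),
        ("sha512", b"K" * 100, b"100 bytes is shorter than B=128"),
    ]
    return all(
        hmac_by_steps(k, m, h) == hmac.new(k, m, h).digest() for h, k, m in cases
    )


if __name__ == "__main__":
    print("matches standard library:", check_against_stdlib())
```
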
HMAC application
HMAC is mainly used in authentication, and it is used as follows:
(1) The client sends a login request (assuming it is a browser GET request).
(2) The server returns a random value and records this random value in the session.
(3) The client performs an HMAC operation using the random value as the key and the user password, and then submits the result to the server.
(4) The server reads the user password from the user database and, with the random value sent in step 2, performs the same HMAC operation as the client, and then compares it with the result sent by the user. If the results are consistent, the user is verified as legitimate.
In this process, the random value sent by the server and the HMAC result sent by the user may be attacked. For hackers who intercept these two values, the values are meaningless, and there is no possibility of obtaining the user password. The introduction of the random value makes the HMAC valid only in the current session, which greatly enhances security and practicability. Most languages have implemented the HMAC algorithm, such as PHP's mhash, Python's hmac.py, and Java's MessageDigest class. It is also feasible to use HMAC in web authentication, and MD5 operations in JS are also relatively fast.
Typical applications
A typical application of HMAC is "Challenge/Response" authentication.
Authentication process
(1) First, the client sends a verification request to the server.
(2) After receiving this request, the server generates a random number and transmits it to the client via the network (this is the challenge).
(3) The client provides the received random number to ePass, and ePass uses the random number to perform an HMAC-MD5 operation with the key stored in ePass, obtaining a result that is sent to the server as authentication evidence (this is the response).
(4) At the same time, the server also uses the random number and the client key stored in the server database to perform the HMAC-MD5 calculation. If the server's calculation result is the same as the response returned by the client, the client is considered to be a legitimate user.
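Both sides of the challenge/response exchange described above and in the "HMAC application" steps, as an added example (not code from the original page). `ChallengeServer`, `client_respond`, the client id `alice` and the keys are constructed for illustration; the digest defaults to SHA-256 as an assumption, and passing `"md5"` gives the HMAC-MD5 the ePass flow describes. Each challenge is single-use and responses are compared in constant time.

```python
import hmac
import secrets


class ChallengeServer:
    """Server side: issues one-time random challenges and verifies HMAC responses."""

    def __init__(self, client_keys: dict, digest: str = "sha256"):
        self.client_keys = client_keys  # constructed stand-in for the server key database
        self.digest = digest
        self.pending = {}               # client id -> outstanding challenge

    def issue_challenge(self, client_id: str) -> bytes:
        # Step (2): generate a fresh random number and remember it for this client.
        challenge = secrets.token_bytes(32)
        self.pending[client_id] = challenge
        return challenge

    def verify(self, client_id: str, response: bytes) -> bool:
        # pop() consumes the challenge, so a captured response cannot be replayed.
        challenge = self.pending.pop(client_id, None)
        key = self.client_keys.get(client_id)
        if challenge is None or key is None:
            return False
        # Step (4): same HMAC on the server side, compared in constant time.
        expected = hmac.new(key, challenge, self.digest).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, challenge: bytes, digest: str = "sha256") -> bytes:
    # Step (3): the client (the ePass token in the text) keys HMAC with its stored secret.
    return hmac.new(key, challenge, digest).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared key
    server = ChallengeServer({"alice": key})
    first = client_respond(key, server.issue_challenge("alice"))
    results = {"valid": server.verify("alice", first)}
    results["replay_same_challenge"] = server.verify("alice", first)
    server.issue_challenge("alice")
    results["replay_new_challenge"] = server.verify("alice", first)
    challenge = server.issue_challenge("alice")
    results["wrong_key"] = server.verify("alice", client_respond(b"x" * 32, challenge))
    return results


if __name__ == "__main__":
    print(demo())
```
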
Security analysis
From the above introduction, we can see that the HMAC algorithm is more like an encryption algorithm. It introduces a key, and its security does not completely depend on the HASH algorithm used. The security is mainly guaranteed by the following points:
(1) The key used is agreed on by both parties in advance, and it is impossible for a third party to know it. From the application process introduced in 3.2, it can be seen that a third party who illegally intercepts information can obtain only the random number used as the "challenge" and the HMAC result used as the "response", and the key cannot be calculated from these two values. Since the key is not known, a consistent response cannot be faked.