HMAC

• opad -- blok vida ( 0x5c 0x5c 0x5c ... 0x5c), gde bait 0x5c povtoriaetsia b raz; 0x5c -- konstanta, magicheskoe chislo, privedionnoe v RFC 2104; <> ot <>^[1];
• text -- soobshchenie (dannye), kotoroe budet peredavat'sia otpravitelem i podlinnost' kotorogo budet proveriat'sia poluchatelem;
• n -- dlina soobshcheniia text v bitakh.

Algoritm HMAC mozhno zapisat' v vide odnoi formuly^[1]: ${\displaystyle \operatorname {HMAC} _{K}(text)=\operatorname {H} {\Bigg (}(K_{0}\oplus opad)\|\operatorname {H} {\Big (}(K_{0}\oplus ipad)\|text{\Big )}{\Bigg )},}$ gde:

• <<${\displaystyle \oplus }$>> -- operatsiia <iskliuchaiushchee ILI>> ili <>;
• <<${\displaystyle \|}$>> -- operatsiia <<skleika strok>> (posledovatel'nostei bait).

Skhema raboty algoritma HMAC privedena na risunkakh.

Etapy raboty algoritm HMAC perechislennye nizhe.

1. Poluchit' K0 putiom umen'sheniia ili uvelicheniia kliucha K do razmera bloka (do b bait).

1.1. Esli dlina kliucha K ravna razmeru bloka, to kopiruem K v K0 bez izmenenii i perekhodim k shagu 2.

1.2. Esli dlina kliucha K bol'she razmera bloka, to k kliuchu K primeniaem khesh-funktsiiu H, poluchaem stroku razmerom v L bait, dobavliaem nuli k pravoi chasti etoi stroki dlia sozdaniia stroki razmerom v b bait, kopiruem rezul'tat v K0 i perekhodim k shagu 2.

1.3. Esli dlina kliucha K men'she razmera bloka, to dobavliaem nuli k pravoi chasti K dlia sozdaniia stroki razmerom v b bait, kopiruem rezul'tat v K0 (naprimer, esli length( K ) = 20 (v baitakh) i b = 64 (v baitakh), to k pravoi chasti K budet dobavleno 64 - 20 = 44 nulevykh baita (0x00)) i perekhodim k shagu 2.

2. Poluchit' blok Si razmerom v b bait s pomoshch'iu operatsii <iskliuchaiushchee ILI>> (<>, <<${\displaystyle \oplus }$>>):

3. Poluchit' blok So razmerom v b bait s pomoshch'iu operatsii <iskliuchaiushchee ILI>>:

4. Razbit' soobshchenie (dannye, nabor bait) text na bloki razmerom b bait.
5. Skleit' stroku (posledovatel'nost' bait) Si s kazhdym blokom soobshcheniia M.
6. K stroke, poluchennoi na proshlom shage, primenit' khesh-funktsiiu N.
7. Skleit' stroku So so strokoi, poluchennoi ot khesh-funktsii H na proshlom shage.
8. K stroke, poluchennoi na proshlom shage, primenit' khesh-funktsiiu N.

Kliuchi razmerom men'she L bait, schitaiutsia^[1] nebezopasnymi (angl. strongly discouraged). Rekomenduetsia^[1] vybirat' kliuchi sluchainym obrazom i reguliarno ikh meniat'. Kliuchi razmerom bol'she L bait, sushchestvenno ne uvelichivaiut^[1] stoikost' funktsii, mogut ispol'zovat'sia, esli imeiutsia somneniia v sluchainosti dannykh, ispol'zuemykh dlia sozdaniia kliucha i poluchaemykh ot generatora sluchainykh chisel.

Razmer kliucha K dolzhen byt' bol'she ili raven L/2 bait^{[istochnik ne ukazan 3983 dnia]}.

Na risunke pokazana bolee effektivnaia^[utochnit'] realizatsiia algoritma HMAC-MD5. Realizatsiia otlichaetsia ispol'zovaniem funktsii F. Ispol'zovanie etoi realizatsii tselesoobrazno, esli bol'shinstvo soobshchenii, dlia kotorykh vychisliaetsia MAC, korotkie. Funktsiia F -- funktsiia szhatiia dlia khesh-funktsii H. V kachestve argumentov F prinimaet peremennuiu n i blok dlinoi v b bait. F proizvodit razbienie bloka na tsepochku zven'ev s dlinoi kazhdogo zvena v n bait. Funktsiia F vyzyvaetsia dlia kazhdogo novogo kliucha odin raz.

Dalee privedion primer realizatsii HMAC na psevdokode:

Primer realizatsii algoritma HMAC-MD5 s pomoshch'iu funktsii standartnoi biblioteki iazyka Python^[3]:

Odna iz vozmozhnykh realizatsii algoritma HMAC-MD5 na iazyke PHP^[4]:

Prodemonstriruem primer raboty algoritma dlia razlichnykh vkhodnykh dannykh.

Pervyi parametr -- kliuch K razmerom v 160 bit (20 bait). Vtoroi parametr -- soobshchenie text, kotoroe budet peredavat'sia otpravitelem i podlinnost' kotorogo budet proveriat'sia poluchatelem. Na vykhode my poluchaem kod autentifikatsii razmerom v 160 bit.

Bolee podrobno rassmotrim algoritm HMAC-SHA1 s kliuchom razmerom v 20 bait.

Imeem: tekstovoe soobshchenie text = "Hello World" i 20-baitovyi kliuch v shestnadtsaterichnom vide K = 0x707172737475767778797a7b7c7d7e7f80818283

Shag 1. Dopolniaem kliuch K nulevymi baitami do razmera bloka. Razmer bloka khesh-funktsii SHA-1 raven 64 baitam.

K0:
70717273 74757677 78797a7b 7c7d7e7f
80818283 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000

Shag 2. Vypolniaem operatsiiu <> c konstantoi 0x36.

K0 ${\displaystyle \oplus }$ ipad :
46474445 42434041 4e4f4c4d 4a4b4849
b6b7b4b5 36363636 36363636 36363636
36363636 36363636 36363636 36363636
36363636 36363636 36363636 36363636

Shag 3. Vypolniaem skleiku iskhodnogo soobshcheniia so strokoi, poluchennoi na shage 2.

( K ${\displaystyle \oplus }$ ipad ) || text :
46474445 42434041 4e4f4c4d 4a4b4849
b6b7b4b5 36363636 36363636 36363636
36363636 36363636 36363636 36363636
36363636 36363636 36363636 36363636
48656c6c 6f20576f 726c64

Shag 4. Primenim khesh-funktsiiu SHA-1 k stroke, poluchennoi na proshlom shage.

H( ( K ${\displaystyle \oplus }$ ipad ) || text ) :
0d42b899 d804e19e bfd86fc4 4f414045 dfc9e39a

Shag 5. Vypolnim operatsiiu <> c konstantoi 0x5c.

K0 ${\displaystyle \oplus }$ opad :
2c2d2e2f 28292a2b 24252627 20212223
dcdddedf 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c

Shag 6. Skleika stroki, poluchennoi na shage 4, so strokoi, poluchennoi na shage 5.

( K0 ${\displaystyle \oplus }$ opad ) || H( ( K ${\displaystyle \oplus }$ ipad ) || text ) :
2c2d2e2f 28292a2b 24252627 20212223
dcdddedf 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
0d42b899 d804e19e bfd86fc4 4f414045
dfc9e39a

Shag 7. Primenim khesh-funktsiiu SHA-1 k stroke, poluchennoi na proshlom shage.

HMAC( K, text ) = H( ( K0 ${\displaystyle \oplus }$ opad ) || H( ( K ${\displaystyle \oplus }$ ipad ) || text ) ) :
2e492768 aa339e32 a9280569 c5d02626 2b912431

Itog.

Poluchili stroku HMAC( K, text ) razmerom v 20 bait.

Poluchennyi kod autentichnosti pozvoliaet ubedit'sia v tom, chto dannye ne izmenialis' kakim by to ni bylo sposobom s tekh por, kak oni byli sozdany, peredany ili sokhraneny doverennym istochnikom. Dlia takogo roda proverki neobkhodimo, chtoby, naprimer, dve doveriaiushchie drug drugu storony zaranee dogovorilis' ob ispol'zovanii sekretnogo kliucha, kotoryi izvesten tol'ko im. Tem samym garantiruetsia autentichnost' istochnika i soobshcheniia. Nedostatok takogo podkhoda ocheviden -- neobkhodimo nalichie dvukh doveriaiushchikh drug drugu storon.

Bezopasnost' liuboi funktsii MAC na osnove vstroennykh khesh-funktsii zavisit ot kriptostoikosti bazovoi khesh-funktsii. Privlekatel'nost' HMAC -- v tom, chto ego sozdateli smogli dokazat' tochnoe sootnoshenie mezhdu stoikost'iu vstroennykh khesh-funktsii i stoikost'iu HMAC.

Bezopasnost' funktsii imitovstavki (MAC) obychno vyrazhaetsia v terminakh veroiatnosti uspeshnogo vzloma s kolichestvom vremeni, potrachennogo na eto, a takzhe na poluchenie pary (soobshchenie -- MAC), sozdannoi s tem zhe kliuchom. V sushchnosti, eto dokazano v BELL96a, chto pri dannom urovne usiliia (vremia, soobshchenie -- MAC) na soobshchenie, sgenerirovannoe konechnym pol'zovatelem, veroiatnost' uspeshnoi ataki na HMAC ekvivalentna atake, proizvedionnoi na vstroennuiu khesh-funktsiiu:

1. V pervom tipe ataki my mozhem rassmatrivat' funktsii szhatiia F v kachestve ekvivalenta khesh-funktsii, primeniaemoi dlia soobshcheniia, sostoiashchie iz edinichnogo bloka dlinoi B bit. Dlia etogo na vkhod khesh-funktsii podaiotsia sluchainoe znachenie dlinoi N bit. Napadenie na khesh-funktsiiu trebuet ili polnogo perebora kliucha, kotoryi obladaet urovnem slozhnosti poriadka ${\displaystyle 2^{n}}$, ili s pomoshch'iu ataki <>, kotoraia iavliaetsia chastnym sluchaem vtorogo napadeniia, chto obsuzhdaetsia dalee.
2. Vo vtorom tipe ataki zloumyshlennik ishchet dva soobshcheniia M i M', kotorye poluchaiutsia ot odinakovoi khesh-funktsii: H( M ) = H( M' ). Etot tip ataki izvesten takzhe kak ataka <>. Uroven' slozhnosti dannoi ataki raven ${\displaystyle 2^{n/2}}$ dlia khesha dliny n. Iskhodia iz etogo, bezopasnost' khesh-funktsii MD5 stavitsia pod vopros, potomu chto uroven' slozhnosti dlia nego ${\displaystyle 2^{64}}$, chto uzhe ne vygliadit nevozmozhnym pri pomoshchi sovremennykh^[kogda?] tekhnologii. Oznachaet li eto, chto 128-bitnaia khesh-funktsiia, takaia, kak MD5, ne podkhodit dlia HMAC? Otvet na etot vopros -- net, chto posleduet iz sleduiushchikh argumentov^{[istochnik ne ukazan 1722 dnia]}. Pri atake na MD5 zloumyshlennik mozhet vybrat' liuboi nabor soobshchenii i rabotat' offlain nad poiskom kollizii. Tak kak zloumyshlennik znaet algoritm kheshirovaniia i nachal'nye usloviia, zloumyshlennik mozhet sozdat' khesh-kod dlia kazhdogo iz soobshchenii. Odnako, pri atake HMAC, zloumyshlennik ne smozhet generirovat' paru (<>, <>) v udalionnom (offlain) rezhime, tak kak zloumyshlennik ne znaet kliucha K. Takim obrazom, zloumyshlennik dolzhen sledit' za posledovatel'nost'iu soobshchenii, porozhdaemykh HMAC s tem zhe kliuchom, i vypolniat' ataku na nikh. Dlia khesh-koda dlinoi 128 bit trebuetsia ${\displaystyle 2^{64}}$ blokov ili ${\displaystyle 2^{72}}$ bitov, sgenerirovannykh s pomoshch'iu togo zhe kliucha. Dlia 1-Gbit soedineniia nuzhno bylo by sledit' za potokom soobshchenii, esli kliuch K ne izmeniaetsia, v techenie 150 000 let dlia togo chtoby dobit'sia uspekha. Takim obrazom, esli skorost' imeet znachenie, vpolne priemlemo ispol'zovat' MD5, a ne SHA-1 v kachestve vstroennykh khesh-funktsii dlia HMAC.

• Message authentication code (MAC)
• Protokol IPsec
• Khesh-funktsiia MD5
• RSA
• Khesh-funktsiia SHA-1
• DES

• Blek U. Internet protokoly bezopasnosti. Moskva: izdatel'stvo <>. 2001. ISBN 5-318-00002-9 (ISBN originala na angliiskom iazyke: ISBN 0-13-014249-2).
• RFC 2104. Krawczyk H., Bellare M., Canetti R. <>. Fevral' 1997.
• Stallings W. Cryptography and network security principles and practices. 2005. ISBN 0-13-187316-4.

• HMAC (angl.).
• RFC 2104. HMAC. Fevral' 1997.
• RFC 4226. M'Raihi D., Bellare M., Hoornaert F., Naccache D., Ranen O. <<HOTP: an HMAC-based one-time password algorithm>>. Dekabr' 2005.
• Generate HMAC Online. Onlain-generator HMAC.