Monday, 14 October 2019

HMAC - Hash-Based Message Authentication Code

Introduction
In Turkish it is "Özet Tabanlı Mesaj Doğrulama Kodu". The explanation is as follows:
The purpose of a Message Authentication Code (MAC), of which the HMAC is an example, is to prove both the authenticity and the integrity of the message.
In other words, it is used to:
1. Confirm that the message genuinely comes from the stated sender
2. Verify that the integrity of the message has not been broken

CRC vs HMAC
A CRC is cheaper in terms of CPU cost, but it only catches accidental corruption; it gives no protection against deliberate modification. The explanation is as follows:
The CRC32 does not give you any guarantees that the HMAC does not also give you. Put another way, the HMAC gives you all the guarantees the CRC32 gives you and more: the CRC32 protects against unintentional alteration due to common transmission problems such as noise and interference, the HMAC also protects against intentional alteration.

The CRC32, however, may be less compute-intensive to verify. So, if your communication channel is very noisy and your receiver device is CPU-constrained, it may make sense to use the additional CRC32 to quickly throw away corrupted packets without having to verify the more expensive HMAC and only do the expensive HMAC verification on packets you know were at least not corrupted during transmission.

This balance may tip, however, if your chosen CPU has built-in acceleration for the cryptographic primitives used in the HMAC.

In the particular case of a noisy channel, it would probably make even more sense to use an Error Correction Code or some other mechanism for Forward Error Correction like a Hamming or Reed-Solomon code instead of only a mere Error Detection Code like CRC32.
A CRC only guarantees detection of burst errors up to a length bounded by the width of the CRC. The explanation is as follows:
Assuming you don't care about security (which would be the case if you used a 4-byte HMAC), a CRC is actually better for detecting small accidental errors. An n-bit CRC is guaranteed to detect any burst error up to n + 1 bits in length, with the sole exception of a burst error whose polynomial divides the CRC polynomial, in which case the probability of the error going undetected is 1 (i.e. always goes through undetected).
Methods for Checking That a Message Has Not Been Modified
There are two basic methods. HMAC is the second one.
1. Share the hash value out-of-band: A simple example is downloading a file off a website which shows the file's hashsum on the web page next to the download link (the out-of-band channel here is the web page content being served within a different communication channel or even better served by a different web server). Once you have successfully downloaded the file, you would calculate the hash of the file independently and compare the hash to ensure integrity. This is a common practice for critical files such as an operating system image.

2. Authenticate the hash sent along with the data: this is done by using what is known as a Hashed Message Authentication Code (HMAC), which provides both the "integrity" and "authenticity" security services to your message. There are a lot of detailed answers about this topic here.
Hash vs HMAC
Appending a plain hash to a message does not guarantee that the message has not been modified: anyone can recompute the hash over a changed message. Prefixing a secret key, as in sha256(key + message), is not enough either. Not every hash function is open to a length extension attack, but most of the common ones (MD5, SHA-1, SHA-256) are, so to guarantee the message's authenticity HMAC should be used instead of a bare hash. The explanation is as follows:
Look at the code snippet below.

signature = sha256(Key + Message) 

The forum topics and related code indicate an intent to create a signature as a way to verify message authentication and integrity.   Unfortunately, most of the common hashing algorithms such as SHA256 are vulnerable to a length extension attack which, simply stated, means:

Hash(Key + Message) can be used to derive Hash(Key + Message + extra) even if the secret Key value is not known.

Potential Impact: The impact of this attack means that the receiver cannot detect if the message has been altered.  An attacker can intercept a message and signature, modify the message, derive a new signature, and forward the modified message and signature to the receiver; and the modification would not be detectable.

Not all hash functions are subject to a length extension attack, but unfortunately, the ones that are include SHA256 and many of the other common hash functions.

Solution: Use the right function — HMAC.
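A working demonstration of the attack described above, and of why HMAC stops it, as an added example (not code from the original post or from the quoted forum answer). It implements SHA-256 in pure Python so that the hash can be resumed from a known digest; `naive_sign` is the page's `sha256(Key + Message)`, `forge` knows only the length of the key, and the key, message and appended suffix are constructed for the demo.

```python
import hashlib
import hmac
import struct

# --- A minimal SHA-256 whose internal state can be seeded (pure Python, stdlib only) ---

def _iroot(n, k):
    """Exact integer k-th root: largest r with r**k <= n."""
    lo, hi = 0, 1 << (n.bit_length() // k + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def _primes(count):
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found):
            found.append(n)
        n += 1
    return found

# FIPS 180-4 constants: first 32 fractional bits of the cube/square roots of the first primes.
_P = _primes(64)
_K = [_iroot(p << 96, 3) & 0xFFFFFFFF for p in _P]
_H0 = [_iroot(p << 64, 2) & 0xFFFFFFFF for p in _P[:8]]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF

def _compress(state, block):
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xFFFFFFFF)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & 0xFFFFFFFF
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & 0xFFFFFFFF
        a, b, c, d, e, f, g, h = (t1 + t2) & 0xFFFFFFFF, a, b, c, (d + t1) & 0xFFFFFFFF, e, f, g
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def _pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256(msg, state=None, prior_len=0):
    """SHA-256(msg). With state/prior_len it resumes from a known digest as if
    prior_len bytes (a multiple of 64) had already been absorbed."""
    data = msg + _pad(prior_len + len(msg))
    st = list(_H0 if state is None else state)
    for off in range(0, len(data), 64):
        st = _compress(st, data[off:off + 64])
    return struct.pack(">8L", *st)

# --- The attack against sig = sha256(key + msg), knowing only len(key) ---

def forge(orig_sig, key_len, orig_msg, extra):
    """Return (forged_msg, forged_sig) such that sha256(key + forged_msg) == forged_sig."""
    glue = _pad(key_len + len(orig_msg))            # the padding the victim's hash applied
    forged_msg = orig_msg + glue + extra
    state = struct.unpack(">8L", orig_sig)          # the digest *is* the internal state
    absorbed = key_len + len(orig_msg) + len(glue)  # a multiple of 64 by construction
    return forged_msg, sha256(extra, state=state, prior_len=absorbed)

def naive_sign(key, msg):
    return hashlib.sha256(key + msg).digest()            # the vulnerable scheme from the page

def hmac_sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()   # the fix

def verify(sign, key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)

def demo():
    key = b"s3cr3t-key-2019"          # constructed secret; the attacker only knows len(key)
    msg = b"amount=10&to=alice"       # constructed message
    extra = b"&to=mallory"            # what the attacker appends
    forged_msg, forged_sig = forge(naive_sign(key, msg), len(key), msg, extra)
    naive_accepts = verify(naive_sign, key, forged_msg, forged_sig)   # True: forgery accepted
    forged_msg, forged_sig = forge(hmac_sign(key, msg), len(key), msg, extra)
    hmac_accepts = verify(hmac_sign, key, forged_msg, forged_sig)     # False: HMAC rejects it
    return naive_accepts, hmac_accepts
```

`demo()` returns `(True, False)`: the naive scheme accepts `amount=10&to=alice` followed by the padding bytes and `&to=mallory`, HMAC does not. The extension is not clean text, so the receiving application has to tolerate the padding run for the attack to matter in practice, which web frameworks and query-string parsers commonly do. HMAC resists because the value an attacker sees is the outer hash of `(K xor opad) || inner`; extending that produces the hash of a string that is not the HMAC of any message.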
What Is HMAC?
The HMAC is sent along with the message. It uses a key shared by the two parties, so it is a symmetric-key construction, but it does not encrypt anything; it only authenticates.
Hash-based Message Authentication Codes (HMACs) enable one to use a secret plus a cryptographic hash function to generate a MAC.  This can be used to demonstrate that whoever generated the MAC was in possession of the MAC key.  
The explanation is as follows:
HMAC was defined with two nested hash function calls
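The two nested calls written out, as an added example (not the page's code), checked against Python's standard `hmac` module. Key handling follows RFC 2104: keys longer than the hash block size are hashed first, shorter keys are zero-padded; the block size is 64 bytes for SHA-256, not the 32-byte digest size, which is a common mistake in hand-rolled versions.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 block size in bytes; RFC 2104 pads the key to this, not to the digest size
IPAD, OPAD = 0x36, 0x5C

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), per RFC 2104."""
    if len(key) > BLOCK_SIZE:              # long keys are reduced with the hash first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to one full block
    inner = hashlib.sha256(bytes(b ^ IPAD for b in key) + msg).digest()   # inner call
    return hashlib.sha256(bytes(b ^ OPAD for b in key) + inner).digest()  # outer call

def check(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify a tag in constant time; never compare MACs with ==."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)
```

The constant-time compare in `check` matters as much as the construction: a byte-by-byte `==` on the tag leaks how many leading bytes matched through timing, which lets an attacker recover a valid tag one byte at a time.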
Combining HMAC with Encryption
There are three methods. They are as follows:
- Encrypt-then-MAC: encrypt the message, then attach the MAC of the ciphertext.
- MAC-then-encrypt: attach the MAC of the plaintext, then encrypt everything.
- Encrypt-and-MAC: encrypt the message, then attach the MAC of the plaintext.
Only Encrypt-then-MAC is recommended.

Encrypt-then-MAC Method
As a formula it is as follows. key1 is used for encryption. A different key, key2, is used for the HMAC. The same key must not be used for both.
CipherText = IV|| AES(key1,iv,message)  
tag = hmac(key2,ciphertext)
For key2, the quoted answer says taking the SHA hash of key1 is enough. The cleaner practice is to derive both key1 and key2 from one master key with a KDF such as HKDF, so that neither key is a function of the other. The explanation is as follows:
You should use a different key for the HMAC. In practice taking the sha1 sum of your encryption key is good enough.
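The Encrypt-then-MAC recipe above as runnable code, added here and not from the original post. The Python standard library has no AES, so the encryption step uses an HMAC-SHA256 counter-mode keystream as a stand-in for `AES(key1, iv, message)`; what the example is meant to show is the structure: key1 and key2 derived from one master key with distinct labels, the tag computed over IV||ciphertext, and a constant-time tag check before any decryption. The master key and message are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

IV_LEN, TAG_LEN = 16, 32

def derive_keys(master: bytes) -> tuple:
    """Independent key1 (encryption) and key2 (MAC) from one master key.
    HKDF-style expand with HMAC-SHA256 and distinct labels (stand-in for a full HKDF)."""
    key1 = hmac.new(master, b"enc", hashlib.sha256).digest()
    key2 = hmac.new(master, b"mac", hashlib.sha256).digest()
    return key1, key2

def _keystream(key1: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream HMAC-SHA256(key1, iv || counter), a stand-in for AES-CTR."""
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key1, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
                   for ctr in range(blocks))
    return out[:length]

def encrypt_then_mac(key1: bytes, key2: bytes, message: bytes) -> bytes:
    iv = os.urandom(IV_LEN)
    ciphertext = bytes(m ^ k for m, k in zip(message, _keystream(key1, iv, len(message))))
    body = iv + ciphertext                                # CipherText = IV || Enc(key1, iv, message)
    tag = hmac.new(key2, body, hashlib.sha256).digest()   # tag = hmac(key2, ciphertext)
    return body + tag

def mac_then_decrypt(key1: bytes, key2: bytes, packet: bytes):
    """Verify the tag over IV||ciphertext first; decrypt only if it checks out."""
    if len(packet) < IV_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key2, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None                               # reject without touching the ciphertext
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key1, iv, len(ciphertext))))

def demo():
    key1, key2 = derive_keys(b"master-key-constructed-for-demo")
    packet = encrypt_then_mac(key1, key2, b"transfer 10 to alice")
    accepted = mac_then_decrypt(key1, key2, packet)
    # Flip one ciphertext bit. With a bare stream cipher this would silently change the
    # plaintext; the MAC over the ciphertext rejects it before decryption runs.
    tampered = bytearray(packet)
    tampered[IV_LEN] ^= 0x01
    rejected = mac_then_decrypt(key1, key2, bytes(tampered))
    return accepted, rejected
```

Tagging IV||ciphertext rather than the ciphertext alone is deliberate: an attacker who can change the IV unnoticed controls the decryption of the first block in CBC mode. The same verify-first discipline is what a real deployment gets for free from an AEAD mode such as AES-GCM, which is the usual choice today when the platform offers it.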
IPSec
I believe HMAC is also used with IPSec.
HMAC: Keyed-Hashing for Message Authentication (RFC2104). (Required for IPSec.)
Java
The javax.crypto.Mac class is used.
