Keyed hashing algorithms address
the problem of Eve intercepting and replacing both the message and
the hash code that Alice sent to Bob. Keyed hashing algorithms mix a
secret key in with the message data blocks when creating a hash code,
as illustrated in Figure 1. Eve cannot replace a
keyed hash code, because she does not know the secret key.
1. Creating the Keyed Hash Code
There are two
main approaches to creating keyed hash codes, also known as Message
Authentication Codes (MACs). The first, and most commonly used,
approach is to combine the secret key and the message data together,
and use a normal cryptographic hashing algorithm to create a hash
code for the combination. The details of how to combine the key and
the message depend on your choice of algorithm, but one commonly used
approach is the HMAC standard, which we discuss in the following
section.
The second approach does not involve a hashing algorithm at all. The
message data is encrypted with a symmetrical algorithm, and all but
the last few bits of the encrypted data are discarded—what
remains is used as the keyed hash code. Note that even though a
normal hashing algorithm is not used, the protocol of using
encryption to create a keyed hash code is still classified as a keyed
hashing algorithm.
1.1. HMAC algorithms
The HMAC standard specifies how the message
data and the secret key are combined, but does not specify which
hashing algorithm should be used to create the hash code, meaning
that the standard can be applied to any algorithm. It is customary to
refer to HMAC algorithms by including the name of the hashing
algorithm that was used. Therefore, HMAC-SHA-1 is the combination of
the key and message, using the HMAC standard and the SHA-1 algorithm
to create the hash code.
The HMAC standard specifies that the key is used as the first data
block processed by the hash function, as shown in Figure 2. This is equivalent to adding the key to the
front of the message before it is processed.
1.2. Block cipher hash codes
Block cipher hash codes are generated by encrypting
the message data and discarding all but the last few bytes. For
example, if you wanted to create a 64-bit hash code, you would
encrypt the data and discard all but the last 8 bytes of data, as
shown in Figure 3. In some schemes, you would
encrypt the retained data again.
The word "block" refers to the fact
that the encryption algorithm works by breaking the message into
fixed-sized blocks, in the same way that normal hashing algorithms
operate (not all encryption algorithms work in this way, meaning that
they cannot be used to create secure hash codes).
2. The .NET Framework Keyed Hashing Algorithms
The .NET Framework includes only two keyed hashing
algorithms, but they are the most commonly used ones. The HMAC-SHA-1
algorithm combines the HMAC standard with the SHA-1 hashing
algorithm. This is the most popular combination for commercial
software and communications security.
The MAC-Triple-DES algorithm uses the Triple-DES encryption algorithm
to create a block cipher hash code. This technique has been widely
used to protect the integrity of financial transactions, but is
gradually being replaced by HMAC hash codes.
