==Security==
The cryptographic strength of the HMAC depends upon the size of the secret key that is used and the security of the underlying hash function. It has been proven that the security of an HMAC construction is directly related to the security properties of the hash function used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hash functions alone.<ref name=":1" /><ref>{{cite web |author=Schneier |first=Bruce |date=August 2005 |title=SHA-1 Broken |url=http://www.schneier.com/blog/archives/2005/02/sha1_broken.html |access-date=9 January 2009 |quote=''although it doesn't affect applications such as HMAC where collisions aren't important''}} </ref><ref name=rfc2104.6>{{Ref RFC|2104|ref=no|section=6|quote=The strongest attack known against HMAC is based on the frequency of collisions for the hash function H ("birthday attack") [PV,BCK2], and is totally impractical for minimally reasonable hash functions.}}</ref> In particular, Mihir Bellare proved that HMAC is a [[Pseudorandom function family|pseudo-random function]] (PRF) under the sole assumption that the compression function is a PRF.<ref>{{cite conference | first=Mihir | last=Bellare | title=New Proofs for NMAC and HMAC: Security without Collision-Resistance | book-title=Journal of Cryptology | url=https://eprint.iacr.org/2006/043.pdf | quote=This paper proves that HMAC is a [[Pseudo-random function|PRF]] under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. | access-date=2021-12-15}} </ref> Therefore, HMAC-MD5 does not suffer from the same weaknesses that have been found in MD5.{{Ref RFC|6151}}

RFC 2104 requires that "keys longer than ''B'' bytes are first hashed using ''H''", which leads to a confusing pseudo-collision: if the key is longer than the hash block size (e.g. 64 bytes for SHA-1), then <code>HMAC(k, m)</code> is computed as <code>HMAC(H(k), m)</code>, so the long key and its hash produce identical tags for every message. This property is sometimes raised as a possible weakness of HMAC in password-hashing scenarios (such as PBKDF2, which uses the password as the HMAC key): it is possible to find a long ASCII string and a random value whose hash is also an ASCII string, and both values will produce the same HMAC output.<ref>{{Cite web|url=https://mathiasbynens.be/notes/pbkdf2-hmac|title=PBKDF2+HMAC hash collisions explained · Mathias Bynens|website=mathiasbynens.be|access-date=2019-08-07}}</ref><ref>{{Cite web|url=https://pthree.org/2016/07/29/breaking-hmac/|title=Aaron Toponce : Breaking HMAC|language=en-US|access-date=2019-08-07}}</ref><ref>{{Cite web|url=https://www.rfc-editor.org/errata/eid4809|title=RFC 2104 Errata Held for Document Update · Erdem Memisyazici|website=www.rfc-editor.org|access-date=2016-09-23}}</ref>

In 2006, [[Jongsung Kim]], [[Alex Biryukov]], [[Bart Preneel]], and [[Seokhie Hong]] showed how to distinguish HMAC with reduced versions of MD5 and SHA-1, or full versions of [[HAVAL]], [[MD4]], and [[SHA-1#SHA-0|SHA-0]], from a [[random function]] or from HMAC with a random function. Differential distinguishers allow an attacker to devise a forgery attack on HMAC. Furthermore, differential and rectangle distinguishers can lead to [[preimage attack|second-preimage attacks]]. HMAC with the full version of MD4 can be [[forgery (Cryptography)|forged]] with this knowledge. These attacks do not contradict the security proof of HMAC, but provide insight into HMAC based on existing cryptographic hash functions.<ref> {{cite journal | journal=SCN 2006 | publisher=Springer-Verlag | last = Kim | first = Jongsung |author2=Biryukov, Alex |author3=Preneel, Bart |author4=Hong, Seokhie | year = 2006 | title = On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 | url=http://eprint.iacr.org/2006/187.pdf }}</ref>

In 2009, [[Xiaoyun Wang]] ''et al.'' presented a distinguishing attack on HMAC-MD5 without using related keys. It can distinguish an instantiation of HMAC with MD5 from an instantiation with a random function with 2<sup>97</sup> queries with probability 0.87.<ref> {{cite journal | last = Wang | first = Xiaoyun|author2=Yu, Hongbo |author3=Wang, Wei |author4=Zhang, Haina |author5=Zhan, Tao | year = 2009 | title = Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC | url=https://www.iacr.org/archive/eurocrypt2009/54790122/54790122.pdf | access-date=15 June 2015 }}</ref>

In 2011 the informational RFC 6151 was published to summarize security considerations in [[MD5]] and HMAC-MD5. For HMAC-MD5 the RFC summarizes that, although the security of the [[MD5]] hash function itself is severely compromised, the currently known ''"attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code"'', but it also adds that ''"for a new protocol design, a ciphersuite with HMAC-MD5 should not be included"''.{{Ref RFC|6151}} In May 2011, RFC 6234 was published detailing the abstract theory and source code for SHA-based HMACs.{{Ref RFC|6234}}
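The following Python script is an added illustration of the RFC 2104 key-hashing step and the pseudo-collision described above; it is not code from the RFC or from the cited notes. It writes HMAC out step by step to show where a long key is replaced by ''H''(key), checks that result against the standard library, and then demonstrates the consequence for PBKDF2-HMAC-SHA1: a password longer than the 64-byte block and the 20 raw bytes of its SHA-1 digest derive the same key. The sample message, keys, password and salt are constructed for the demonstration; finding a long ASCII password whose digest is itself printable ASCII (the step the cited demonstrations took) is not attempted here.

```python
import hashlib
import hmac


def rfc2104_hmac(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC written out as RFC 2104 section 2 specifies it.

    The first step is the one under discussion: a key longer than the
    underlying hash's block size B is replaced by H(key), and only then
    zero-padded to B bytes, XORed with ipad/opad and fed to the hash.
    """
    block_size = hashlib.new(hash_name).block_size  # B: 64 for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block_size:
        # "keys longer than B bytes are first hashed using H" (RFC 2104)
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac.compare_digest(
        rfc2104_hmac(key, msg, hash_name), hmac.new(key, msg, hash_name).digest()
    )


def hashed_key_equivalent(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """True iff HMAC(key, msg) == HMAC(H(key), msg).

    Holds whenever len(key) > B. For keys of B bytes or fewer the two
    tags differ, because the short key is padded rather than hashed.
    """
    tag_key = hmac.new(key, msg, hash_name).digest()
    tag_hashed = hmac.new(hashlib.new(hash_name, key).digest(), msg, hash_name).digest()
    return hmac.compare_digest(tag_key, tag_hashed)


def pbkdf2_equivalent_password(password: bytes, salt: bytes, iterations: int = 1000):
    """Return (SHA-1(password), same_derived_key?) for PBKDF2-HMAC-SHA1.

    PBKDF2 uses the password as the HMAC key, so a password longer than
    64 bytes and the 20 raw bytes of its SHA-1 digest derive the same key
    for every salt and iteration count. The digest is an equally valid
    "password" even though it is rarely printable.
    """
    alt_password = hashlib.sha1(password).digest()
    dk_original = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    dk_alt = hashlib.pbkdf2_hmac("sha1", alt_password, salt, iterations)
    return alt_password, hmac.compare_digest(dk_original, dk_alt)


if __name__ == "__main__":
    msg = b"constructed sample message"            # constructed input
    long_key = b"k" * 65                            # one byte over SHA-1's block size
    print("hand-written HMAC matches stdlib:", matches_stdlib(long_key, msg))
    print("65-byte key == SHA-1(key) as key:", hashed_key_equivalent(long_key, msg))
    print("64-byte key == SHA-1(key) as key:", hashed_key_equivalent(b"k" * 64, msg))
    # B depends on the hash: 100 bytes is still within SHA-512's 128-byte block.
    print("100-byte key, SHA-512:", hashed_key_equivalent(b"k" * 100, msg, "sha512"))
    # Constructed 93-character ASCII password, well over the 64-byte block.
    pw = b"correct horse battery staple " * 2 + b"padding-to-exceed-the-64-byte-block"
    alt, same = pbkdf2_equivalent_password(pw, b"constructed-salt")
    print("PBKDF2 collides with raw digest", alt.hex(), ":", same)
```

The practical caveat for a verifier is that this is not a break of HMAC as a MAC: the attacker still has to know the long key to compute its hash. It only matters where the key is itself a user-chosen secret that is being compared by its HMAC-derived output, which is why the cited notes frame it as a PBKDF2 curiosity rather than an HMAC vulnerability.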