13.3 Keyed Hashing Algorithms Explained

Keyed hashing algorithms address the problem of Eve intercepting and replacing both the message and the hash code that Alice sent to Bob. Keyed hashing algorithms mix a secret key in with the message data blocks when creating a hash code, as illustrated in Figure 13-4. Eve cannot replace a keyed hash code, because she does not know the secret key.

Figure 13-4. Using a secret key to create a hash code

13.3.1 Creating the Keyed Hash Code

There are two main approaches to creating keyed hash codes, also known as Message Authentication Codes (MACs). The first, and most commonly used, approach is to combine the secret key and the message data together, and use a normal cryptographic hashing algorithm to create a hash code for the combination. The details of how to combine the key and the message depend on your choice of algorithm, but one commonly used approach is the HMAC standard, which we discuss in the following section.

The second approach does not involve a hashing algorithm at all. The message data is encrypted with a symmetrical algorithm, and all but the last few bits of the encrypted data are discardedwhat remains is used as the keyed hash code. Note that even though a normal hashing algorithm is not used, the protocol of using encryption to create a keyed hash code is still classified as a keyed hashing algorithm. HMAC algorithms

The HMAC standard specifies how the message data and the secret key are combined, but does not specify which hashing algorithm should be used to create the hash code, meaning that the standard can be applied to any algorithm. It is customary to refer to HMAC algorithms by including the name of the hashing algorithm that was used. Therefore, HMAC-SHA-1 is the combination of the key and message, using the HMAC standard and the SHA-1 algorithm to create the hash code.

The HMAC standard specifies that the key is used as the first data block processed by the hash function, as shown in Figure 13-5. This is equivalent to adding the key to the front of the message before it is processed.

Figure 13-5. The HMAC standard specifies that the secret key is the first data block processed by the hash function
figs/pdns_1305.gif Block cipher hash codes

Block cipher hash codes are generated by encrypting the message data and discarding all but the last few bytes. For example, if you wanted to create a 64-bit hash code, you would encrypt the data and discard all but the last 8 bytes of data, as shown in Figure 13-6. In some schemes, you would encrypt the retained data again.

Figure 13-6. MACs are created by encrypting the message and discarding all but the last few bytes

The word "block" refers to the fact that the encryption algorithm works by breaking the message into fixed-sized blocks, in the same way that normal hashing algorithms operate (not all encryption algorithms work in this way, meaning that they cannot be used to create secure hash codes). See Chapter 14 and Chapter 15 for more information about encryption.

13.3.2 The .NET Framework Keyed Hashing Algorithms

The .NET Framework includes only two keyed hashing algorithms, but they are the most commonly used ones. The HMAC-SHA-1 algorithm combines the HMAC standard with the SHA-1 hashing algorithm. This is the most popular combination for commercial software and communications security.

The MAC-Triple-DES algorithm uses the Triple-DES encryption algorithm to create a block cipher hash code. This technique has been widely used to protect the integrity of financial transactions, but is gradually being replaced by HMAC hash codes. See Chapter 14 for more information about Triple-DES encryption.

    Part V: API Quick Reference