Do I understand HMAC-SHA-xxx and HMAC-SHA-xxx-yyy correctly?
I've recently started looking at HMAC, and there are a few things that I'm not 100% sure that I'm understanding correctly. Am I right about these three things?
- HMAC-SHA-xxx has an output length of xxx bits
- HMAC-SHA-xxx-yyy has an output length of yyy bits
- If I have a function that generates HMAC-SHA-xxx output, then I can create a function that generates HMAC-SHA-xxx-yyy output simply by returning the first yyy bits of HMAC-SHA-xxx output.
If I am misunderstanding any of them, how so?
hmac
edited 3 hours ago
asked 6 hours ago
Jan
1 Answer
- HMAC-SHA-xxx has an output length of xxx bits
That's right, the output of the HMAC function is identical to the output of the hash by default. This is obvious if you take the design of HMAC into consideration.
- HMAC-SHA-xxx-yyy has an output length of yyy bits
Certainly. It has been defined that way in the venerable RFC 2104 - HMAC: Keyed-Hashing for Message Authentication, section 5: Truncated output.
Not many implementations will allow you to specify the output size, so you may have to truncate yourself. Also note that using a standardized, truncated version of SHA-2 should be preferred (e.g. SHA-224 is already a truncated version of SHA-256).
- If I have a function that generates HMAC-SHA-xxx output, then I can create a function that generates HMAC-SHA-xxx-yyy output simply by returning the first yyy bytes of HMAC-SHA-xxx output.
Yes, you'd use the leftmost bits / bytes. yyy would be in bits, so you'd have to divide by 8 (and I would only allow multiples of 8 for yyy).
Beware that the authors of the RFC talk about "recommend" and "propose" in section 5, so the implementation of HMAC-<hash>-yyy seems strictly optional.
edited 5 hours ago
answered 6 hours ago
Maarten Bodewes
What justifies "that using a standardized, truncated version of SHA-2 should be preferred (e.g. SHA-224 is already a truncated version of SHA-256)"? I see no benefit compared to using full-width hash and truncating in the end, and never met that. Further, that would always reduce the amount of hashed data making it from the data hash of HMAC to the final hash; and, if the HMAC key is larger than 512-bit, that would get hashed to 224-bit rather than 256-bit as the key hash of HMAC, reducing the effective key size (admittedly, to a width that still seems large enough).
– fgrieu
1 hour ago
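The truncation described in the answer, and the difference between HMAC-SHA-224 and HMAC-SHA-256 truncated to 224 bits raised in the comment, as an added Python example that is not part of the original posts. The function names, key and message are constructed for illustration; the lower bound on the tag length (at least 80 bits and at least half the hash output) is the recommendation in RFC 2104, section 5.

```python
import hashlib
import hmac

MIN_TAG_BITS = 80  # lower bound recommended in RFC 2104, section 5


def hmac_truncated(key: bytes, msg: bytes, hash_name: str, tag_bits: int) -> bytes:
    """HMAC-<hash>-<tag_bits>: the leftmost tag_bits of the full HMAC output."""
    full = hmac.new(key, msg, hash_name).digest()
    full_bits = len(full) * 8
    if tag_bits % 8:
        raise ValueError("only whole-byte tag lengths are supported")
    if not max(MIN_TAG_BITS, full_bits // 2) <= tag_bits <= full_bits:
        raise ValueError("tag length outside the range RFC 2104 recommends")
    return full[: tag_bits // 8]


def verify_truncated(key: bytes, msg: bytes, hash_name: str,
                     tag_bits: int, tag: bytes) -> bool:
    """Check a received tag. tag_bits is fixed by the receiver, never taken
    from len(tag), so a sender cannot choose a shorter tag for itself."""
    expected = hmac_truncated(key, msg, hash_name, tag_bits)
    # Constant-time comparison; returns False when the lengths differ.
    return hmac.compare_digest(expected, tag)


def effective_key(key: bytes, hash_name: str) -> bytes:
    """Keys longer than the hash block size are replaced by their hash
    before HMAC uses them (the key-hash step mentioned in the comment)."""
    block_size = hashlib.new(hash_name).block_size
    return hashlib.new(hash_name, key).digest() if len(key) > block_size else key


# Constructed sample inputs, not real secrets.
KEY = bytes(range(32))
MSG = b"constructed sample message"

if __name__ == "__main__":
    tag = hmac_truncated(KEY, MSG, "sha256", 128)
    print("HMAC-SHA-256-128:", tag.hex())
    print("verifies        :", verify_truncated(KEY, MSG, "sha256", 128, tag))
    # HMAC-SHA-224 is a different function from HMAC-SHA-256 cut to 224 bits:
    # both tags are 28 bytes long, but the values do not match.
    print("HMAC-SHA-224    :", hmac.new(KEY, MSG, "sha224").hexdigest())
    print("HMAC-SHA-256-224:", hmac_truncated(KEY, MSG, "sha256", 224).hex())
```

Both peers must agree on which of the two 224-bit constructions they use, since the tags are not interchangeable.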