HMAC: Keyed-Hashing for Message Authentication
RFC 2104

Document Type RFC - Informational (February 1997; Errata)
Updated by RFC 6151
Authors Hugo Krawczyk  , Mihir Bellare  , Ran Canetti 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2104 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                       H. Krawczyk
Request for Comments: 2104                                          IBM
Category: Informational                                      M. Bellare
                                                             R. Canetti
                                                          February 1997

             HMAC: Keyed-Hashing for Message Authentication

Status of This Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.


   This document describes HMAC, a mechanism for message authentication
   using cryptographic hash functions. HMAC can be used with any
   iterative cryptographic hash function, e.g., MD5, SHA-1, in
   combination with a secret shared key.  The cryptographic strength of
   HMAC depends on the properties of the underlying hash function.

1. Introduction

   Providing a way to check the integrity of information transmitted
   over or stored in an unreliable medium is a prime necessity in the
   world of open computing and communications. Mechanisms that provide
   such integrity check based on a secret key are usually called
   "message authentication codes" (MAC). Typically, message
   authentication codes are used between two parties that share a secret
   key in order to validate information transmitted between these
   parties. In this document we present such a MAC mechanism based on
   cryptographic hash functions. This mechanism, called HMAC, is based
   on work by the authors [BCK1] where the construction is presented and
   cryptographically analyzed. We refer to that work for the details on
   the rationale and security analysis of HMAC, and its comparison to
   other keyed-hash methods.

Krawczyk, et. al.            Informational                      [Page 1]
RFC 2104                          HMAC                     February 1997

   HMAC can be used in combination with any iterated cryptographic hash
   function. MD5 and SHA-1 are examples of such hash functions. HMAC
   also uses a secret key for calculation and verification of the
   message authentication values. The main goals behind this
   construction are

   * To use, without modifications, available hash functions.
     In particular, hash functions that perform well in software,
     and for which code is freely and widely available.

   * To preserve the original performance of the hash function without
     incurring a significant degradation.

   * To use and handle keys in a simple way.

   * To have a well understood cryptographic analysis of the strength of
     the authentication mechanism based on reasonable assumptions on the
     underlying hash function.

   * To allow for easy replaceability of the underlying hash function in
     case that faster or more secure hash functions are found or

   This document specifies HMAC using a generic cryptographic hash
   function (denoted by H). Specific instantiations of HMAC need to
   define a particular hash function. Current candidates for such hash
   functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD].
   These different realizations of HMAC will be denoted by HMAC-SHA1,

   Note: To the date of writing of this document MD5 and SHA-1 are the
   most widely used cryptographic hash functions. MD5 has been recently
   shown to be vulnerable to collision search attacks [Dobb].  This
   attack and other currently known weaknesses of MD5 do not compromise
   the use of MD5 within HMAC as specified in this document (see
   [Dobb]); however, SHA-1 appears to be a cryptographically stronger
   function. To this date, MD5 can be considered for use in HMAC for
   applications where the superior performance of MD5 is critical.   In
   any case, implementers and users need to be aware of possible
   cryptanalytic developments regarding any of these cryptographic hash
   functions, and the eventual need to replace the underlying hash
   function. (See section 6 for more information on the security of

Krawczyk, et. al.            Informational                      [Page 2]
RFC 2104                          HMAC                     February 1997

2. Definition of HMAC

   The definition of HMAC requires a cryptographic hash function, which
   we denote by H, and a secret key K. We assume H to be a cryptographic
   hash function where data is hashed by iterating a basic compression
   function on blocks of data.   We denote by B the byte-length of such
   blocks (B=64 for all the above mentioned examples of hash functions),
   and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
   SHA-1).  The authentication key K can be of any length up to B, the
Show full document text