Menu
We are using the below code to generate a HMac hash against a sensitive value in C#
public string GenerateHMac(string key, string message)
{
var decodedKey = Convert.FromBase64String(key);
var hasher = new HMACSHA256(decodedKey);
var messageBytes = Encoding.Default.GetBytes(message);
var hash = hasher.ComputeHash(messageBytes);
return Convert.ToBase64String(hash);
}
The key passed in is a 256 bit base 64 encoded string. A question was raised as to whether we should be using HMACSHA256, HMACSHA384 or HMACSHA512 to hash the value.
As a side note; does the decodedKey value I am passing into the constructor need to be a 512 bit key if I use HMACSHA512?
943
HMACSHA512 is a type of keyed hash algorithm that is constructed from the SHA-512 hash function and used as a Hash-based Message Authentication Code (HMAC). The HMAC process mixes a secret key with the message data and hashes the result. The hash value is mixed with the secret key again, and then hashed a second time.
HMACSHA256 is a type of keyed hash algorithm that is constructed from the SHA-256 hash function and used as a Hash-based Message Authentication Code (HMAC).
To the best of our knowledge, there is essentially no security difference between HMAC-SHA256 and HMAC-SHA1; with a sufficiently long key, both are impervious to brute force, and with a reasonably long tag, both will catch any forged messages with the expected probability.
HMAC-SHA256 is extremely safe. In the question's use, the key is large (48 characters, likely >160 bits of entropy). From a theoretical standpoint, everything checks. HMAC is demonstrably resistant (to 128-bit level) even if an adversary can obtain the MAC of chosen messages, under weak hypothesis for SHA-256 (see M.
TL;DR: use HMAC-SHA512 for optimum speed, security and OK compatibility. HMAC-SHA256 is also very secure and could be useful on CPU's with 32 bit operations. Moreover, it is accelerated on many of the latest CPU's.
To see the strength of the hash methods themselves, please take a look at the keylength.com website. You will see that even SHA-256 has quite a large security margin.
What's more, the HMAC algorithm is pretty much oblivious to attacks on the underlying hash algorithm. HMAC is impervious to the birthday problem which halves the key strength to half of the hash output. It doesn't apply simply because the adversary doesn't hold the secret key and can therefore not try to create collisions. This is why even HMAC-SHA1 is pretty secure.
Now the speed of the hash depends on the execution environment. But in general you can make the following assumptions:
Use SHA-1 if you are expecting compatibility issues. Otherwise you may as well go for SHA-512 (and cut the result to a reasonable number of bits). The internal state and higher security of SHA-512 may be a slight advantage. I've ran into issues with customers not accepting any form of SHA-1 because of general issues with the algorithm; in other words, the fact that it is not secure in general may hinder acceptance.
Note that SHA-384 and the less well known SHA-512/256 and SHA-512/224 hash methods are a special form of SHA-512, cut to 384, 256 and 224 bits output. So the speed of these algorithms is identical. The only difference apart from the output size is that these special forms use different initial values internally. Otherwise SHA-512 cut to 384 bit is as secure and as fast as SHA-512/384. You should however use SHA-384 to remain compatible - if you require that particular output size.
SHA-384 and SHA-512/256 and SHA-512/224 use different initial values so that the output of either of them is different from SHA-512 and each other; a feature called domain separation. The domain separation makes it impossible to use attack or (partially) predict hash results of the other, related hash functions.
The input key size is not dependent on the underlying hash function. The key is first XOR-masked and then hashed by the underlying hash function; hash algorithms can take virtually unlimited amounts of data as input.
It is advisable to use a key size that is at least the size of the hash method used, otherwise you may degrade the security margin provided by the HMAC method. There may be a minor performance penalty if the key size forces the hash algorithm to hash multiple blocks.
You could also use the (upcoming) SHA-3 standard in the sense that it would be secure. HMAC-SHA-3 currently doesn't make too much sense though. HMAC is actually overkill for SHA-3 (Keccak); SHA-3 should be secure even without the HMAC construct. By now KMAC has been standardized as MAC construct for SHA-3.
The SHA-2 constructs have - somewhat surprisingly - shown pretty good resistance against crypt-analysis during the SHA-3 competition. So there is no pressing need to upgrade to KMAC / SHA-3.
148
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
