
I'm trying to calculate an HMAC with an IV (without any additional key). I need to pass it at the 'init' level. I know that usually there is no need to pass the IV, since there are default IVs for HMAC/SHA. But if I don't want to use the defaults and want to supply my own IV, how can this be implemented in Java? I've tried using javax, but its Mac init accepts only the signing key.

For example:

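```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

Mac hmac = Mac.getInstance("HmacSHA1");
byte[] hmacKeyBytes = key.getBytes(StandardCharsets.UTF_8); // explicit charset, not the platform default
SecretKeySpec secretKey = new SecretKeySpec(hmacKeyBytes, "HmacSHA1");
hmac.init(secretKey); // init accepts only the key
```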
  • I want to init with some IV value, but I don't know how.

I'm referring to the initial value used to start the hash/HMAC iterated process. Usually it is some arbitrary number, not exposed to the user. I want to be able to change this default initialization vector for hash functions, or find some way to supply my own IV. How can I do it?

Thank you!

user3698979
  • It is totally unclear why one would want to do that, what is the advantage? – Henry Jun 13 '17 at 10:00
  • It allows creating a custom algorithm, similar to HMAC-SHA1, without the need to find an open source implementation of one and modify it. – user3698979 Jun 13 '17 at 10:54
  • How would this IV enter the algorithm? Adding some bytes to the key or to the message just has the same effect. – Henry Jun 13 '17 at 11:22
  • You mean that if I concatenate the IV to the plaintext, I will have the same outcome as if I'd begun with my own IV in the first place? – user3698979 Jun 13 '17 at 11:57
  • More or less yes. HMAC does not use an IV so one cannot say where it would go. – Henry Jun 13 '17 at 11:59
  • Be aware of creating your own algorithm; you should know what you are doing to keep your MAC safe (collision resistant, good avalanche effect, resistant to linear analysis, etc.). Appending/prepending an IV (a random known plain message) would randomize the output. An IV is mostly used for encryption. What is your reason for using an IV for HMAC? – gusto2 Jun 13 '17 at 21:24
  • If you're using HMAC to authenticate a ciphertext, then you **must** apply it to the IV as well. (See solution below. I wrote a little pseudocode ... if you post your encryption code, I'll help you work it into a working example.) – tweaksp Jun 20 '17 at 21:36

2 Answers


HMAC takes only the key as its initial parameter. Effectively, the same content should have the same authentication tag, so an IV is not needed/desired by definition.

As far as I recall from my cryptography classes, having a non-static IV would lead to vulnerabilities with MAC/HMAC for some algorithm implementations, but I don't recall the details anymore (you could ask in the Cryptography section of Stack Overflow, https://crypto.stackexchange.com/).

If you really want to have a sort of IV, you can still prepend the IV to the content.

gusto2

HMAC-SHA1 is called a message authentication code (MAC). This object takes as input a key K, and an arbitrary-length message X, and outputs a tag T. Basically, a MAC is secure if it's hard to find a new input X and a tag T such that HMAC-SHA1(K, M) = T, for an unknown key K.

My guess is that you're wondering what to do with the IV because you're using HMAC-SHA1 with some sort of encryption scheme? AES-CTR encryption, for example, uses an IV. In this case, you must encrypt the ciphertext and IV. So in pseudocode:

(IV, C) := AES-CTR(K1, M) # Maybe the output is a string with the IV prepended
T := HMAC-SHA1(K2, (IV, C))
return (IV, C, T)

By the way, HMAC-SHA1 is no longer considered secure. Consider using something like HMAC-SHA256.

tweaksp
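
The pseudocode in the answer above, written out as runnable Java; this is an added example, not code from the answer or the question. It uses HMAC-SHA256 as the answer suggests, and the class name `EncryptThenMac`, the `IV || C || T` byte layout and the generated demo keys are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class EncryptThenMac {               // hypothetical class name
    static final int IV_LEN = 16, TAG_LEN = 32;
    // T = HMAC-SHA256(K2, IV || C): the IV is fed in as MAC input, not passed to init().
    static byte[] tag(byte[] k2, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(k2, "HmacSHA256"));
        mac.update(iv);
        return mac.doFinal(ct);
    }

    static byte[] ctr(int mode, byte[] k1, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(mode, new SecretKeySpec(k1, "AES"), new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    static byte[] seal(byte[] k1, byte[] k2, byte[] msg) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                    // fresh IV for every message
        byte[] ct = ctr(Cipher.ENCRYPT_MODE, k1, iv, msg);
        return ByteBuffer.allocate(IV_LEN + ct.length + TAG_LEN)
                .put(iv).put(ct).put(tag(k2, iv, ct)).array();   // IV || C || T
    }

    static byte[] open(byte[] k1, byte[] k2, byte[] box) throws GeneralSecurityException {
        if (box.length < IV_LEN + TAG_LEN) throw new GeneralSecurityException("too short");
        byte[] iv = Arrays.copyOfRange(box, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(box, IV_LEN, box.length - TAG_LEN);
        byte[] t = Arrays.copyOfRange(box, box.length - TAG_LEN, box.length);
        if (!MessageDigest.isEqual(t, tag(k2, iv, ct)))      // constant-time comparison
            throw new GeneralSecurityException("bad tag");   // reject before decrypting
        return ctr(Cipher.DECRYPT_MODE, k1, iv, ct);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] k1 = KeyGenerator.getInstance("AES").generateKey().getEncoded();        // demo key K1
        byte[] k2 = KeyGenerator.getInstance("HmacSHA256").generateKey().getEncoded(); // demo key K2
        byte[] msg = {1, 2, 3, 4};                           // constructed sample message
        byte[] box = seal(k1, k2, msg);
        System.out.println(Arrays.equals(msg, open(k1, k2, box)));
        box[0] ^= 1;                                         // flip one bit of the IV
        try { open(k1, k2, box); } catch (GeneralSecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the tag covers the IV, flipping a single IV bit makes `open` fail with "bad tag" instead of returning a silently altered plaintext.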