_same_ secret key K!) on about 2**64 known plaintexts.  This would   require the processing of at least 2**64 blocks under H, an   impossible task in any realistic scenario (for a block length of 64   bytes this would take 250,000 years in a continuous 1Gbps link, and   without changing the secret key K during all this time).  This attack   could become realistic only if serious flaws in the collision   behavior of the function H are discovered (e.g.  collisions found   after 2**30 messages). Such a discovery would determine the immediate   replacement of the function H (the effects of such failure would be   far more severe for the traditional uses of H in the context of   digital signatures, public key certificates, etc.).   Note: this attack needs to be strongly contrasted with regular   collision attacks on cryptographic hash functions where no secret key   is involved and where 2**64 off-line parallelizable (!) operations   suffice to find collisions.  The latter attack is approaching   feasibility [VW] while the birthday attack on HMAC is totally   impractical.  (In the above examples, if one uses a hash function   with, say, 160 bit of output then 2**64 should be replaced by 2**80.)Krawczyk, et. al.            Informational                      [Page 6]RFC 2104                          HMAC                     February 1997   A correct implementation of the above construction, the choice of   random (or cryptographically pseudorandom) keys, a secure key   exchange mechanism, frequent key refreshments, and good secrecy   protection of keys are all essential ingredients for the security of   the integrity verification mechanism provided by HMAC.Krawczyk, et. al.            Informational                      [Page 7]RFC 2104                          HMAC                     February 1997Appendix -- Sample Code   For the sake of illustration we provide the following sample code for   the implementation of HMAC-MD5 as well as some corresponding test   vectors (the code is based on MD5 code as described in [MD5])./*** Function: hmac_md5*/voidhmac_md5(text, text_len, key, key_len, digest)unsigned char*  text;                /* pointer to data stream */int             text_len;            /* length of data stream */unsigned char*  key;                 /* pointer to authentication key */int             key_len;             /* length of authentication key */caddr_t         digest;              /* caller digest to be filled in */{        MD5_CTX context;        unsigned char k_ipad[65];    /* inner padding -                                      * key XORd with ipad                                      */        unsigned char k_opad[65];    /* outer padding -                                      * key XORd with opad                                      */        unsigned char tk[16];        int i;        /* if key is longer than 64 bytes reset it to key=MD5(key) */        if (key_len > 64) {                MD5_CTX      tctx;                MD5Init(&tctx);                MD5Update(&tctx, key, key_len);                MD5Final(tk, &tctx);                key = tk;                key_len = 16;        }        /*         * the HMAC_MD5 transform looks like:         *         * MD5(K XOR opad, MD5(K XOR ipad, text))         *         * where K is an n byte key         * ipad is the byte 0x36 repeated 64 timesKrawczyk, et. al.            Informational                      [Page 8]RFC 2104                          HMAC                     February 1997         * opad is the byte 0x5c repeated 64 times         * and text is the data being protected         */        /* start out by storing key in pads */        bzero( k_ipad, sizeof k_ipad);        bzero( k_opad, sizeof k_opad);        bcopy( key, k_ipad, key_len);        bcopy( key, k_opad, key_len);        /* XOR key with ipad and opad values */        for (i=0; i<64; i++) {                k_ipad[i] ^= 0x36;                k_opad[i] ^= 0x5c;        }        /*         * perform inner MD5         */        MD5Init(&context);                   /* init context for 1st                                              * pass */        MD5Update(&context, k_ipad, 64)      /* start with inner pad */        MD5Update(&context, text, text_len); /* then text of datagram */        MD5Final(digest, &context);          /* finish up 1st pass */        /*         * perform outer MD5         */        MD5Init(&context);                   /* init context for 2nd                                              * pass */        MD5Update(&context, k_opad, 64);     /* start with outer pad */        MD5Update(&context, digest, 16);     /* then results of 1st                                              * hash */        MD5Final(digest, &context);          /* finish up 2nd pass */}Test Vectors (Trailing '\0' of a character string not included in test):  key =         0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b  key_len =     16 bytes  data =        "Hi There"  data_len =    8  bytes  digest =      0x9294727a3638bb1c13f48ef8158bfc9d  key =         "Jefe"  data =        "what do ya want for nothing?"  data_len =    28 bytes  digest =      0x750c783e6ab0b503eaa86e310a5db738  key =         0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKrawczyk, et. al.            Informational                      [Page 9]RFC 2104                          HMAC                     February 1997  key_len       16 bytes  data =        0xDDDDDDDDDDDDDDDDDDDD...                ..DDDDDDDDDDDDDDDDDDDD...                ..DDDDDDDDDDDDDDDDDDDD...                ..DDDDDDDDDDDDDDDDDDDD...                ..DDDDDDDDDDDDDDDDDDDD  data_len =    50 bytes  digest =      0x56be34521d144c88dbb8c733f0e8b3f6Acknowledgments   Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided   useful comments on early drafts, and ran the first interoperability   tests of this specification. Jeff and Pau-Chen kindly provided the   sample code and test vectors that appear in the appendix.  Burt   Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van   Oorschot have provided useful comments and suggestions during the   investigation of the HMAC construction.References   [ANSI]  ANSI X9.9, "American National Standard for Financial           Institution Message Authentication (Wholesale)," American           Bankers Association, 1981.   Revised 1986.   [Atk]   Atkinson, R., "IP Authentication Header", RFC 1826, August           1995.   [BCK1]  M. Bellare, R. Canetti, and H. Krawczyk,           "Keyed Hash Functions and Message Authentication",           Proceedings of Crypto'96, LNCS 1109, pp. 1-15.           (http://www.research.ibm.com/security/keyed-md5.html)   [BCK2]  M. Bellare, R. Canetti, and H. Krawczyk,           "Pseudorandom Functions Revisited: The Cascade Construction",           Proceedings of FOCS'96.   [Dobb]  H. Dobbertin, "The Status of MD5  After a Recent Attack",           RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.           http://www.rsa.com/rsalabs/pubs/cryptobytes.html   [PV]    B. Preneel and P. van Oorschot, "Building fast MACs from hash           functions", Advances in Cryptology -- CRYPTO'95 Proceedings,           Lecture Notes in Computer Science, Springer-Verlag Vol.963,           1995, pp. 1-14.   [MD5]   Rivest, R., "The MD5 Message-Digest Algorithm",           RFC 1321, April 1992.Krawczyk, et. al.            Informational                     [Page 10]RFC 2104                          HMAC                     February 1997   [MM]    Meyer, S. and Matyas, S.M., Cryptography, New York Wiley,           1982.   [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A            strengthened version of RIPEMD", Fast Software Encryption,            LNCS Vol 1039, pp. 71-82.            ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/.   [SHA]   NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.   [Tsu]   G. Tsudik, "Message authentication with one-way hash           functions", In Proceedings of Infocom'92, May 1992.           (Also in "Access Control and Policy Enforcement in            Internetworks", Ph.D. Dissertation, Computer Science            Department, University of Southern California, April 1991.)   [VW]    P. van Oorschot and M. Wiener, "Parallel Collision           Search with Applications to Hash Functions and Discrete           Logarithms", Proceedings of the 2nd ACM Conf. Computer and           Communications Security, Fairfax, VA, November 1994.Authors' Addresses   Hugo Krawczyk   IBM T.J. Watson Research Center   P.O.Box 704   Yorktown Heights, NY 10598   EMail: hugo@watson.ibm.com   Mihir Bellare   Dept of Computer Science and Engineering   Mail Code 0114   University of California at San Diego   9500 Gilman Drive   La Jolla, CA 92093   EMail: mihir@cs.ucsd.edu   Ran Canetti   IBM T.J. Watson Research Center   P.O.Box 704   Yorktown Heights, NY 10598   EMail: canetti@watson.ibm.comKrawczyk, et. al.            Informational                     [Page 11]