1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
|
<pre>Network Working Group P. Cheng
Request for Comments: 2202 IBM
Category: Informational R. Glenn
NIST
September 1997
<span class="h1">Test Cases for HMAC-MD5 and HMAC-SHA-1</span>
Status of This Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
This document provides two sets of test cases for HMAC-MD5 and HMAC-
SHA-1, respectively. HMAC-MD5 and HMAC-SHA-1 are two constructs of
the HMAC [<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>] message authentication function using the MD5 [<a href="#ref-MD5" title=""The MD5 Message-Digest Algorithm"">MD5</a>]
hash function and the SHA-1 [<a href="#ref-SHA" title="FIPS PUB 180-1: Secure Hash Standard">SHA</a>] hash function. Both constructs are
used by IPSEC [<a href="#ref-OG" title=""HMAC-MD5 IP Authentication with Replay Prevention"">OG</a>,<a href="#ref-CG" title=""HMAC-SHA IP Authentication with Replay Prevention"">CG</a>] and other protocols to authenticate messages.
The test cases and results provided in this document are meant to be
used as a conformance test for HMAC-MD5 and HMAC-SHA-1
implementations.
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The general method for constructing a HMAC message authentication
function using a particular hash function is described in section 2
of [<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>]. We will not repeat the description here. <a href="#section-5">Section 5</a> of
[<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>] also discusses truncating the output of HMAC; the rule is that
we should keep the more significant bits (the bits in the left,
assuming a network byte order (big-endian)).
In sections <a href="#section-2">2</a> and <a href="#section-3">3</a> we provide test cases for HMAC-MD5 and HMAC-SHA-
1, respectively. Each case includes the key, the data, and the
result. The values of keys and data are either hexadecimal numbers
(prefixed by "0x") or ASCII character strings in double quotes. If a
value is an ASCII character string, then the HMAC computation for the
corresponding test case DOES NOT include the trailing null character
('\0') in the string.
<span class="grey">Cheng & Glenn Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
The C source code of the functions used to generate HMAC-SHA-1
results is listed in the Appendix. Note that these functions are
meant to be simple and easy to understand; they are not optimized in
any way. The C source code for computing HMAC-MD5 can be found in
[<a href="#ref-MD5" title=""The MD5 Message-Digest Algorithm"">MD5</a>]; or you can do a simple modification to HMAC-SHA-1 code to get
HMAC-MD5 code, as explained in the Appendix.
The test cases in this document are cross-verified by three
independent implementations, one from NIST and two from IBM Research.
One IBM implementation uses optimized code that is very different
from the code in the Appendix. An implemenation that concurs with the
results provided in this document should be interoperable with other
similar implemenations. We do not claim that such an implementation
is absolutely correct with respect to the HMAC definition in [<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Test Cases for HMAC-MD5</span>
test_case = 1
key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
key_len = 16
data = "Hi There"
data_len = 8
digest = 0x9294727a3638bb1c13f48ef8158bfc9d
test_case = 2
key = "Jefe"
key_len = 4
data = "what do ya want for nothing?"
data_len = 28
digest = 0x750c783e6ab0b503eaa86e310a5db738
test_case = 3
key = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
key_len 16
data = 0xdd repeated 50 times
data_len = 50
digest = 0x56be34521d144c88dbb8c733f0e8b3f6
test_case = 4
key = 0x0102030405060708090a0b0c0d0e0f10111213141516171819
key_len 25
data = 0xcd repeated 50 times
data_len = 50
digest = 0x697eaf0aca3a3aea3a75164746ffaa79
<span class="grey">Cheng & Glenn Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
test_case = 5
key = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
key_len = 16
data = "Test With Truncation"
data_len = 20
digest = 0x56461ef2342edc00f9bab995690efd4c
digest-96 0x56461ef2342edc00f9bab995
test_case = 6
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key - Hash Key First"
data_len = 54
digest = 0x6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd
test_case = 7
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key and Larger
Than One Block-Size Data"
data_len = 73
digest = 0x6f630fad67cda0ee1fb1f562db3aa53e
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Test Cases for HMAC-SHA-1</span>
test_case = 1
key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
key_len = 20
data = "Hi There"
data_len = 8
digest = 0xb617318655057264e28bc0b6fb378c8ef146be00
test_case = 2
key = "Jefe"
key_len = 4
data = "what do ya want for nothing?"
data_len = 28
digest = 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79
test_case = 3
key = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
key_len = 20
data = 0xdd repeated 50 times
data_len = 50
digest = 0x125d7342b9ac11cd91a39af48aa17b4f63f175d3
<span class="grey">Cheng & Glenn Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
test_case = 4
key = 0x0102030405060708090a0b0c0d0e0f10111213141516171819
key_len = 25
data = 0xcd repeated 50 times
data_len = 50
digest = 0x4c9007f4026250c6bc8414f9bf50c86c2d7235da
test_case = 5
key = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
key_len = 20
data = "Test With Truncation"
data_len = 20
digest = 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
digest-96 = 0x4c1a03424b55e07fe7f27be1
test_case = 6
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key - Hash Key First"
data_len = 54
digest = 0xaa4ae5e15272d00e95705637ce8a3b55ed402112
test_case = 7
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key and Larger
Than One Block-Size Data"
data_len = 73
digest = 0xe8e99d0f45237d786d6bbaa7965c7808bbff1a91
data_len = 20
digest = 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
digest-96 = 0x4c1a03424b55e07fe7f27be1
test_case = 6
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key - Hash Key
First"
data_len = 54
digest = 0xaa4ae5e15272d00e95705637ce8a3b55ed402112
test_case = 7
key = 0xaa repeated 80 times
key_len = 80
data = "Test Using Larger Than Block-Size Key and Larger
Than One Block-Size Data"
data_len = 73
digest = 0xe8e99d0f45237d786d6bbaa7965c7808bbff1a91
<span class="grey">Cheng & Glenn Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
This docuemnt raises no security issues. Discussion on the strength
of the HMAC construction can be found in [<a href="#ref-HMAC" title=""HMAC: Keyed-Hashing for Message Authentication"">HMAC</a>].
References
[<a id="ref-HMAC">HMAC</a>] Krawczyk, H., Bellare, M., and R. Canetti,
"HMAC: Keyed-Hashing for Message Authentication",
<a href="./rfc2104">RFC 2104</a>, February 1997.
[<a id="ref-MD5">MD5</a>] Rivest, R., "The MD5 Message-Digest Algorithm",
<a href="./rfc1321">RFC 1321</a>, April 1992.
[<a id="ref-SHA">SHA</a>] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
[<a id="ref-OG">OG</a>] Oehler, M., and R. Glenn,
"HMAC-MD5 IP Authentication with Replay Prevention",
<a href="./rfc2085">RFC 2085</a>, February 1997.
[<a id="ref-CG">CG</a>] Chang, S., and R. Glenn,
"HMAC-SHA IP Authentication with Replay Prevention",
Work in Progress.
<span class="grey">Cheng & Glenn Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
Authors' Addresses
Pau-Chen Cheng
IBM T.J. Watson Research Center
P.O.Box 704
Yorktown Heights, NY 10598
EMail: pau@watson.ibm.com
Robert Glenn
NIST
Building 820, Room 455
Gaithersburg, MD 20899
EMail: rob.glenn@nist.gov
<span class="grey">Cheng & Glenn Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
Appendix
This appendix contains the C reference code which implements HMAC-
SHA-1 using an existing SHA-1 library. It assumes that the SHA-1
library has similar API's as those of the MD5 code described in <a href="./rfc1321">RFC</a>
<a href="./rfc1321">1321</a>. The code for HMAC-MD5 is similar, just replace the strings
"SHA" and "sha" with "MD5" and "md5". HMAC-MD5 code is also listed in
<a href="./rfc2104">RFC 2104</a>.
#ifndef SHA_DIGESTSIZE
#define SHA_DIGESTSIZE 20
#endif
#ifndef SHA_BLOCKSIZE
#define SHA_BLOCKSIZE 64
#endif
#ifndef MD5_DIGESTSIZE
#define MD5_DIGESTSIZE 16
#endif
#ifndef MD5_BLOCKSIZE
#define MD5_BLOCKSIZE 64
#endif
/* Function to print the digest */
void
pr_sha(FILE* fp, char* s, int t)
{
int i ;
fprintf(fp, "0x") ;
for (i = 0 ; i < t ; i++)
fprintf(fp, "%02x", s[i]) ;
fprintf(fp, "0) ;
}
void truncate
(
char* d1, /* data to be truncated */
char* d2, /* truncated data */
int len /* length in bytes to keep */
)
{
int i ;
for (i = 0 ; i < len ; i++) d2[i] = d1[i];
}
<span class="grey">Cheng & Glenn Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
/* Function to compute the digest */
void
hmac_sha
(
char* k, /* secret key */
int lk, /* length of the key in bytes */
char* d, /* data */
int ld, /* length of data in bytes */
char* out, /* output buffer, at least "t" bytes */
int t
)
{
SHA_CTX ictx, octx ;
char isha[SHA_DIGESTSIZE], osha[SHA_DIGESTSIZE] ;
char key[SHA_DIGESTSIZE] ;
char buf[SHA_BLOCKSIZE] ;
int i ;
if (lk > SHA_BLOCKSIZE) {
SHA_CTX tctx ;
SHAInit(&tctx) ;
SHAUpdate(&tctx, k, lk) ;
SHAFinal(key, &tctx) ;
k = key ;
lk = SHA_DIGESTSIZE ;
}
/**** Inner Digest ****/
SHAInit(&ictx) ;
/* Pad the key for inner digest */
for (i = 0 ; i < lk ; ++i) buf[i] = k[i] ^ 0x36 ;
for (i = lk ; i < SHA_BLOCKSIZE ; ++i) buf[i] = 0x36 ;
SHAUpdate(&ictx, buf, SHA_BLOCKSIZE) ;
SHAUpdate(&ictx, d, ld) ;
SHAFinal(isha, &ictx) ;
/**** Outter Digest ****/
SHAInit(&octx) ;
/* Pad the key for outter digest */
<span class="grey">Cheng & Glenn Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc2202">RFC 2202</a> Test Cases for HMAC-MD5 and HMAC-SHA-1 September 1997</span>
for (i = 0 ; i < lk ; ++i) buf[i] = k[i] ^ 0x5C ;
for (i = lk ; i < SHA_BLOCKSIZE ; ++i) buf[i] = 0x5C ;
SHAUpdate(&octx, buf, SHA_BLOCKSIZE) ;
SHAUpdate(&octx, isha, SHA_DIGESTSIZE) ;
SHAFinal(osha, &octx) ;
/* truncate and print the results */
t = t > SHA_DIGESTSIZE ? SHA_DIGESTSIZE : t ;
truncate(osha, out, t) ;
pr_sha(stdout, out, t) ;
}
Cheng & Glenn Informational [Page 9]
</pre>
|
