
I have trouble finding information on the security strength of HMAC-SHA256 against key recovery attacks with respect to the key size.

To fit a certain application I must use a 128-bit key with an HMAC-SHA256 function. All the documentation I read about HMAC-SHA256 advises or imposes a 256-bit key, but the reason given for that is that less-than-256-bit keys would "lower the security strength", without much more detail.

The HMAC is used to generate deterministic pseudorandom tags from a public message. I actually do not care about collisions, pre-image, forgery, etc.: my only constraint is that the key must remain a secret. As stated, the only attack model that interests me is the key recovery attack, and I'd like to know if there is any literature on the influence of the key size, or if I could simply assume that against recovery attacks on HMAC-SHA256, the security strength when used with a 128-bit key is simply 128 bits.

Thank you,

  • @kelalaka Thank you for answering. You will realize that those are not duplicates and do not answer my question at all. The first link is about a 256-bit key, which is textbook HMAC-SHA256 and is already heavily documented. The second link is about 256- to 512-bit keys, which is also well documented and not my issue. And I use HMAC to generate deterministic random numbers, as mentioned – dragonfire2000 Sep 17 '23 at 13:54
  • Ok, in this case, is there a specific reason not to use a 256-bit key, or better, use NIST Special Publication 800-90A? There is an HMAC-based HMAC_DRBG there that is well analyzed and published as a standard. – kelalaka Sep 17 '23 at 14:39
  • @kelalaka, thank you for answering again. I had already read the document you mentioned. The reason for the 128-bit key is that it has to fit a specific application which uses a 128-bit token attributed to each user. Simply changing its size would require a redesign of the application. Of course, I'd love to work with 256 bits, I wouldn't have had to scratch my head so much – dragonfire2000 Sep 17 '23 at 15:24
  • How many tags do you need from one piece of public information? You can use HKDF to derive those by the public parameter in the Expand part. Do you really need to use HMAC? CTR_DRBG supports a 128-bit key with AES. They have back and forward prediction resistance with the AES-128 security. The security analysis of HMAC-SHA256 that uses a 128-bit key is not an easy task, even the HMAC security analysis. – kelalaka Sep 17 '23 at 18:38
  • Have a look at NIST SP 800-107 Rev. 1 section 5.3. That should answer your question. The security of HMAC depends on the key size, the hash function, and the tag size. – samuel-lucas6 Sep 17 '23 at 20:02

0 Answers
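As an added illustration (not part of the question or of any comment above), this sketch writes out the RFC 2104 key handling to show what HMAC-SHA256 does with a 128-bit key: the key is zero-padded to the 64-byte SHA-256 block, so the same key extended with zero bytes yields identical tags. The key, the message and the function names are constructed for the example.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block size in bytes


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 following RFC 2104, spelled out to expose key handling."""
    if len(key) > BLOCK_SIZE:
        # Keys longer than one block are hashed first.
        key = hashlib.sha256(key).digest()
    # Shorter keys (such as a 16-byte key) are right-padded with zeros.
    padded = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in padded)
    opad = bytes(b ^ 0x5C for b in padded)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def tag(key: bytes, public_message: bytes) -> bytes:
    """Deterministic tag over a public message, using the standard library."""
    return hmac.new(key, public_message, hashlib.sha256).digest()


# Constructed sample values: a fixed 128-bit key and a public message.
KEY_128 = bytes(range(16))
PUBLIC_MESSAGE = b"user-42/context-A"


def demo() -> dict:
    t = tag(KEY_128, PUBLIC_MESSAGE)
    return {
        # The written-out construction agrees with hmac.new().
        "matches_stdlib": hmac.compare_digest(
            hmac_sha256_manual(KEY_128, PUBLIC_MESSAGE), t),
        # A 256-bit key that is KEY_128 plus zero bytes pads to the same block.
        "zero_extended_same_tag": tag(KEY_128 + b"\x00" * 16, PUBLIC_MESSAGE) == t,
        # Same key and message always give the same tag.
        "deterministic": tag(KEY_128, PUBLIC_MESSAGE) == t,
        # A different public message gives a different tag.
        "message_bound": tag(KEY_128, b"user-42/context-B") != t,
        "tag_bits": len(t) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```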