4

Can we use two different hash functions in single hmac..for ex' for inner layer hash function md5 and for outer layer hash function sha1

Sahal Naz
  • 41
  • 1

1 Answers1

5

This is exactly what was done in early versions of HMAC. Of course, there would be no reason to do this with an already broken hash function. Note that MD5 is completely broken and SHA1 is close to, so neither of these are great choices.

Yehuda Lindell
  • 27,820
  • 1
  • 66
  • 83
  • MD5-HMAC and SHA1-HMAC can still be used as MAC. Quoting RFC6151: The attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code. ... Therefore, it may not be urgent to remove HMAC-MD5 from the existing protocols. However, since MD5 must not be used for digital signatures, for a new protocol design, a ciphersuite with HMAC-MD5 should not be included. – kludg Oct 07 '16 at 13:33
  • I haven't seen an early version of HMAC which used different hash function in the inner/outer layers; the original HMAC paper (Bellare et al) implied you use the same hash for both. Are you sure someone actually did that? – poncho Oct 07 '16 at 15:34
  • @poncho See https://tools.ietf.org/html/rfc6101: section F.1.5 for the design principle and section 6.2.2 for an exact description of the usage. In Sectin 5.2.3.1 it is also hinted at but I wasn't sure without reading more details. – Yehuda Lindell Oct 08 '16 at 16:44
  • @kludg I am fully aware that there are no practical attacks on HMAC-MD5 or HMAC-SHA1. However, it is really not smart to use HMAC-MD5 today (MD5 is so broken that you our confidence in HMAC-MD5 is severely shaken, even if no attacks are currently known). Also, as you yourself quoted: if you are doing something new then you should certainly NOT use HMAC-MD5; I go further to say use HMAC-SHA256 and not even HMAC-SHA1. – Yehuda Lindell Oct 08 '16 at 18:22
  • @YehudaLindell: SSLv3 doesn't use separate hashes for the inner/outer HMAC computations; instead, section F.1.5 and section 6.2.2 is talking about the key derivation function, which really isn't HMAC at all. I don't know what you see as a 'hint' in section 5.2.3.1 (which does talk about the SSLv3 variant of HMACs) – poncho Oct 16 '16 at 02:56