
Key lengths for HMAC prf's




When I'm using the HMAC version of the Hash function as my pseudo-random
number generator, what key length do I use?  A quick search of the
ISAKMP/Oakley document reveals nothing.  Am I supposed to infer a length
from the following portion of RFC2104?

2. Definition of HMAC

   The definition of HMAC requires a cryptographic hash function, which
   we denote by H, and a secret key K. We assume H to be a cryptographic
   hash function where data is hashed by iterating a basic compression
   function on blocks of data.   We denote by B the byte-length of such
   blocks (B=64 for all the above mentioned examples of hash functions),
   and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
   SHA-1).  The authentication key K can be of any length up to B, the
   block length of the hash function.  Applications that use keys longer
   than B bytes will first hash the key using H and then use the
   resultant L byte string as the actual key to HMAC. In any case the
   minimal recommended length for K is L bytes (as the hash output
   length). See section 3 for more information on keys.

[snip]

3. Keys

   The key for HMAC can be of any length (keys longer than B bytes are
   first hashed using H).  However, less than L bytes is strongly
   discouraged as it would decrease the security strength of the
   function.  Keys longer than L bytes are acceptable but the extra
   length would not significantly increase the function strength. (A
   longer key may be advisable if the randomness of the key is
   considered weak.)

If so, what should I infer?

Dan, can you please add this to IO-RES?  If I've once again missed the
reference, can you put it somewhere near the text 'prf' or
'pseudo-random' so we can do a text search for it?


thanks,

ben
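
Added example, not part of the original message and not code from RFC 2104 or the ISAKMP/Oakley drafts: the key handling described in the quoted RFC 2104 text, written out in Python and checked against the standard library's hmac module. The function names and the sample keys and message are constructed for this illustration; the zero-padding of short keys to B bytes comes from the RFC's construction steps, which the message does not quote.

```python
import hashlib
import hmac

def key_block(key: bytes, hash_name: str = "sha1") -> bytes:
    """Return the B-byte block HMAC derives from K (RFC 2104 key handling)."""
    B = hashlib.new(hash_name).block_size            # B = 64 for MD5 and SHA-1
    if len(key) > B:                                 # longer than B: hash first,
        key = hashlib.new(hash_name, key).digest()   # leaving an L-byte key
    return key.ljust(B, b"\x00")                     # zero-pad up to B bytes

def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """H(K xor opad, H(K xor ipad, text)), built directly from the hash."""
    block = key_block(key, hash_name)
    ipad = bytes(b ^ 0x36 for b in block)
    opad = bytes(b ^ 0x5C for b in block)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def classify_key(key: bytes, hash_name: str = "sha1") -> str:
    """Place a key length against the L and B bounds from the quoted text."""
    h = hashlib.new(hash_name)
    if len(key) < h.digest_size:
        return "below L: strongly discouraged"
    if len(key) <= h.block_size:
        return "L..B: used directly"
    return "above B: replaced by H(K)"

if __name__ == "__main__":
    msg = b"constructed sample message"
    for n in (8, 20, 64, 100):                       # constructed key lengths
        k = bytes(range(n))
        same = hmac.compare_digest(hmac_rfc2104(k, msg),
                                   hmac.new(k, msg, "sha1").digest())
        print(f"{n:3d}-byte key  {classify_key(k):32s} matches stdlib: {same}")
    long_key = bytes(range(100))
    # A key longer than B and its SHA-1 digest are interchangeable as HMAC keys.
    print(hmac_rfc2104(long_key, msg)
          == hmac_rfc2104(hashlib.sha1(long_key).digest(), msg))
```

Because short keys are zero-padded to B bytes, a key and the same key with trailing zero bytes appended also produce identical HMAC output.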


