Question about truncating output length of HMAC computation
Hi,
In section 5 of RFC 2104 (HMAC: Keyed-Hashing for Message Authentication),
it has the following information:

   Applications of HMAC can choose to truncate the output of HMAC by
   outputting the t leftmost bits of the HMAC computation. We recommend
   that the output length t be not less than half the length of the hash
   output and not less than 80 bits. We propose denoting a realization of
   HMAC that uses a hash function H with t bits of output as HMAC-H-t.
   For example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function
   and with the output truncated to 80 bits. (If the parameter t is not
   specified, e.g. HMAC-MD5, then it is assumed that all the bits of the
   hash are output.)

When I was searching for RFCs about HMAC-MD5-t and HMAC-SHA1-t under the
ipsec working group of IETF homepage, I only found two relevant RFCs. One
is "The Use of HMAC-MD5-96 with ESP and AH" and the other is "The Use of
HMAC-SHA-1-96 with ESP and AH".
My question is: by default, what MUST we support for the output
length if we implement SHA-1 and MD5? Must we support truncating the output
length to 96 bits or outputting the full length (no truncation)? Which one is
more preferred and widely supported?
Loretta.
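
The truncation rule quoted from RFC 2104 section 5 above, as an added Python example that is not part of the original message. The function names (check_t, hmac_h_t, verify) are hypothetical, and the sample key and data are RFC 2202 test case 1.

```python
import hashlib
import hmac


def check_t(hash_name: str, t_bits: int) -> None:
    """Apply the RFC 2104 section 5 recommendation to the output length t."""
    full_bits = hashlib.new(hash_name).digest_size * 8
    if t_bits % 8 or not 0 < t_bits <= full_bits:
        raise ValueError(f"t must be a whole number of bytes, at most {full_bits} bits")
    floor = max(80, full_bits // 2)  # not less than half the hash, not less than 80
    if t_bits < floor:
        raise ValueError(f"t={t_bits} is below the recommended minimum of {floor} bits")


def hmac_h_t(hash_name: str, key: bytes, msg: bytes, t_bits=None) -> bytes:
    """HMAC-H-t: the t leftmost bits of HMAC-H; t_bits=None means the full output."""
    full = hmac.new(key, msg, hash_name).digest()
    if t_bits is None:
        return full
    check_t(hash_name, t_bits)
    return full[: t_bits // 8]


def verify(hash_name: str, key: bytes, msg: bytes, tag: bytes, t_bits=None) -> bool:
    """Recompute the tag at the agreed length and compare in constant time."""
    return hmac.compare_digest(hmac_h_t(hash_name, key, msg, t_bits), tag)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA-1: key = 20 bytes of 0x0b, data = "Hi There"
    key, msg = b"\x0b" * 20, b"Hi There"
    full = hmac_h_t("sha1", key, msg)
    tag96 = hmac_h_t("sha1", key, msg, 96)
    print("HMAC-SHA1    ", full.hex())
    print("HMAC-SHA1-96 ", tag96.hex())
    print("96-bit tag, receiver expects 96 bits: ", verify("sha1", key, msg, tag96, 96))
    # Sender and receiver must agree on t: a full-length tag fails a 96-bit check.
    print("160-bit tag, receiver expects 96 bits:", verify("sha1", key, msg, full, 96))
```

Both sides compute the full HMAC and differ only in how many leftmost bytes they keep, so an implementation that supports the full output can support the 96-bit form with the same code path.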