Inspired slightly by the Encrypt-then-MAC question. The most obvious message aut
ID: 651255 • Letter: I
Question
Inspired slightly by the Encrypt-then-MAC question. The most obvious message authentication code is probably HMAC or RFC 2104 which is basically a hash of the input, an xor with a key... you get the idea.
However, I've also discovered UMAC which sounds very much like a hash function/lookup table to select an appropriate hash for use in a MAC, via, crucially, "some secret process".
Is selecting an algorithm secretly in this way secure? Is the only secret in UMAC the algorithm in use, or does it combine some known secret as HMAC does? In other words, is it HMAC with a random H?
Finally, is this being used anywhere? HMAC has its own RFC whereas UMAC does not appear to have yet been so well adopted.
Explanation / Answer
This doesn't exactly address the question, but I thought I would toss my hat into the ring: HMAC uses crypto hash functions like MD5, SHA1, etc. Those are (relatively) slow.
There is another class of MACs that use Universal Hash Function families. These families are not cryptographic; they have a simple combinatorial property, and so they tend to be much faster than a crypto hash function. At the heart of UMAC is the family NH which was tuned to run fast on commodity processors and run blistering fast on processor with SIMD instructions. Poly1305 is another very fast hash family that does better or worse than NH depending on platform details.
As Thomas points out, a hash family by itself is easy to break (ie, easy to forge messages against), so you have to do some simple post-processing (like run AES on it, eg), but in general these things are still much faster than HMAC which has to use two calls to a crypto hash function.
And yes, the universal-hash-based MACs like NH (UMAC), and Poly1305 aren't widely used because they are newfangled compared to old workhorses like CBCMAC.