HMAC-SHA1-96 is just a weakened HMAC-SHA1

HMAC-SHA1-96 truncates the 160-bit digest of HMAC-SHA1 to 96 bits:

RFC 2202 (which covers not only HMAC-SHA1-96 but also HMAC-MD5-96):

HMAC-MD5
key = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
key_len = 16
data = “Test With Truncation”
data_len = 20
digest = 0x56461ef2342edc00f9bab995690efd4c
digest-96 = 0x56461ef2342edc00f9bab995

HMAC-SHA-1
key = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
key_len = 20
data = “Test With Truncation”
data_len = 20
digest = 0x4c1a03424b55e07fe7f27be1d58bb9324a9a5a04
digest-96 = 0x4c1a03424b55e07fe7f27be1

HMAC-SHA-1
key = 0xaa repeated 80 times
key_len = 80
data = “Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data”
data_len = 73
digest = 0xe8e99d0f45237d786d6bbaa7965c7808bbff1a91
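
An added example (not from the original post or from RFC 2202) that recomputes the two truncation vectors above with Python's standard hmac module and shows a receiver-side check for a 96-bit tag. The names TAG_LEN, hmac_96, check_vectors and verify_96 are this example's own.

```python
import hmac

TAG_LEN = 12  # 96 bits, as in HMAC-SHA1-96 and HMAC-MD5-96

# The two truncation vectors quoted above:
# (hash name, key, data, full digest, digest-96)
VECTORS = [
    ("md5", bytes([0x0c]) * 16, b"Test With Truncation",
     "56461ef2342edc00f9bab995690efd4c", "56461ef2342edc00f9bab995"),
    ("sha1", bytes([0x0c]) * 20, b"Test With Truncation",
     "4c1a03424b55e07fe7f27be1d58bb9324a9a5a04", "4c1a03424b55e07fe7f27be1"),
]


def hmac_96(hash_name: str, key: bytes, data: bytes) -> bytes:
    """Compute the full HMAC, then keep only the first 12 bytes."""
    return hmac.new(key, data, hash_name).digest()[:TAG_LEN]


def check_vectors() -> bool:
    """Recompute each vector; digest-96 must be a prefix of the full digest."""
    for hash_name, key, data, full_hex, trunc_hex in VECTORS:
        full = hmac.new(key, data, hash_name).hexdigest()
        if full != full_hex or hmac_96(hash_name, key, data).hex() != trunc_hex:
            return False
        if not full_hex.startswith(trunc_hex):
            return False
    return True


def verify_96(hash_name: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver-side check for a truncated tag.

    The length test matters: a verifier that compares only len(tag) bytes
    would accept shortened tags and lose most of the 96 bits.
    """
    if len(tag) != TAG_LEN:
        return False
    # Constant-time comparison of the recomputed tag with the received one.
    return hmac.compare_digest(hmac_96(hash_name, key, data), tag)


if __name__ == "__main__":
    print("vectors match:", check_vectors())
    key, data = bytes([0x0c]) * 20, b"Test With Truncation"
    good = bytes.fromhex(VECTORS[1][4])
    print("96-bit tag accepted:", verify_96("sha1", key, data, good))
    print("4-byte tag accepted:", verify_96("sha1", key, data, good[:4]))
```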

2 Comments

  • jb said:

    We use hmac-*-96 in SSH. Dunno why people would want a truncated hash, apart from places like mobile devices.

  • Shunya Fantadox said:

    The max actual security of a 96-bit hash is 48 bits, which satisfies the limitation of the legacy US weapon export law. Now it’s just for backward compatibility.