Quiz Entry - updated: 2026.07.14
How does HMAC (RFC 2104) work, and what are the inner and outer keys?
HMAC applies the hash function twice with two derived keys: $HMAC_k(x) = h(k_O \| h(k_I \| x))$, where $k_I$ and $k_O$ are derived by XORing the key with fixed padding constants.
* Two keys derived from one (via ipad/opad) wrap a nested inner-then-outer hash. *
Key derivation:
- Key $k'$ is padded with zeros to 512 bits (the hash block size) → $k$
- Inner key: $k_I = k \oplus ipad$ where $ipad$ = byte
0x36repeated 64 times - Outer key: $k_O = k \oplus opad$ where $opad$ = byte
0x5Crepeated 64 times
Computation:
- Compute inner hash: $h(k_I \| x)$ — hash the inner key concatenated with the message
- Compute outer hash: $h(k_O \| \text{inner hash})$ — hash the outer key with the inner result
- Optionally truncate to 96 bits (e.g., HMAC-96)
Key properties:
- Key $k'$ can be up to 512 bits
- Only SHA-2 and SHA-3 are approved by BSI as the underlying hash function
- Widely used in TLS, IPSec, SSH, WireGuard
- Truncation to 96 bits is a known (minor) weakness but not mandatory
Tip: The seemingly arbitrary constants 0x36 and 0x5C aren't explained in the RFC — their purpose is simply to produce two sufficiently different keys from one master key.
Go deeper:
RFC 2104 — HMAC: Keyed-Hashing for Message Authentication — the original spec defining ipad/opad and the nested construction.
HMAC (Wikipedia) — the definition, security proof sketch and its resistance to length-extension.