The Use of HMAC-SHA-1-96 within ESP and AH
C. Madson, R. Glenn · 1998-11
Abstract
This document describes the use of the HMAC algorithm in conjunction with the SHA-1 algorithm as an authentication mechanism within the revised IPSEC Encapsulating Security Payload (ESP) and the Authentication Header (AH) protocols. HMAC-SHA-1-96 produces a 96-bit authenticator value that is truncated from a 160-bit HMAC-SHA-1 output.
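The truncation and the receiver-side check described above, as an added example that is not taken from the RFC text or from any IPsec implementation. The function names and the sample key and message are assumptions made for illustration; the retained 96 bits are the first 12 bytes of the HMAC-SHA-1 output.

```python
import hashlib
import hmac

FULL_LEN = 20  # HMAC-SHA-1 output: 160 bits
ICV_LEN = 12   # authenticator carried in ESP/AH: 96 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Compute HMAC-SHA-1 over data and keep the first 96 bits."""
    full = hmac.new(key, data, hashlib.sha1).digest()
    assert len(full) == FULL_LEN
    return full[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, received_icv: bytes) -> bool:
    """Receiver side: recompute the authenticator and compare it."""
    # Accept only a full 96-bit value, so a shortened authenticator
    # can never pass on a prefix match.
    if len(received_icv) != ICV_LEN:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hmac_sha1_96(key, data), received_icv)


# Sample input: key and message of HMAC-SHA-1 test case 1 in RFC 2202,
# used here in place of a real security association key and packet.
SAMPLE_KEY = bytes([0x0B]) * 20
SAMPLE_DATA = b"Hi There"


def demo() -> dict:
    """Run the sender and receiver steps on the sample input."""
    icv = hmac_sha1_96(SAMPLE_KEY, SAMPLE_DATA)
    return {
        "icv_hex": icv.hex(),
        "intact": verify_icv(SAMPLE_KEY, SAMPLE_DATA, icv),
        "tampered": verify_icv(SAMPLE_KEY, SAMPLE_DATA + b"!", icv),
        "short_icv": verify_icv(SAMPLE_KEY, SAMPLE_DATA, icv[:8]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```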
Why This RFC Matters
RFC 2404 established HMAC-SHA-1-96 as a mandatory-to-implement integrity algorithm for IPsec, providing a standardized method for authenticating IP datagrams without encryption. By truncating the HMAC output to 96 bits, the specification balances security strength against the overhead added to each packet. This RFC formed a foundational building block for IPsec deployments throughout the 2000s and informed the design of later integrity transforms such as HMAC-SHA-256-128 defined in RFC 4868.