HMAC (Hash-Based Message Authentication Codes) Definition | Okta (2024)

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that usesa hash function and a secret key.

With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

How HMAC Works

Two parties want to communicate, but they want to ensure that the contents of their connection remain private. They also distrust the internet, and they need a way to verify that the packets they receive haven't been tampered with. HMAC is a valid solution.

HMAC keys consist of two parts. These are:

  1. Cryptographic keys. An encryption algorithm alters data, and a recipient needs a specific code (or key) to make it readable once more. HMAC relies on a shared sets of secret keys.
  2. Hash function. A hash algorithm alters or digests the message once more. HMAC uses generic cryptographic hash functions, such as SHA-1, MD5, or RIPEMD-128/60.

A pair using this system must agree on:

  • Secret keys. They must have a way to decode messages they get. A secret key handles this task, and it's meant to stay secret and hidden.
  • Algorithm. They must pick one hash function that all of their messages will move through.

When complete, the message is considered irreversible, and it's also resistant to hacking. Someone who intercepts this message won't even be able to guess at its length. The work renders the message contents absolutely useless to anyone without a key or a code.

HMAC tester tools can help demonstrate how something like this works. Imagine you're dealing with these inputs:

  • Potential message: I would like to buy 100 units.
  • Secret key: 666
  • Algorithm: MD5

The resulting message reads: " fd9f18089206e67b163771a3883185ab."

A dense layer of mathematics underlies what seems like an easy translation process. When we attempt to display what HMAC looks like mathematically, we use diagrams like this.

Understanding the math is critical for developers. If you're asked to explain your work and the protections you offer, a diagram can often showcase things better than your words ever can.

But the average computer user may never need to understand the math. To them, knowing that their messages are protected may be all they require.

HMAC (Hash-Based Message Authentication Codes) Definition | Okta (1)

How to Implement HMAC

To use HMAC, either as an individual or a web developer, you'll need three important things. And you'll need an agreement about those items with your recipients, so you're all using the same tools at the same time.

These are the two items you'll need:

  1. A shared secret
  2. A hashing tool

Only your server should know all three items for all of your users. And that data should be fiercely protected. Anyone who knows the secret keys for your members can take over your server and/or send fraudulent data.

Every website and coding environment is different, but walking through an example might be helpful. Imagine that you'd like to use HMAC on traffic that comes to your website via dynamic ads from Google. You will:

  • Build your token in Ad Manager. You'll specify details about the visit and the time. You'll use Google's authentication key to create your "secret key."
  • Implement. You can put your new token within your authorization request header, or you can pass it as a query string or form data parameter.

Google makes this process quick and easy. Developers can access a simple tutorial and copy code within minutes.

Notice that you're not asking your Google Ads visitors to memorize a code or do any decoding. The user's server understands the coding requirements within your website, and all of the token setting and translation is invisible to the user.

Even so, you should test this environment often before you deploy it. If you encounter a coding error, you could block people from accessing your site, as it will seem as though they're fraudulent actors. It pays to test any system like this on multiple devices before you set it loose on the wider world.

When Should You Use HMAC?

Nearly every company has sensitive information. If you take in payments of any sort, for example, you likely have credit card data at your fingertips. And if you have employees, you have Social Security numbers that could be stolen.

But some companies have even deeper issues. If you're in a heavily regulated environment, such as health care, or you deal with trade secrets, such as munitions, it pays to move past traditional security measures.

HMAC, with its dual levels of protection, could be ideal for companies that need to do a little more to prove that they're protecting their assets as carefully as possible.

Help From Okta

At Okta, we believe in customized security solutions to help our clients thrive. Learn how Okta uses HMAC signature algorithms to keep your organization secure.

References

HMAC: Keyed-Hashing for Message Authentication. (February 1997). Network Working Group.

HMAC and Key Derivation. Practical Cryptography for Developers.

HMAC Generator/Tester Tool. FreeFormatter.

How API Request Signing Works (And How to Implement HMAC in NodeJS). (2016). Andrew Hoang.

Implement HMAC Authentication (Beta). Google Ad Manager Help.

HMAC (Hash-Based Message Authentication Codes) Definition | Okta (2024)

FAQs

HMAC (Hash-Based Message Authentication Codes) Definition | Okta? ›

HMAC

HMAC
HMAC algorithm stands for Hashed or Hash-based Message Authentication Code. It is a result of work done on developing a MAC derived from cryptographic hash functions. HMAC is a great resistance to cryptanalysis attacks as it uses the Hashing concept twice.
https://www.geeksforgeeks.org › hmac-algorithm-in-computer...
(Hash-Based Message Authentication Code
Message Authentication Code
In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed (its integrity).
https://en.wikipedia.org › wiki › Message_authentication_code
) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. Unlike approaches based on signatures and asymmetric cryptography. Checking data integrity is necessary for the parties involved in communication.

What is HMAC hash-based message authentication codes? ›

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

What is the difference between a message authentication code and a hash code? ›

A message authentication code (MAC) is similar to a cryptographic hash, except that it is based on a secret key. When secret key information is included with the data that is processed by a cryptographic hash function, the resulting hash is known as an HMAC.

What is the primary difference between a hash and hashed message authentication code (HMAC)? ›

HMAC combines a cryptographic hash function (e.g., SHA-1, SHA-256) with a secret key to produce a unique hash. SHA-1, SHA-2, etc.: These are cryptographic hash functions that ensure data integrity by producing a fixed-size hash value from input data, but they do no.

What is the difference between sha256 and HMAC? ›

HMAC stands for "Hash-based Message Authentication Code," and SHA-256 refers to the Secure Hash Algorithm 256-bit variant. HMAC-SHA-256 combines the strength of SHA-256's cryptographic hashing with HMAC's ability to authenticate the integrity and source of a message.

What are the benefits of HMAC authentication? ›

The HMAC process ensures that your data isn't open to attacks and safeguards its integrity. When the HMAC process is finished the message becomes permanently hashed, meaning it can only be accessed and unlocked with the right secret key.

How does HMAC key work? ›

The client makes a unique hash (HMAC) for every request. When the client requests the server, it hashes the requested data with a private key and sends it as a part of the request. Both the message and key are hashed in separate steps making it secure. When the server receives the request, it makes its own HMAC.

What are the disadvantages of HMAC? ›

One of the main drawbacks of HMAC is that it requires both parties to share a secret key in advance, which can be challenging in some scenarios, such as public key infrastructures or distributed systems.

What is a message authentication code in simple words? ›

Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent through a network or transferred from one person to another.

How to generate HMAC secret key? ›

Create an HMAC key
  1. In the Google Cloud console, go to the Cloud Storage Settings page. Go to Settings.
  2. Select the Interoperability tab.
  3. Click add_box Create a key for a service account.
  4. Select the service account you want the HMAC key to be associated with.
  5. Click Create key.

What is the difference between HMAC and hashing? ›

An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme. HMAC can provide authentication using a shared secret instead of using digital signatures with asymmetric cryptography.

What are the objectives of HMAC? ›

HMAC can be used to check for data integrity and to authenticate the parties involved in a transaction. Many communication and transfer protocols use HMAC, including HTTPS, SFTP and FTPS. The cryptographic hash function in HMAC is typically SHA-1, SHA-256, MD5 or RIPEMD-128/160.

What is the function of the hashed message authentication code HMAC algorithm in setting up an ipsec VPN? ›

A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit. A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm.

What is HMAC hash based message authentication code? ›

What Is HMAC (Hash-Based Message Authentication Code)? Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. HMAC makes it possible to confirm the data integrity and authenticity of a message.

How to decode HMAC? ›

You can't decode it as it's a one way encryption. To validate you need to recreate the the HMAC_SHA256 on your side from the data that has been passed and a shared secret key. You then compare your calculated value to one provided and if they match you know the data hasn't been tampered with.

What is the difference between HMAC and AES? ›

AES encryption is used to encrypt data while HMAC is used to authenticate data. Both operations use the same symmetric key, but they use the key in different ways. AES encryption uses the key to encrypt the data, while HMAC uses the key to generate a message authentication code (MAC) for the data.

What is the best authentication for HMAC? ›

So which HMAC should you use? You would normally choose an HMAC based on its underlying hash function. So, for example, you would want to use HMAC-MD5 if performance is more critical to you than security. On the other hand, if security is more critical, then you might want to use HMAC-SHA256 instead.

What is the difference between hash and hash HMAC? ›

A good cryptographic hash function provides one important property: collision resistance. It should be impractical to find two messages that result in the same digest. An HMAC also provides collision resistance. But it also provides unforgeability.

What is a MAC code? ›

Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent through a network or transferred from one person to another.

What is the difference between HMAC and MD5? ›

HMAC is a type of message authentication code that uses a cryptographic hash function to verify both the data integrity and authenticity of a message. MD5 is a widely used cryptographic hash function that produces a 128-bit hash.

Top Articles
Latest Posts
Article information

Author: Allyn Kozey

Last Updated:

Views: 5271

Rating: 4.2 / 5 (63 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Allyn Kozey

Birthday: 1993-12-21

Address: Suite 454 40343 Larson Union, Port Melia, TX 16164

Phone: +2456904400762

Job: Investor Administrator

Hobby: Sketching, Puzzles, Pet, Mountaineering, Skydiving, Dowsing, Sports

Introduction: My name is Allyn Kozey, I am a outstanding, colorful, adventurous, encouraging, zealous, tender, helpful person who loves writing and wants to share my knowledge and understanding with you.