What Is HMAC (Hash-Based Message Authentication Code)? | Frontegg (2024)

Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. HMAC makes it possible to confirm the data integrity and authenticity of a message. This is especially useful in scenarios like digital signatures, certificate authorities, and transport layer security and secure sockets layer (TLS and SSL) protocols.

HMAC authenticates messages between parties using cryptographic hashes based on shared secret keys. The HMAC process can be used together with several hash functions, such as MD5 or SHA-1.

How a Hash-Based Message Authentication Code Works

The general formula for HMAC is:

HMAC = hashFunc(secret key + message)

Let’s unpack each of the elements in this formula—the secret key and the hash function—both of which serve to protect the integrity and authenticity of the message.

Secret Key

In the HMAC process, cryptographic keys play a crucial role. The operation begins when both the sender and receiver of a message agree on a secret key. This key will be used in the hashing process, ensuring that both parties can verify the authenticity of the message. The secret key is combined with the original message to create a hash.

The secret key is not directly hashed with the message but is used in a more complex process involving a combination of XOR operations and hash functions. This ensures that even if an attacker knows the hash function used, they cannot generate the correct HMAC without the correct secret key.

Hash Function

The hash function is a crucial part of the HMAC process. Once the message has been combined with the secret key, the hash function is applied to the result. This hash function can be any cryptographic hash function, such as MD5 or SHA-1. The output of the hash function is a fixed-size string of bytes, which is the final HMAC.

The hash function is one-way, meaning that once the message has been hashed, the original input cannot be recovered from the hash. This process ensures data integrity, as any change in the message or the key will result in a different hash, allowing for easy detection of tampering.

Benefits of Using HMAC Authentication

Combines Secret Key and Hash Function

The strength of HMAC lies in its combination of both a secret key and a hash function. The secret key adds a layer of security by ensuring that only those with the key can generate or verify an HMAC. This aspect is particularly important in scenarios where confidentiality and data integrity are critical.

The hash function, on the other hand, ensures data integrity by creating a unique output for every unique input. Any change in the input, however minor, will significantly alter the resulting hash, making any tampering evident.

Guarantees Data Integrity and Authenticity

HMAC ensures that the data has not been tampered with during transmission by creating a unique hash for each message based on its content and a secret key. This hash is then sent along with the message. Upon receipt, the receiver generates their own hash from the received message and the secret key. If the received hash matches the generated hash, the data integrity is confirmed.

Similarly, HMAC can confirm the authenticity of a message. Because the hash is generated with a secret key, a correctly computed HMAC assures the recipient that the message came from a source possessing the correct shared secret key and therefore is authentic. This double-check of both integrity and authenticity provides a high level of security for data transmission.

Resistant to Length Extension Attacks

Length extension attacks exploit properties of certain hash functions that allow an attacker to calculate the hash of input1 + input2, knowing only the hash of input1 and the length of input1. HMAC's resistance to these attacks is particularly important when using hash functions like MD5 and SHA-1, which are vulnerable to them.

HMAC mitigates this vulnerability by applying the hash function twice in its computation. The output hash of the first application is the input to the second application, effectively obscuring the intermediate results and thwarting length extension attacks.
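The XOR-and-hash construction mentioned under Secret Key, and the two nested hash passes described here, can be written out directly. The following is an added example, not code from the original article: it follows the RFC 2104 definition, checks the result against Python's standard `hmac` module, and contrasts it with the simplified `hashFunc(secret key + message)` form. The key and message values are constructed samples.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as defined in RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # A key longer than one hash block is hashed first; a shorter one is zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    # XOR the padded key with two fixed constants to derive the inner and outer pads.
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # First pass: hash the inner pad followed by the message.
    inner = hashlib.new(hash_name, ipad + message).digest()
    # Second pass: hash the outer pad followed by the first digest. Only this
    # value is released, so the inner hash state is never exposed to extension.
    return hashlib.new(hash_name, opad + inner).digest()

def naive_keyed_hash(key: bytes, message: bytes) -> bytes:
    """The simplified hashFunc(secret key + message) form, shown for contrast only."""
    return hashlib.sha256(key + message).digest()

def compare(key: bytes, message: bytes) -> dict:
    """Compare the manual construction with the standard library and the naive form."""
    reference = hmac.new(key, message, hashlib.sha256).digest()
    return {
        "matches_stdlib": hmac.compare_digest(hmac_manual(key, message), reference),
        "differs_from_naive": naive_keyed_hash(key, message) != reference,
    }

if __name__ == "__main__":
    # Constructed sample inputs.
    sample_key = b"constructed-demo-key"
    sample_msg = b"amount=100&to=alice"
    print(hmac_manual(sample_key, sample_msg).hex())
    print(compare(sample_key, sample_msg))
    # A key longer than the 64-byte block takes the hash-the-key-first path.
    print(compare(b"k" * 100, sample_msg))
```

In production code, call the library's `hmac.new` rather than a hand-written construction; the manual version is here only to show what the library does.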

Drawbacks of HMAC

HMAC is a highly effective security mechanism, but also has some drawbacks to be aware of.

Performance Overhead

One of the most significant challenges of HMAC is its performance overhead. The process of generating an HMAC involves calculating a hash function twice, which can be computationally expensive. This overhead can cause latency in systems that require real-time or near-real-time data transmission.

In addition, the computational cost of HMAC can be even higher if the data being transmitted is large. For every message, an HMAC must be calculated and appended, which can significantly slow down the data transmission process.

The performance overhead of HMAC can be particularly problematic in devices with limited computational resources, such as IoT devices.

Not Suitable for Non-Repudiation

Non-repudiation refers to the ability to prove that a particular party performed a specific action or transaction. HMAC does not provide this: it cannot be used to prove that a particular party sent a specific message.

The reason for this limitation is that HMAC uses a shared secret key for both the sender and the receiver. This means that both parties have the same key and can generate the same HMAC. Therefore, if a dispute arises about who sent a message, there is no way to conclusively prove it using the HMAC alone.

This limitation makes HMAC unsuitable for applications where non-repudiation is critical, such as legal transactions, financial transactions, or other high-stakes communications.

Fixed Output Length

HMAC also has a fixed output length, which can be a limitation in certain situations. The output length of an HMAC is determined by the hash function used, and it does not change regardless of the size of the input data. This means that the HMAC for a small message will have the same length as the HMAC for a large message.

The fixed output length of HMAC can lead to potential issues with data storage and transmission. For example, if a system is designed to accommodate a specific data size, appending an HMAC to the data could exceed the system’s capacity.

Best Practices for Implementing HMAC

Here are a few best practices you can use to maximize the effectiveness of HMAC in securing communications.

Use a Strong Key

The strength of an HMAC is largely dependent on the strength of the key used. A weak key can significantly undermine the security provided by HMAC, making it easier for attackers to guess the key and forge the HMAC.

A strong key should be long, random, and unpredictable. It should also be unique for each application or session, and it should not be derived from predictable data.

Secure Key Management

The key used in HMAC is a shared secret between the sender and the receiver. If this key is compromised, the security of the entire system is at risk.

Secure key management involves keeping the key confidential and ensuring it is securely transmitted between parties. The key should be encrypted when stored or transmitted, and it should be regularly updated to prevent it from being compromised.

Furthermore, secure key management also involves proper key disposal. When a key is no longer needed, it should be securely destroyed to prevent it from being recovered and used maliciously.

Select a Secure Hash Function

The choice of hash function plays a critical role in the security and performance of HMAC. A secure hash function should produce a unique output for every unique input, and it should be computationally infeasible to generate the same hash output from two different inputs.

One of the most commonly used hash functions in HMAC is SHA-256, which is considered secure and efficient. However, depending on the specific requirements of the system, other hash functions may also be suitable.

Include Timestamps or Nonces

To prevent replay attacks, it is advisable to include timestamps or nonces in the HMAC calculation. A replay attack occurs when an attacker intercepts a valid message together with its HMAC and retransmits them to impersonate the sender.

By including a timestamp or nonce in the HMAC, the receiver can verify that the HMAC is fresh and has not been replayed. A timestamp ensures that the HMAC is valid only for a specific time, while a nonce ensures that the HMAC is valid only for a specific session.

However, it is important to note that the use of timestamps or nonces requires synchronization between the sender and the receiver. If their clocks or sessions are not synchronized, the HMAC verification may fail even if the data is authentic.
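One way to bind a timestamp and a nonce into the HMAC and check them on receipt, as an added example that is not part of the original article. The message field names, the 300-second window, the length-prefixed encoding and the in-memory nonce store are assumptions made for illustration; the key and message bodies are constructed samples.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; size it to your clock drift

def _canonical(ts: str, nonce: str, body: bytes) -> bytes:
    # Length-prefix every field so bytes cannot slide between ts, nonce and body.
    parts = [ts.encode(), nonce.encode(), body]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def sign(key: bytes, body: bytes, now=None) -> dict:
    """Sender side: bind a timestamp and a random nonce into the HMAC input."""
    ts = str(int(time.time()) if now is None else now)
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _canonical(ts, nonce, body), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "tag": tag}

class Verifier:
    """Receiver side. The in-memory nonce store is a stand-in for a shared cache."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> last second at which its timestamp is still fresh

    def verify(self, msg: dict, now=None) -> str:
        now = int(time.time()) if now is None else now
        data = _canonical(msg["ts"], msg["nonce"], msg["body"])
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        # Check the tag first, in constant time; ts and nonce are untrusted until then.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"
        ts = int(msg["ts"])
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"
        # Forget nonces whose timestamps can no longer pass the freshness check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if msg["nonce"] in self.seen:
            return "replayed"
        self.seen[msg["nonce"]] = ts + MAX_SKEW_SECONDS
        return "ok"

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed demo key
    receiver = Verifier(key)
    msg = sign(key, b"transfer=100")       # constructed sample message
    print(receiver.verify(msg))            # first delivery
    print(receiver.verify(msg))            # same message delivered again
    print(receiver.verify(dict(msg, body=b"transfer=900")))  # modified body
```

Combining both checks keeps the nonce store bounded: a nonce only has to be remembered for as long as its timestamp would still be accepted.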

Use Libraries from Trusted Sources

Implementing HMAC requires a deep understanding of cryptography and careful attention to detail. Even a small mistake can significantly undermine the security of HMAC and expose the system to attacks.

To ensure the correct and secure implementation of HMAC, it is advisable to use libraries from trusted sources. These libraries have been rigorously tested and reviewed by experts, and they follow the latest standards and best practices.

User Authentication with Frontegg

Frontegg is a self-served and user-friendly User Management platform for SaaS businesses that are looking to cover both Authorization and Authentication bases with one centralized solution. There’s no need to worry about coding and implementing changes. Just manage your roles and permissions, create strong Authentication flows, and customize your Login Box, all via one dashboard.

FAQs

What Is HMAC (Hash-Based Message Authentication Code)? ›

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

What is HMAC hash-based message authentication code? ›

What Is HMAC (Hash-Based Message Authentication Code)? Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. HMAC makes it possible to confirm the data integrity and authenticity of a message.

What is HMAC SHA256 authentication code? ›

HMACSHA256 is a type of keyed hash algorithm that is constructed from the SHA-256 hash function and used as a Hash-based Message Authentication Code (HMAC).

What is the best authentication for HMAC? ›

So which HMAC should you use? You would normally choose an HMAC based on its underlying hash function. So, for example, you would want to use HMAC-MD5 if performance is more critical to you than security. On the other hand, if security is more critical, then you might want to use HMAC-SHA256 instead.

What is the difference between hash and HMAC? ›

A message authentication code (MAC) is similar to a cryptographic hash, except that it is based on a secret key. When secret key information is included with the data that is processed by a cryptographic hash function, the resulting hash is known as an HMAC.

What are the benefits of HMAC authentication? ›

The HMAC process ensures that your data isn't open to attacks and safeguards its integrity. When the HMAC process is finished the message becomes permanently hashed, meaning it can only be accessed and unlocked with the right secret key.

How do you verify the HMAC key? ›

Enable HMAC signatures
  • In your Customer Area, go to Developers > Webhooks.
  • From the list of webhooks, select the one to configure.
  • Select Edit webhook or the edit icon.
  • Under Security, generate a new HMAC key or enter an existing HMAC key. ...
  • Select Save configuration.

How to generate HMAC key? ›

Create an HMAC key
  1. In the Google Cloud console, go to the Cloud Storage Settings page.
  2. Select the Interoperability tab.
  3. Click Create a key for a service account.
  4. Select the service account you want the HMAC key to be associated with.
  5. Click Create key.

What are the disadvantages of HMAC? ›

One of the main drawbacks of HMAC is that it requires both parties to share a secret key in advance, which can be challenging in some scenarios, such as public key infrastructures or distributed systems.

What is the difference between SHA-256 and HMAC? ›

HMAC stands for "Hash-based Message Authentication Code," and SHA-256 refers to the Secure Hash Algorithm 256-bit variant. HMAC-SHA-256 combines the strength of SHA-256's cryptographic hashing with HMAC's ability to authenticate the integrity and source of a message.

Where is HMAC used? ›

HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. It is widely used in secure communication protocols like HTTPS and SFTP.

How to decode HMAC? ›

You can't decode it as it's a one-way encryption. To validate, you need to recreate the HMAC_SHA256 on your side from the data that has been passed and a shared secret key. You then compare your calculated value to the one provided, and if they match you know the data hasn't been tampered with.

What is the best practice of HMAC authentication? ›

3 Best practices for HMAC

To use HMAC effectively and securely, it's recommended to use a strong hash function, such as SHA-256, SHA-384, or SHA-512. A secure key should be generated randomly, stored securely, and rotated periodically. The key should be long enough to prevent brute-force attacks.

What is HMAC for dummies? ›

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

Why does HMAC need a key? ›

You use an HMAC key to create signatures using the HMAC-SHA256 signing algorithm. The signatures you create are then included in requests to the Cloud Storage XML API.

Is HMAC reversible? ›

Also, once the process is complete, the sent message becomes both irreversible and resistant to hacking. Even if a malicious party tries to intercept the message, they won't be able to guess its length or decrypt it because they won't have the decryption key.

What is a MAC code? ›

Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent through a network or transferred from one person to another.

What is the primary difference between a hash and a hashed message authentication code (HMAC)? ›

MAC, in turn, is an encryption process applied to a hashed message using a symmetric key. It is also called a tag or a keyed hash function since it usually uses a cryptographic hash as part of its algorithm.


Author: Fredrick Kertzmann
