What is HMAC(Hash based Message Authentication Code)? - GeeksforGeeks (2024)

Last Updated : 01 Jul, 2024

Improve

HMAC (Hash-based Message Authentication Code) is a type of message authentication code (MAC) that is acquired by executing a cryptographic hash function on the data that is to be authenticated and a secret shared key. Like any of the MACs, it is used for both data integrity and authentication.

What is HMAC?

HMAC (Hash-Based Message Authentication Code)is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. Unlike approaches based on signatures and asymmetric cryptography. Checking data integrity is necessary for the parties involved in communication. HTTPS, SFTP, FTPS, and other transfer protocols use HMAC. The cryptographic hash function may be MD-5, SHA-1, or SHA-256. Digital signatures are nearly similar to HMACs i.e. they both employ a hash function and a shared key. The difference lies in the keys i.e. HMAC uses a symmetric key(same copy) while Signatures uses an asymmetric (two different keys).

What is HMAC(Hash based Message Authentication Code)? - GeeksforGeeks (1)

Working of Hash-based Message Authentication Code

HMACs provides client and server with a shared private key that is known only to them. The client makes a unique hash (HMAC) for every request. When the client requests the server, it hashes the requested data with a private key and sends it as a part of the request. Both the message and key are hashed in separate steps making it secure. When the server receives the request, it makes its own HMAC. Both the HMACS are compared and if both are equal, the client is considered legitimate.

The formula for HMAC:

 HMAC = hashFunc(secret key + message) 

There are three types of authentication functions. They are message encryption, message authentication code, and hash functions. The major difference between MAC and hash (HMAC here) is the dependence of a key. In HMAC we have to apply the hash function along with a key on the plain text. The hash function will be applied to the plain text message. But before applying, we have to compute S bits and then append it to plain text and after that apply the hash function. For generating those S bits we make use of a key that is shared between the sender and receiver.

What is HMAC(Hash based Message Authentication Code)? - GeeksforGeeks (2)

Using key K (0 < K < b), K+ is generated by padding O’s on left side of key K until length becomes b bits. The reason why it’s not padded on right is change(increase) in the length of key. b bits because it is the block size of plain text. There are two predefined padding bits called ipad and opad. All this is done before applying hash function to the plain text message.

 ipad - 00110110 
opad - 01011100

Now we have to calculate S bits:

  1. K+ is XORed with ipad and the result is S1 bits which is equivalent to b bits since both K+ and ipad are b bits. We have to append S1 with plain text messages. Let P be the plain text message.
  2. S1, p0, p1 upto Pm each is b bits. m is the number of plain text blocks. P0 is plain text block and b is plain text block size. After appending S1 to Plain text we have to apply HASH algorithm (any variant). Simultaneously we have to apply initialization vector (IV) which is a buffer of size n-bits. The result produced is therefore n-bit hashcode i.e H( S1 || M ).
  3. Similarly, n-bits are padded to b-bits And K+ is EXORed with opad producing output S2 bits. S2 is appended to the b-bits and once again hash function is applied with IV to the block. This further results into n-bit hashcode which is H( S2 || H( S1 || M )).

Summary of Calculation

  • Select K.
    • If K < b, pad 0’s on left until k=b. K is between 0 and b ( 0 < K < b )
  • EXOR K+ with ipad equivalent to b bits producing S1 bits.
  • Append S1 with plain text M
  • Apply SHA-512 on ( S1 || M )
  • Pad n-bits until length is equal to b-bits
  • EXOR K+ with opad equivalent to b bits producing S2 bits.
  • Append S2 with output of step 5.
  • Apply SHA-512 on step 7 to output n-bit hashcode.

Security in Hash-based Message Authentication Code

HMAC is more secure than MAC since the key and message are hashed in different steps:

HMAC(key, message) = H(mod1(key) || H(mod2(key) || message).

The data is initially hashed by the client using a private key before being sent to the server as part of the request. The server then creates its own HMAC. This assures that the process is not vulnerable to attacks, which could result in crucial data being disclosed as subsequent MACs are generated. Additionally, once the procedure is completed, the delivered message becomes irreversible and resistant to hackers. Even if a malicious party attempts to steal the communication, they will be unable to determine its length or decrypt it because they do not have the decryption key.

Advantages of HMAC

  • HMACs are ideal for high-performance systems like routers due to the use of hash functions which are calculated and verified quickly unlike the public key systems.
  • Digital signatures are larger than HMACs, yet the HMACs provide comparably higher security.
  • HMACs are used in administrations where public key systems are prohibited.

Disadvantagesof HMAC

  • HMACs uses shared key which may lead to non-repudiation. If either sender or receiver’s key is compromised then it will be easy for attackers to create unauthorized messages.
  • Securely managing and distributing secret keys can be challenging.
  • Although unlikely, hash collisions (where two different messages produce the same hash) can occur.
  • The security of HMAC depends on the length of the secret key. Short keys are more vulnerable to brute-force attacks.
  • The security of HMAC relies on the strength of the chosen hash function (e.g., SHA-256). If the hash function is compromised, HMAC is also affected.

Applications of HMAC

  • Verification of e-mail address during activation or creation of an account.
  • Authentication of form data that is sent to the client browser and then submitted back.
  • HMACs can be used for Internet of things (IoT) due to less cost.
  • Whenever there is a need to reset the password, a link that can be used once is sent without adding a server state.
  • It can take a message of any length and convert it into a fixed-length message digest. That is even if you got a long message, the message digest will be small and thus permits maximizing bandwidth.

Conclusion

HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. It is widely used in secure communication protocols like HTTPS and SFTP. HMAC provides higher security than traditional MACs due to its two-step hashing process, making it resistant to certain types of attacks. Despite challenges like key management and potential hash collisions, HMAC remains a robust and efficient method for securing data in various applications, including email verification, IoT, and password reset mechanisms.

Frequently Asked Questions on HMAC – FAQs

What is HMAC SHA1 used for?

An HMAC can be used to determine whether a message received via an insecure channel has been tampered , assuming the sender and receiver share a secret key.

Where is HMAC used?

HMAC encryption is also ideal for IoT devices, high-performance systems such as routers, and email address verification.

What is the size of the HMAC key?

The size of the HMAC key is 64 bytes.

Is HMAC reversible?

No HMAC is always irrevesible.



A

ajaychawla

Improve

Next Article

Message Authentication Codes

Please Login to comment...

What is HMAC(Hash based Message Authentication Code)? - GeeksforGeeks (2024)

FAQs

What is HMAC(Hash based Message Authentication Code)? - GeeksforGeeks? ›

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

What is HMAC Hash-based Message Authentication Code? ›

What Is HMAC (Hash-Based Message Authentication Code)? Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. HMAC makes it possible to confirm the data integrity and authenticity of a message.

What is HMAC SHA256 authentication code? ›

HMACSHA256 is a type of keyed hash algorithm that is constructed from the SHA-256 hash function and used as a Hash-based Message Authentication Code (HMAC).

What is the difference between hash and HMAC? ›

A message authentication code (MAC) is similar to a cryptographic hash, except that it is based on a secret key. When secret key information is included with the data that is processed by a cryptographic hash function, the resulting hash is known as an HMAC.

What is the best authentication for HMAC? ›

So which HMAC should you use? You would normally choose an HMAC based on its underlying hash function. So, for example, you would want to use HMAC-MD5 if performance is more critical to you than security. On the other hand, if security is more critical, then you might want to use HMAC-SHA256 instead.

What are the benefits of HMAC authentication? ›

The HMAC process ensures that your data isn't open to attacks and safeguards its integrity. When the HMAC process is finished the message becomes permanently hashed, meaning it can only be accessed and unlocked with the right secret key.

How do HMAC keys work? ›

An HMAC key is a type of credential associated with an account, typically a service account. You use an HMAC key to create signatures using the HMAC-SHA256 signing algorithm. The signatures you create are then included in requests to the Cloud Storage XML API.

What is the difference between SHA-256 and HMAC? ›

HMAC stands for "Hash-based Message Authentication Code," and SHA-256 refers to the Secure Hash Algorithm 256-bit variant. HMAC-SHA-256 combines the strength of SHA-256's cryptographic hashing with HMAC's ability to authenticate the integrity and source of a message.

What are the key requirements for HMAC SHA-256? ›

The secret key for HMACSHA256 encryption. The key can be any length. However, the recommended size is 64 bytes. If the key is more than 64 bytes long, it is hashed (using SHA-256) to derive a 64-byte key.

What is the difference between HMAC and AES? ›

Terminology nitpick: HMAC is a keyed hash function. Hash functions are not reversible. AES on the other hand is a symmetric block cipher, which produces decryptable ciphertexts. Those two are fundamentally different.

What are the disadvantages of HMAC? ›

One of the main drawbacks of HMAC is that it requires both parties to share a secret key in advance, which can be challenging in some scenarios, such as public key infrastructures or distributed systems.

Is HMAC encrypted or hashing? ›

HMAC does not encrypt the message. Instead, the message (encrypted or not) must be sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves, and if it is authentic, the received and computed hashes will match.

Why does HMAC use two keys? ›

Cryptographic keys.

An encryption algorithm alters data, and a recipient needs a specific code (or key) to make it readable once more. HMAC relies on two sets of keys. One is public, and one is private.

How to use HMAC authentication? ›

How to Implement HMAC
  1. Build your token in Ad Manager. You'll specify details about the visit and the time. You'll use Google's authentication key to create your "secret key."
  2. Implement. You can put your new token within your authorization request header, or you can pass it as a query string or form data parameter.
Sep 15, 2023

What is the HMAC code? ›

HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. Unlike approaches based on signatures and asymmetric cryptography. Checking data integrity is necessary for the parties involved in communication.

What is the best practice of HMAC authentication? ›

3 Best practices for HMAC

To use HMAC effectively and securely, it's recommended to use a strong hash function, such as SHA-256, SHA-384, or SHA-512. A secure key should be generated randomly, stored securely, and rotated periodically. The key should be long enough to prevent brute-force attacks.

What is a MAC code? ›

Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent through a network or transferred from one person to another.

How to generate HMAC secret key? ›

Create an HMAC key
  1. In the Google Cloud console, go to the Cloud Storage Settings page. Go to Settings.
  2. Select the Interoperability tab.
  3. Click add_box Create a key for a service account.
  4. Select the service account you want the HMAC key to be associated with.
  5. Click Create key.

How do you verify the HMAC key? ›

Enable HMAC signatures
  • In your Customer Area, go to Developers > Webhooks.
  • From the list of webhooks, select the one to configure.
  • Select Edit webhook or the edit icon .
  • Under Security, generate a new HMAC key or enter an existing HMAC key. ...
  • Select Save configuration.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Tish Haag

Last Updated:

Views: 5279

Rating: 4.7 / 5 (67 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Tish Haag

Birthday: 1999-11-18

Address: 30256 Tara Expressway, Kutchburgh, VT 92892-0078

Phone: +4215847628708

Job: Internal Consulting Engineer

Hobby: Roller skating, Roller skating, Kayaking, Flying, Graffiti, Ghost hunting, scrapbook

Introduction: My name is Tish Haag, I am a excited, delightful, curious, beautiful, agreeable, enchanting, fancy person who loves writing and wants to share my knowledge and understanding with you.