Sign in Subscribe

HMAC (Hashed Message Authentication Code)

Last updated on 

Introduction:

Hashed Message Authentication Code (HMAC) is a mechanism that is used for verifying the authenticity of a message. It is a technique that combines a secret key with a message and uses a hash function to generate a fixed-size message authentication code (MAC). The MAC is then appended to the message and sent to the receiver. The receiver can then use the same secret key and hash function to generate a MAC and compare it with the received MAC to verify the message's authenticity.

HMAC was introduced in 1996 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk, and has since become a popular method for verifying the integrity and authenticity of messages.

In this article, we will explain how HMAC works, its components, the security properties it provides, and some applications where it is used.

Components of HMAC:

The HMAC algorithm consists of two components: a keyed hash function and a secret key.

Keyed hash function: A keyed hash function is a hash function that takes a secret key and a message as input and produces a fixed-length hash value. The output of a keyed hash function is dependent on both the message and the secret key. Therefore, even if an attacker knows the message, they cannot produce the same hash value without the secret key.

HMAC uses a variety of hash functions such as MD5, SHA-1, SHA-256, etc. The choice of the hash function depends on the level of security required for the application.

Secret key: A secret key is a shared secret between the sender and the receiver. The sender uses the secret key to generate the MAC, and the receiver uses the same secret key to verify the MAC.

The secret key must be kept confidential, as an attacker who gains access to the key can generate MACs for any message.

HMAC Algorithm:

The HMAC algorithm takes the following inputs:

  1. Message: the message to be authenticated
  2. Secret key: the shared secret between the sender and the receiver
  3. Hash function: the hash function to be used

The HMAC algorithm then performs the following steps:

  1. Key modification: If the secret key is longer than the block size of the hash function, it is hashed to produce a key that is equal to the hash function's block size. If the secret key is shorter than the block size of the hash function, it is padded with zeros to produce a key that is equal to the hash function's block size.
  2. Inner padding: The message is padded with zeros to make its length a multiple of the hash function's block size. The padded message is then XORed with a block of 0x36.
  3. Hash function: The result of the XOR operation is then passed through the hash function, resulting in an intermediate hash value.
  4. Outer padding: The secret key is XORed with a block of 0x5c. The intermediate hash value is then concatenated with the result of the XOR operation to form a new message. The new message is padded with zeros to make its length a multiple of the hash function's block size.
  5. Final hash: The padded message is then passed through the hash function to produce the final HMAC value.

Security Properties of HMAC:

HMAC provides the following security properties:

  1. Message authentication: HMAC provides message authentication by ensuring that the received message has not been tampered with or modified in transit.
  2. Keyed hash: HMAC is a keyed hash function, which means that an attacker cannot generate the same MAC without the secret key.
  3. Resistance to brute-force attacks: HMAC is resistant to brute-force attacks because the secret key is used in the algorithm, making it difficult for an attacker to guess the key.
  4. Resistance to length extension attacks: HMAC is resistant to length extension attacks, where an attacker appends data to a message to generate a valid MAC for the new message. HMAC uses a double-hash technique that prevents an attacker from creating a valid MAC for a modified message.

Applications of HMAC:

HMAC is widely used in various applications that require message authentication, such as:

  1. Secure network communication: HMAC is used in secure network communication protocols such as SSL/TLS and IPSec to ensure that the received data has not been tampered with or modified in transit.
  2. Digital signatures: HMAC is used in digital signature schemes to ensure that the signed message has not been tampered with or modified.
  3. Password authentication: HMAC is used in password authentication systems to store password hashes securely. The system generates an HMAC of the password using a secret key and stores it. When a user enters a password, the system generates an HMAC of the entered password using the same secret key and compares it with the stored HMAC to verify the password.
  4. API authentication: HMAC is used in API authentication schemes to ensure that the API request is coming from a trusted source. The sender generates an HMAC of the request using a secret key and sends it along with the request. The receiver verifies the HMAC to ensure that the request is authentic.

Conclusion:

In summary, HMAC is a widely used message authentication technique that combines a secret key and a hash function to generate a fixed-size MAC. The HMAC algorithm is secure against various attacks and provides message authentication, keyed hash, resistance to brute-force attacks, and resistance to length extension attacks. HMAC is used in various applications that require message authentication, such as secure network communication, digital signatures, password authentication, and API authentication.