What is HMAC (Hash-based Message Authentication Code)?
Last Updated: 01 Jul, 2024
HMAC (Hash-based Message Authentication Code) is a type of message authentication code (MAC) that is obtained by executing a cryptographic hash function on the data to be authenticated and a shared secret key. Like any MAC, it is used for both data integrity and authentication.
What is HMAC?
HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key, unlike approaches based on signatures and asymmetric cryptography. The parties involved in communication need to check data integrity. HTTPS, SFTP, FTPS, and other transfer protocols use HMAC. The cryptographic hash function may be MD5, SHA-1, or SHA-256. Digital signatures are similar to HMACs in that both employ a hash function and a key. The difference lies in the keys: HMAC uses a symmetric key (both parties hold the same copy), while signatures use an asymmetric key pair (two different keys).

Working of Hash-based Message Authentication Code
With HMAC, the client and server share a secret key that is known only to them. The client makes a unique hash (HMAC) for every request. When the client sends a request to the server, it hashes the request data with the secret key and sends the result as part of the request. The message and key are hashed in separate steps, which makes it secure. When the server receives the request, it computes its own HMAC. The two HMACs are compared, and if they are equal, the client is considered legitimate.
The formula for HMAC:
HMAC = hashFunc(secret key + message)
There are three types of authentication functions: message encryption, message authentication codes, and hash functions. The major difference between a MAC and a hash (HMAC here) is the dependence on a key. In HMAC we apply the hash function together with a key to the plain text. The hash function is applied to the plain text message, but before applying it we have to compute S bits and append them to the plain text. To generate those S bits we use a key that is shared between the sender and receiver.

Using key K (0 < K < b), K+ is generated by padding 0's on the left side of key K until its length becomes b bits. The reason it is not padded on the right is the change (increase) in the length of the key. The length is b bits because that is the block size of the plain text. There are two predefined padding bit patterns called ipad and opad. All this is done before applying the hash function to the plain text message.
ipad - 00110110
opad - 01011100
Now we have to calculate S bits:
- K+ is XORed with ipad, and the result is S1, which is b bits long since both K+ and ipad are b bits. S1 is then joined with the plain text message. Let P be the plain text message.
- S1, P0, P1 up to Pm are each b bits, where m is the number of plain text blocks, P0 is a plain text block, and b is the plain text block size. After appending S1 to the plain text, we apply the hash algorithm (any variant) together with an initialization vector (IV), which is a buffer of n bits. The result is an n-bit hash code, i.e. H( S1 || M ).
- Similarly, the n-bit result is padded to b bits, and K+ is XORed with opad to produce S2. S2 is appended to the b-bit block and the hash function is applied once again with the IV. This results in the n-bit hash code H( S2 || H( S1 || M )).
Summary of Calculation
1. Select K.
2. If K < b, pad 0's on the left until K = b. K is between 0 and b (0 < K < b).
3. XOR K+ with ipad (b bits) to produce S1.
4. Append S1 with the plain text M.
5. Apply SHA-512 on ( S1 || M ).
6. Pad the n-bit result until its length is equal to b bits.
7. XOR K+ with opad (b bits) to produce S2.
8. Append S2 with the output of step 5.
9. Apply SHA-512 on the output of step 8 to produce the n-bit hash code.
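The calculation above, written out as an added Python example (not code from the original article) and checked against the standard library's `hmac` module. It follows RFC 2104, in which the zero bytes that extend the key to the block size are appended after the key bytes and a key longer than one block is hashed first; the function name and sample values are assumptions.

```python
import hashlib
import hmac

IPAD = 0x36  # 00110110, repeated for every byte of the block
OPAD = 0x5C  # 01011100, repeated for every byte of the block


def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha512") -> bytes:
    """Compute HMAC by building S1 and S2 explicitly (hypothetical helper)."""
    block_size = hashlib.new(hash_name).block_size  # b in bytes (128 for SHA-512)

    # RFC 2104: a key longer than one block is replaced by its hash.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()

    # K+: the key extended with zero bytes to exactly b bytes.
    k_plus = key.ljust(block_size, b"\x00")

    # S1 = K+ XOR ipad, S2 = K+ XOR opad; both are b bytes long.
    s1 = bytes(byte ^ IPAD for byte in k_plus)
    s2 = bytes(byte ^ OPAD for byte in k_plus)

    # Inner hash H(S1 || M). The hash function's own padding and IV handling
    # are internal to hashlib.
    inner = hashlib.new(hash_name, s1 + message).digest()

    # Outer hash H(S2 || H(S1 || M)) gives the n-bit tag.
    return hashlib.new(hash_name, s2 + inner).digest()


# Constructed sample values, for illustration only.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MESSAGE = b"amount=100&to=alice"

if __name__ == "__main__":
    tag = hmac_from_steps(SAMPLE_KEY, SAMPLE_MESSAGE)
    reference = hmac.new(SAMPLE_KEY, SAMPLE_MESSAGE, hashlib.sha512).digest()
    print("matches hmac module:", hmac.compare_digest(tag, reference))
    print("tag:", tag.hex())
```

In application code, call `hmac.new` directly; the step-by-step version is only useful for seeing where ipad and opad enter the computation.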
Security in Hash-based Message Authentication Code
HMAC is more secure than MAC since the key and message are hashed in different steps:
HMAC(key, message) = H(mod1(key) || H(mod2(key) || message)).
The data is initially hashed by the client using a private key before being sent to the server as part of the request. The server then creates its own HMAC. This assures that the process is not vulnerable to attacks, which could result in crucial data being disclosed as subsequent MACs are generated. Additionally, once the procedure is completed, the delivered message becomes irreversible and resistant to hackers. Even if a malicious party attempts to steal the communication, they will be unable to determine its length or decrypt it because they do not have the decryption key.
Advantages of HMAC
- HMACs are ideal for high-performance systems like routers due to the use of hash functions which are calculated and verified quickly unlike the public key systems.
- Digital signatures are larger than HMACs, yet the HMACs provide comparably higher security.
- HMACs are used in administrations where public key systems are prohibited.
Disadvantages of HMAC
- HMAC uses a shared key, which may lead to a lack of non-repudiation. If either the sender's or the receiver's key is compromised, it will be easy for attackers to create unauthorized messages.
- Securely managing and distributing secret keys can be challenging.
- Although unlikely, hash collisions (where two different messages produce the same hash) can occur.
- The security of HMAC depends on the length of the secret key. Short keys are more vulnerable to brute-force attacks.
- The security of HMAC relies on the strength of the chosen hash function (e.g., SHA-256). If the hash function is compromised, HMAC is also affected.
Applications of HMAC
- Verification of e-mail address during activation or creation of an account.
- Authentication of form data that is sent to the client browser and then submitted back.
- HMACs can be used for the Internet of Things (IoT) because of their low cost.
- Whenever there is a need to reset the password, a link that can be used once is sent without adding a server state.
- It can take a message of any length and convert it into a fixed-length message digest. That is even if you got a long message, the message digest will be small and thus permits maximizing bandwidth.
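The stateless, single-use password reset link from the list above, as an added Python example (not code from the original article). The server stores nothing per link: it recomputes the HMAC and compares it in constant time, as in the client/server check described earlier. The key, user table, token layout and function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real service loads a long random key from a secret store.
SERVER_KEY = b"constructed-demo-key-0123456789abcdef"
# Constructed user table: user id -> current stored password hash (placeholder).
USERS = {"alice": "pwhash-v1"}


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: bytes, pw_hash: str) -> bytes:
    # Mixing in the current password hash makes the link single-use: after the
    # password changes, the recomputed tag no longer matches. The length prefix
    # keeps the payload/pw_hash boundary unambiguous.
    msg = len(payload).to_bytes(4, "big") + payload + pw_hash.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def make_reset_token(user_id: str, now: int, ttl: int = 900) -> str:
    payload = f"{user_id}|{now + ttl}".encode()
    return _b64e(payload) + "." + _b64e(_tag(payload, USERS[user_id]))


def verify_reset_token(token: str, now: int):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        user_id, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:
        return None
    pw_hash = USERS.get(user_id)
    if pw_hash is None:
        return None
    # Recompute the HMAC server-side and compare in constant time.
    if not hmac.compare_digest(tag, _tag(payload, pw_hash)):
        return None
    return user_id if now <= expires else None
```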
Conclusion
HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that ensures data integrity and authenticity using a hash function and a secret key. It is widely used in secure communication protocols like HTTPS and SFTP. HMAC provides higher security than traditional MACs due to its two-step hashing process, making it resistant to certain types of attacks. Despite challenges like key management and potential hash collisions, HMAC remains a robust and efficient method for securing data in various applications, including email verification, IoT, and password reset mechanisms.