HMAC (Hash-Based Message Authentication Codes) Definition

Hash-based message authentication code (or HMAC) is a cryptographic technique that combines public keys, private keys, and a hash into a mix hackers can't unpack. 

Use HMAC, and you'll tap into a method that can both encrypt data and check the integrity of information you get in return.

How HMAC Works 

Two parties want to communicate, but they want to ensure that the contents of their connection remain private. They also distrust the internet, and they need a way to verify that the packets they receive haven't been tampered with. HMAC is a valid solution. 

HMAC keys consist of two parts. These are:

  1. Cryptographic keys. An encryption algorithm alters data, and a recipient needs a specific code (or key) to make it readable once more. HMAC relies on two sets of keys. One is public, and one is private.
  2. Hash function. A hash algorithm alters or digests the message once more. HMAC uses generic cryptographic hash functions, such as SHA-1, MD5, or RIPEMD-128/160.

A pair using this system must agree on:

  • Public keys. They must have a way to contact one another. A public key is a bit like an address, and it allows a sender to craft a customised message.
  • Private keys. They must have a way to decode messages they get. A private key handles this task, and it's meant to stay secret and hidden.
  • Algorithm. They must pick one hash function that all of their messages will move through. 

When complete, the message is considered irreversible, and it's also resistant to hacking. Someone who intercepts this message won't even be able to guess at its length. The work renders the message contents absolutely useless to anyone without a key or a code. 

HMAC tester tools can help demonstrate how something like this works. Imagine you're dealing with these inputs:
 

  • Potential message: I would like to buy 100 units. 
  • Secret key: 666
  • Algorithm: MD5

The resulting message reads: "fd9f18089206e67b163771a3883185ab".

A dense layer of mathematics underlies what seems like an easy translation process. When we attempt to display what HMAC looks like mathematically, we use diagrams like this. 
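The computation a tester tool performs can be written out in a few lines. The following is an added example, not code from the original page: it builds the RFC 2104 construction H((K xor opad) || H((K xor ipad) || m)) by hand, checks it against Python's standard hmac module, and shows that a modified message or a different key no longer verifies. The byte encoding of the tester inputs and the helper names are assumptions.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "md5") -> str:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || m)), hex encoded."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        # Keys longer than one block are replaced by their hash.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).hexdigest()


def verify(key: bytes, message: bytes, tag_hex: str, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, message, hash_name).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


# Tester inputs from the text above, encoded as ASCII bytes (assumed encoding).
KEY = b"666"
MESSAGE = b"I would like to buy 100 units."
TAMPERED = b"I would like to buy 900 units."  # constructed for this example


def demo() -> dict:
    tag = hmac_manual(KEY, MESSAGE)
    return {
        "tag": tag,
        "matches_stdlib": tag == hmac.new(KEY, MESSAGE, "md5").hexdigest(),
        "original_verifies": verify(KEY, MESSAGE, tag),
        "tampered_verifies": verify(KEY, TAMPERED, tag),
        "wrong_key_verifies": verify(b"667", MESSAGE, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```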

Understanding the math is critical for developers. If you're asked to explain your work and the protections you offer, a diagram can often showcase things better than your words ever can.

But the average computer user may never need to understand the math. To them, knowing that their messages are protected may be all they require.

 

[Diagram: HMAC]

 

How to Implement HMAC 

To use HMAC, either as an individual or a web developer, you'll need three important things. And you'll need an agreement abo