What is the HMAC?

Asked

Viewed 5,391 times

18

When working on a project that uses sha256 and security keys, I came across the term hmac.

I’m still not quite sure what this is about, and I’d like to understand a little more.

I have the following doubts:

  • What would be an HMAC?
  • HMAC has something to do with the hash (md5, sha1, sha256)?
  • Why do I always hear something like "calculation of HMAC"? What would that be "calculus"?
  • Does it have any purpose for information security? If so, cite examples.

And lastly:

  • How do you pronounce it? I always say, "Hold on"
security-guard terminology hash

2 answers

20


HMAC is an acronym for Hash-based Message Authentication Code

What would be an HMAC?

An HMAC is a type of MAC (message authentication code). A MAC is a code that you can add at the end of a message to protect the integrity of the message, ensuring that it was received by the recipient without accidental or malicious changes.

The simplest way to try to protect the integrity of a message would be to include a checksum at the end. This would protect against accidental modifications but would not protect against malicious modifications, as a malicious person could recalculate the checksum to make it match the modified message.

To protect against malicious modifications we can use an encrypted MAC. This MAC is like a checksum, but it also depends on a secret key that only the author of the message has, which theoretically prevents an opponent from recalculating the MAC from a modified message.

The HMAC is a a specific algorithm to generate a cryptographically secure MAC from a secret key and any message. It’s better to use this algorithm than to reinvent the wheel because many simple algorithms like hash(chave + mensagem) are vulnerable to cryptographic attacks such as attack of size extension.

HMAC has something to do with the hash (md5, sha1, sha256)?

Yes, HMAC is a general algorithm that uses a hash function internally. This hash function can be any cryptographic hash such as md5, sha1 or sha256 and depending on the hash function you use you get a different version of HMAC (HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc).

Why do I always hear something like "HMAC calculation"? What would this "calculation be"?

HMAC is an algorithm and this calculation is simply the execution of this algorithm. Roughly, the HMAC function is defined by

HMAC(K, m) =  hash(K1 + hash(K2 + m))

where:

  • K is the secret key
  • m is the message
  • hash is the hash function chosen (md5, sha1, etc)
  • K1 and K2 are secret keys derived from the original key K
  • + is the string concatenation operation.

For more details, I recommend reading RFC 2104 or the wikipedia article

Does it have any purpose for information security? If so, cite examples.

An example of MAC usage is that a web server can deliver cookies to its users that can be read but not modified (as any modification to the content would invalidate the MAC).

  • Great, man, very good... +1. Just missing pronunciation :>

  • 1

    In Portuguese I would say "maqui" even instead of "méqui". But I think it doesn’t matter.

  • Great explanation!

9

A brief introduction to Message Authentication Code (MAC¹):

A message authentication code is information used to authenticate a message. A MAC algorithm receives as a parameter a secret key (shared only with the recipient) and the message itself that will be authenticated, and returns a message authentication code. This code is used to verify the integrity and authenticity of the message data.

As we can see in the representation below, the sender of the message uses an algorithm to generate the MAC of the message to be sent using the secret key. The message and MAC are sent to the recipient. It in possession of the secret key executes the same algorithm on the message and checks if the generated MAC is equal to the one sent by the patch. If they are equal, the recipient can assume that the integrity and authenticity of the message are ok.

inserir a descrição da imagem aqui Representation of information exchange using message authentication code (MAC).
Adapted from: Message Authentication Code - Wikipedia
¹MAC = Message Authentication Code

What is an HMAC - Hash-based Message Authentication Code?

It is a type of message authentication code (MAC) involving in its construction a cryptographic hash (H) function combining with a secret key.

SHA-1, MD5 and other cryptographic hash functions can be used in calculation of HMAC and its cryptographic strength may vary according to the hash function used.

In defining RFC 2104 a representation of the HMAC function/calculation is shown, where:

  • H( ) is a cryptographic hash function
  • K is a secret key filled with extra zeros on the right for input into the hash function size block, or the hash of the original key if it is larger than the block size
  • m is the message to be authenticated
  • denotes concatenation
  • denote or exclusive (XOR)
  • opad is the outer fill (0x5c5c5c...5c5c), a block of hexadecimal constant length)
  • ipad is the internal fill (0x363636...3636), a block of hexadecimal constant length)

Description and representation obtained in: HMAC - Wikipedia, the free encyclopedia

inserir a descrição da imagem aqui

Real example of using HMAC:

One use case I’ve had experience with validation of the authenticity and integrity of notifications sent from a payment system for an e-commerce system (using HMAC-SHA1) relating to transaction status (confirmations and cancellations of product payments).

This validation is important to make sure that the answer comes from the payment system and is not from an individual with bad intentions forging a POST payment confirmation of a transaction, for example. The secret key used in this case is the API Key provided by the payment system.

How to pronounce HMAC?

In the first seconds of this video and this video also you can hear the pronunciation of the term in English.

References:

Browser other questions tagged security-guard terminology hash

You are not signed in. Login or sign up in order to post.