Definition

Hash-based Message Authentication Code (HMAC)

Hash-based Message Authentication Code (HMAC) is a message authentication code that uses a cryptographic key in conjunction with a hash function.

Hash-based message authentication code (HMAC) gives the server and the client a shared secret (private) key that is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, for each request to the server by hashing the request data with the secret key and sending the result as part of the request. What makes HMAC more secure than a plain hash-based message authentication code (MAC) is that the key and the message are hashed in separate, nested steps:

HMAC(key, msg) = H(mod1(key) || H(mod2(key) || msg))

Here H is the underlying hash function, || denotes concatenation, and mod1(key) and mod2(key) are the key, padded to the hash function's block size, XORed with two different fixed padding constants (the outer and inner pads defined in FIPS 198-1). This nested construction ensures the process is not susceptible to length-extension attacks, in which an attacker appends data to the message, and avoids the risk of elements of the key leaking as successive MACs are created.

Once the server receives the request, it regenerates its own HMAC from the same request data and shared key and compares the two HMACs. If they are equal, the client is trusted and the request is executed. This process is often called a secret handshake.
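The construction and the client/server exchange described above, as an added example that is not part of the original definition: hmac_sha256 builds the tag exactly as in the formula (mod1/mod2 being the padded key XORed with the outer and inner pad constants), and verify_request shows the server-side comparison done in constant time. The shared key and request body are constructed sample values, and the function names are assumptions.

```python
import hashlib
import hmac  # stdlib reference implementation, used only to cross-check

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC pads/XORs the key to this width


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC per FIPS 198-1 / RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    # Keys longer than one block are first hashed; shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # The two "modified keys" (mod1/mod2 above) are the padded key XORed with
    # fixed constants: 0x5c (outer pad) and 0x36 (inner pad).
    o_key_pad = bytes(b ^ 0x5C for b in key)
    i_key_pad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.sha256(i_key_pad + msg).digest()
    return hashlib.sha256(o_key_pad + inner).digest()


def sign_request(shared_key: bytes, request_body: bytes) -> str:
    """Client side: tag the request with the shared secret (hex for transport)."""
    return hmac_sha256(shared_key, request_body).hex()


def verify_request(shared_key: bytes, request_body: bytes, received_tag: str) -> bool:
    """Server side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    expected = hmac_sha256(shared_key, request_body).hex()
    return hmac.compare_digest(expected, received_tag)


# Constructed sample values: a shared secret and a request body.
SHARED_KEY = b"example-shared-secret-not-for-production"
REQUEST = b'{"action":"transfer","amount":100}'

if __name__ == "__main__":
    tag = sign_request(SHARED_KEY, REQUEST)
    print("tag:", tag)
    print("valid:", verify_request(SHARED_KEY, REQUEST, tag))
    # Any change to the body or the tag causes verification to fail.
    print("tampered:", verify_request(SHARED_KEY, REQUEST + b"x", tag))
    # Cross-check the hand-rolled construction against the standard library.
    assert hmac.new(SHARED_KEY, REQUEST, hashlib.sha256).hexdigest() == tag
```

The first assertion in the test below is RFC 4231 test case 1 (key of twenty 0x0b bytes, data "Hi There"), which any correct HMAC-SHA-256 must reproduce.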

This was last updated in November 2010

Next Steps

The spate of credit card breaches at major retailers demands more advanced cryptography standards to protect cardholders. The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt specific cardholder information. Understanding the choice of encryption methods, such as hashing, public/private key cryptography and others, is a high priority for ensuring retailers don't get breached. Learn more about authentication, and get started by reading a primer on multifactor authentication in the enterprise. Then read our comparison of MFA tools to get the inside scoop on the product landscape.


1 comment


I'm not sure this article is correct with regard to the use of public/private keys. Please see the NIST site: http://csrc.nist.gov/groups/ST/toolkit/message_auth.html and the document http://csrc.nist.gov/groups/ST/toolkit/message_auth.html / http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf

HMAC is usually used with a private/secret key known only to the sender and the receiver.
