Hash-based Message Authentication Code (HMAC)

Hash-based Message Authentication Code (HMAC) is a message authentication code that uses a cryptographic key in conjunction with a hash function.

Hash-based message authentication code (HMAC) provides the server and the client each with a public and private key. The public key is known, but the private key is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, per request to the server by combing the request data and hashing that data, along with a private key and sending it as part of a request. The server receives the request and regenerates its own unique HMAC. The server compares the two HMACs, and, if they're equal, the client is trusted and the request is executed. This process is often called a secret handshake.

What makes HMAC more secure than Message Authentication Code (MAC) is that the key and the message are hashed in separate steps.

This was last updated in November 2010

Next Steps

The spate of credit card breaches of major retailers demand more advanced cryptography standards to protect credit card holders. The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt specific card holder information. Understanding the choice of encryption methods such as hashing, public-private key and others is a high priority towards ensuring retailers don’t get breached. Learn more about authentication, and get started by reading a primer on multifactor authentication in the enterprise. Then read our comparison of MFA tools to get the inside scoop on the product landscape.

Continue Reading About Hash-based Message Authentication Code (HMAC)

Dig Deeper on Web Authentication and Access Control



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.


File Extensions and File Formats