Hash-Based Message Authentication Code

From Encyclopedia of Cybersecurity

Hash-Based Message Authentication Code (HMAC)

Hash-Based Message Authentication Code (HMAC) is a type of message authentication code (MAC) that uses a cryptographic hash function along with a secret key to verify the integrity and authenticity of a message. HMAC provides a mechanism for verifying that a message has not been altered or tampered with during transmission and that it originated from a trusted source.

Overview

HMAC combines the security properties of a cryptographic hash function with the secrecy of a shared secret key to generate a fixed-size authentication tag for a message. This tag is appended to the message and sent along with it. Upon receiving the message, the recipient can recompute the HMAC using the same secret key and verify that it matches the received authentication tag. If the computed HMAC matches the received one, the recipient can be confident that the message has not been altered and originated from the expected sender.

Key Features

  • Integrity: HMAC ensures the integrity of a message by generating a unique authentication tag that changes if any part of the message is altered.
  • Authentication: HMAC provides authentication by using a secret key to generate the authentication tag, ensuring that only parties with knowledge of the key can verify the authenticity of the message.
  • Non-repudiation: HMAC provides non-repudiation by proving that a message was indeed sent by a particular party, as only that party possesses the secret key needed to generate the authentication tag.
  • Efficiency: HMAC is computationally efficient and easy to implement, making it suitable for a wide range of applications.

Construction

HMAC is constructed using the following steps:

  1. Key Setup: The secret key is padded and processed by the cryptographic hash function to generate two initial hash values, known as inner and outer keys.
  2. Inner Hashing: The inner key is XORed with a predefined constant and concatenated with the message. The result is hashed using the cryptographic hash function.
  3. Outer Hashing: The outer key is XORed with a different predefined constant and concatenated with the result of the inner hashing step. The final result is hashed again using the cryptographic hash function to generate the HMAC.

Applications

HMAC is used in various security protocols and applications, including:

  • Secure Communication: Verifying the integrity and authenticity of data transmitted over insecure networks, such as the internet, in protocols like TLS, IPsec, and SSH.
  • Message Authentication: Verifying the authenticity of messages and data exchanged between parties in cryptographic protocols, digital signatures, and authentication mechanisms.
  • Password Authentication: Generating and verifying authentication tokens and password hashes in authentication protocols and systems.

Conclusion

Hash-Based Message Authentication Code (HMAC) is a widely used cryptographic technique for verifying the integrity and authenticity of messages. By combining the properties of a cryptographic hash function with a secret key, HMAC provides a robust mechanism for ensuring the security of data transmission and authentication in various applications and protocols.