What is HMAC?

While working on a project that uses sha256 and security keys, I came across the term hmac.

I still don't know what it's all about, and I'd like to understand a little more.

I have the following doubts:

  • What Would an HMAC be?
  • does HMAC have anything to do with hash (md5, sha1, sha256)?
  • Why do I always hear something like "HMAC calculation" ? What would that be "calculation" ?
  • does it have any purpose for information security? If so, cite examples.

And finally:

  • How to pronounce it? I always say: "Agá-mequi"
Author: Wallace Maxters, 2017-03-14
Source

2 answers

HMAC is an acronym for Hash-based Message Authentication Code

What Would an HMAC be?

An HMAC is a type of MAC (message authentication code). A MAC is code that you can add to the end of a message to protect the integrity of the message, ensuring that it was received by the recipient without accidental or malicious changes.

The simplest way to try to protect the integrity of a message would be include a checksum at the end. This would protect against accidental modifications but would not protect against malicious modifications, since a malicious person could recalculate the checksum to make it check with the modified message.

To protect against malicious modifications we can use a cryptographically secure MAC. This MAC is like a checksum, but it also depends on a secret key that only author of the message has, which theoretically prevents an opponent from recalculate your MAC from a modified message.

HMAC is a a specific algorithm for generating a cryptographically secure MAC from a secret key and any message. It is better to use this algorithm than to reinvent the wheel as many simple algorithms like hash(chave + mensagem) are vulnerable to cryptographic attacks like size extension attack.

HMAC has something to do with hash (md5, sha1, sha256)?

Yes, HMAC is a general algorithm that uses a hash function internally. This hash function can be any cryptographic hash, such as md5, sha1 or sha256 and depending on the hash function you use you get a different version of HMAC (HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc).

Why do I always hear something like "HMAC calculation"? What would this "calculation"be?

HMAC is an algorithm and this calculation is simply execution of that algorithm. Roughly speaking, the HMAC function is defined by

HMAC(K, m) =  hash(K1 + hash(K2 + m))

Where:

  • K is the secret key
  • m is the message
  • hash is the chosen hash function (md5, sha1, etc)
  • K1 and K2 are secret keys derived from the original key K
  • + is the string concatenation operation.

For more details, I recommend reading the RFC 2104 or the Wikipedia article

Does it have any purpose for information security? If so, cite examples.

An example of using MAC is that a web server can deliver cookies to its users that can be read but not modified (as any modification to the content would invalidate the MAC).

 18
Author: hugomg, 2017-08-31 05:42:44

A brief introduction about Message Authentication Code (MAC1):

A message authentication code is information used to authenticate a message. A MAC algorithm receives as a parameter a secret key (shared only with the recipient) and the message itself that will be authenticated, and returns a message authentication code. this code is used to verify the integrity and authenticity of message data.

As we can see in the representation below, the sender of the message uses an algorithm to generate the MAC of the message to be sent using the secret key. The message and MAC are sent to the recipient. It in possession of the secret key performs the same algorithm on the message and checks if the generated MAC is the same as the one sent by the sender. If they are the same, the recipient can assume that the integrity and authenticity of the message are ok.

insert the description of the image here representation of exchange of information using Message Authentication Code (MAC).
adapted from: Message Authentication Code-Wikipedia
1MAC = Message Authentication Code

What is an HMAC-Hash-based Message Authentication Code?

Is a type of Message Authentication Code (MAC) involving in its construction a cryptographic hash (H) function combining with a secret key.

SHA-1, MD5 and other cryptographic hash functions can be used in the calculation of HMAC and its cryptographic strength may vary according to the hash function used.

In the definition RFC 2104 a representation of the function/calculation HMAC is presented, where:

  • H (*·is a cryptographic hash function
  • K is a secret key filled with extra zeros on the right for input into the block of the hash function size , or the hash of the original key if it is larger than the block size
  • m is the message to be authenticated
  • den denotes concatenation
  • den denotes or exclusive (XOR)
  • opad is the external fill (0x5c5c5c...5c5c), a block of hexadecimal constant length)
  • ipad is the internal fill (0x363636...3636), a block of hexadecimal constant length)

description and representation obtained at: HMAC-Wikipedia, the free encyclopedia

insert the description of the image here

Actual example of using HMAC:

One use case I had experience with was validation of the authenticity and integrity of notifications sent from a payment system to an e-commerce system (using HMAC-SHA1), referring to the status of transactions (product payment confirmations and cancellations).

This validation is important to make sure that the response comes from the payment system and is not from an individual with bad intentions forging a payment confirmation POST of a transaction, for example. The Secret Key used in this case is the API Key provided by the payment system.

How to pronounce HMAC?

In the first seconds of this video and this video also you can hear the pronunciation of the term in English.

References:

 9
Author: William Pereira, 2017-03-17 20:17:06