HMAC
What is HMAC?
HMACA keyed Message Authentication Code construction built on top of a cryptographic hash function, defined in RFC 2104 and FIPS 198-1.
HMAC (Hash-based Message Authentication Code) is a symmetric MAC construction defined in RFC 2104 and FIPS 198-1 that combines a secret key K with a cryptographic hash function H to produce a tag: HMAC(K,m) = H((K' XOR opad) || H((K' XOR ipad) || m)). The nested structure makes HMAC secure against length-extension attacks even when used with Merkle-Damgård hashes like SHA-256, and its security is reducible to weak collision resistance and the pseudorandomness of the compression function. Common instantiations are HMAC-SHA-256 and HMAC-SHA-512, used in TLS record protection, JWT signing, OAuth, IPsec, and as the PRF inside PBKDF2 and HKDF. HMAC remains a strong default choice for symmetric message authentication.
● Examples
- 01
JWT tokens with the HS256 algorithm are signed using HMAC-SHA-256.
- 02
AWS Signature Version 4 uses HMAC-SHA-256 to sign API requests.
● Frequently asked questions
What is HMAC?
A keyed Message Authentication Code construction built on top of a cryptographic hash function, defined in RFC 2104 and FIPS 198-1. It belongs to the Cryptography category of cybersecurity.
What does HMAC mean?
A keyed Message Authentication Code construction built on top of a cryptographic hash function, defined in RFC 2104 and FIPS 198-1.
How do you defend against HMAC?
Defences for HMAC typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HMAC?
Common alternative names include: Keyed-Hash MAC, RFC 2104 HMAC.