HMAC

Also known as: Keyed-Hash MAC, RFC 2104 HMAC

A keyed Message Authentication Code construction built on top of a cryptographic hash function, defined in RFC 2104 and FIPS 198-1.

HMAC (Hash-based Message Authentication Code) is a symmetric MAC construction defined in RFC 2104 and FIPS 198-1 that combines a secret key K with a cryptographic hash function H to produce a tag: HMAC(K,m) = H((K' XOR opad) || H((K' XOR ipad) || m)). The nested structure makes HMAC secure against length-extension attacks even when used with Merkle-Damgård hashes like SHA-256, and its security is reducible to weak collision resistance and the pseudorandomness of the compression function. Common instantiations are HMAC-SHA-256 and HMAC-SHA-512, used in TLS record protection, JWT signing, OAuth, IPsec, and as the PRF inside PBKDF2 and HKDF. HMAC remains a strong default choice for symmetric message authentication.

Examples

JWT tokens with the HS256 algorithm are signed using HMAC-SHA-256.
AWS Signature Version 4 uses HMAC-SHA-256 to sign API requests.

HMAC

Examples

Related terms

Message Authentication Code (MAC)

Cryptographic Hash Function

SHA-256

PBKDF2

Digital Signature

TLS (Transport Layer Security)

Definition

Examples

Related terms

Message Authentication Code (MAC)

Cryptographic Hash Function

SHA-256

PBKDF2

Digital Signature

TLS (Transport Layer Security)