Hash-based Message Authentication Code (HMAC)

Hash-based Message Authentication Code (HMAC) is a message authentication code that uses a cryptographic key in conjunction with a hash function.

Hash-based message authentication code (HMAC) provides the server and the client each with a private key that is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, per request to the server by hashing the request data  with the private keys and sending it as part of a request. What makes HMAC more secure than Message Authentication Code (MAC) is that the key and the message are hashed in separate steps.

HMAC(key, msg) = H(mod1(key) || H(mod2(key) || msg))

This ensures the process is not susceptible to extension attacks that add to the message and can cause elements of the key to be leaked as successive MACs are created.

Once the server receives the request and regenerates its own unique HMAC, it compares the two HMACs. If they're equal, the client is trusted and the request is executed. This process is often called a secret handshake.

This was last updated in November 2010

Next Steps

The spate of credit card breaches of major retailers demand more advanced cryptography standards to protect credit card holders. The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt specific card holder information. Understanding the choice of encryption methods such as hashing, public-private key and others is a high priority towards ensuring retailers don’t get breached. Learn more about authentication, and get started by reading a primer on multifactor authentication in the enterprise. Then read our comparison of MFA tools to get the inside scoop on the product landscape.

Continue Reading About Hash-based Message Authentication Code (HMAC)

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing