Hash-based message authentication code (hmac)

> Software Security > (Authentication|Access control|Identification) - AuthN

1 - About

Hash-based message authentication code

A keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving:

As the private key is stored on the client side (code, config file), there is a possibility for an agressor to retrieve it via reverse engineering

3 - Usage

It may be used to simultaneously:

  • verify both the data integrity
  • and the authentication of a message, as with any MAC.

4 - Concept - Example

HMAC does not encrypt the message. Instead, the message (encrypted or not) is sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves, and if it is authentic, the received and computed hashes will match.

Your client (for instance: mobile app, react app) will need:

  • a public API key that:
    • identifies the client,
    • is send along with the request.
    • is public (everyone can see it).
  • and a private / cryptographic key that:
    • should never be sent along with the request,
    • is known by the client (embedded key in app)
    • is known by the server
    • is used to hash the message that will be sent to the server.

5 - Management

5.1 - Creation

The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know.

5.2 - Naming (HMAC-MD5 or HMAC-SHAX)

The resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1).

6 - Documentation / Reference