HMAC Generator
Generate Hash-based Message Authentication Codes (HMAC) using a secret key and various hashing algorithms
About HMAC
A Hash-based Message Authentication Code (HMAC) is a specific type of message authentication code (MAC) that involves a cryptographic hash function and a secret key. It provides a way to verify both the data integrity and authenticity of a message.
Key features of HMAC:
- Data integrity: Ensures the message hasn't been altered during transmission
- Authentication: Verifies that the message came from the stated sender
- Secret key: Only parties with the secret key can generate or verify the HMAC
- Cryptographic strength: Inherits security properties from the underlying hash function
Security Note: The security of an HMAC depends on the strength of the underlying hash function and the size and quality of the key. Always use a strong, random key and a secure hash algorithm like SHA-256 or better.
How HMAC Works
The HMAC algorithm combines a hash function with a secret key through a series of operations:
HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
HMAC hashes twice, mixing the key with fixed inner and outer padding constants (ipad and opad), which prevents length extension attacks. This two-step process creates a more secure authentication code than simply concatenating the key and message.
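The construction above, spelled out step by step in Python as an added example that is not part of the original page. It also shows the verification side, using a constant-time comparison. The names `hmac_manual` and `verify` are hypothetical, chosen for this illustration, and the sample key and message are the ones used elsewhere on this page.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m)) step by step."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256

    # K': a key longer than one hash block is hashed first, then the key is
    # right-padded with zero bytes up to the block size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")

    # ipad is the byte 0x36 repeated, opad is the byte 0x5c repeated.
    inner_key = bytes(b ^ 0x36 for b in k_prime)
    outer_key = bytes(b ^ 0x5C for b in k_prime)

    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag_hex: str) -> bool:
    """Recompute the tag (SHA-256) and compare it in constant time."""
    try:
        received = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # not valid hex, so it cannot be a valid tag
    expected = hmac_manual(key, message)
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Sample values reuse the message and key from this page's examples.
    key, message = b"secret-key-1234", b"Hello, world!"
    tag = hmac_manual(key, message).hex()
    reference = hmac.new(key, message, hashlib.sha256).hexdigest()
    print("matches standard library:", tag == reference)
    print("valid tag accepted:", verify(key, message, tag))
    print("tampered message accepted:", verify(key, b"Hello, world?", tag))
```
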
Algorithm | Output Size (bits) | Security Level | Use Case |
---|---|---|---|
HMAC-MD5 | 128 | Low | Legacy systems, non-security critical applications |
HMAC-SHA1 | 160 | Moderate | Legacy compatibility, not recommended for new applications |
HMAC-SHA256 | 256 | High | General purpose, recommended for most applications |
HMAC-SHA512 | 512 | Very High | High-security applications, sensitive data |
HMAC-SHA3 | Variable | Very High | Modern applications requiring the latest standards |
HMAC Implementation in Different Languages
Here are examples of how to use HMAC in common programming languages:
JavaScript:

```javascript
const crypto = require('crypto');
const message = 'Hello, world!';
const key = 'secret-key-1234';
// Generate HMAC
const hmac = crypto.createHmac('sha256', key)
  .update(message)
  .digest('hex');
// Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
```
Python:

```python
import hmac
import hashlib
message = b'Hello, world!'
key = b'secret-key-1234'
# Generate HMAC
hmac_sha256 = hmac.new(key, message, hashlib.sha256).hexdigest()
# Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
```
PHP:

```php
<?php
$message = 'Hello, world!';
$key = 'secret-key-1234';
// Generate HMAC
$hmac_sha256 = hash_hmac('sha256', $message, $key);
// Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
?>
```
Common HMAC Use Cases
- API Authentication - Securing API requests by signing them with a shared secret key
- Message Integrity - Ensuring messages haven't been tampered with during transmission
- Password Storage - Serving as a building block inside key derivation functions for secure password storage
- Digital Signatures - Providing a lightweight alternative to full digital signatures for some applications
- Cookie Validation - Securing web cookies against tampering