HMAC Generator

Generate Hash-based Message Authentication Codes (HMAC) using a secret key and various hashing algorithms

About HMAC

A Hash-based Message Authentication Code (HMAC) is a specific type of message authentication code (MAC) that involves a cryptographic hash function and a secret key. It provides a way to verify both the data integrity and authenticity of a message.

Key features of HMAC:

  • Data integrity: Ensures the message hasn't been altered during transmission
  • Authentication: Verifies that the message came from the stated sender
  • Secret key: Only parties with the secret key can generate or verify the HMAC
  • Cryptographic strength: Inherits security properties from the underlying hash function

Security Note: The security of an HMAC depends on the strength of the underlying hash function and the size and quality of the key. Always use a strong, random key and a secure hash algorithm like SHA-256 or better.

How HMAC Works

The HMAC algorithm combines a hash function with a secret key through a series of operations:

HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))

Where:
H = Hash function (SHA-256, etc.)
K = Secret key
m = Message
|| = Concatenation
⊕ = XOR operation

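HMAC XORs the key with two fixed constants, the inner and outer pads (ipad and opad), and hashes twice: first the inner-padded key together with the message, then the outer-padded key together with that inner digest. This nested, two-step construction prevents length extension attacks, which makes the result more secure than simply hashing the key concatenated with the message.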
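The formula above written out step by step in Python, as an added example that is not part of the original page. It derives K' from K, applies the pads, checks the result against the standard library's hmac module, and verifies a received tag in constant time. The function names hmac_manual and verify are illustrative; the pad bytes 0x36 and 0x5c are the ones fixed by RFC 2104, and the sample key and message are the ones used in the language examples on this page.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # pad bytes fixed by RFC 2104


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), built by hand."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # K': a key longer than one hash block is hashed first,
    # then the key is zero-padded on the right to exactly one block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD for b in k_prime)
    outer_key = bytes(b ^ OPAD for b in k_prime)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, received_tag_hex: str) -> bool:
    """Recompute the tag and compare in constant time.

    A plain == comparison can leak, through timing, how many leading bytes
    of a forged tag were correct; hmac.compare_digest avoids that.
    """
    try:
        received = bytes.fromhex(received_tag_hex)
    except ValueError:  # malformed hex is treated as a failed check
        return False
    return hmac.compare_digest(hmac_manual(key, message), received)


if __name__ == "__main__":
    key, message = b"secret-key-1234", b"Hello, world!"
    tag = hmac_manual(key, message)
    # The hand-built value must equal the standard library's HMAC-SHA256.
    assert tag == hmac.new(key, message, hashlib.sha256).digest()
    print("tag:", tag.hex())
    print("valid message accepted:", verify(key, message, tag.hex()))
    print("tampered message accepted:", verify(key, b"Hello, world?", tag.hex()))
```
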

Algorithm   | Output Size (bits) | Security Level | Use Case
HMAC-MD5    | 128                | Low            | Legacy systems, non-security critical applications
HMAC-SHA1   | 160                | Moderate       | Legacy compatibility, not recommended for new applications
HMAC-SHA256 | 256                | High           | General purpose, recommended for most applications
HMAC-SHA512 | 512                | Very High      | High-security applications, sensitive data
HMAC-SHA3   | Variable           | Very High      | Modern applications requiring the latest standards

HMAC Implementation in Different Languages

Here are examples of how to use HMAC in common programming languages:

JavaScript:


const crypto = require('crypto');

const message = 'Hello, world!';
const key = 'secret-key-1234';

// Generate HMAC
const hmac = crypto.createHmac('sha256', key)
                   .update(message)
                   .digest('hex');
// Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
                

Python:


import hmac
import hashlib

message = b'Hello, world!'
key = b'secret-key-1234'

# Generate HMAC
hmac_sha256 = hmac.new(key, message, hashlib.sha256).hexdigest()
# Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
                

PHP:


<?php
$message = 'Hello, world!';
$key = 'secret-key-1234';

// Generate HMAC
$hmac_sha256 = hash_hmac('sha256', $message, $key);
// Result: 'a31588fdbeceb7b7b70bab5d659e9eaee1cc1ca2d738a6064d7b2149e7588fc1'
?>
                

Common HMAC Use Cases

  • API Authentication - Securing API requests by signing them with a shared secret key
  • Message Integrity - Ensuring messages haven't been tampered with during transmission
  • Password Storage - Serving as the building block of key derivation functions (for example PBKDF2) used for secure password storage
  • Digital Signatures - Providing a lightweight alternative to full digital signatures for some applications
  • Cookie Validation - Securing web cookies against tampering