Questions tagged [hmac]

In cryptography, HMAC (Hash-based Message Authentication Code) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits and on the size and quality of the cryptographic key.

An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be truncated if desired.

The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk, who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely if ever used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMAC-SHA-1 and HMAC-MD5 are used within the IPsec and TLS protocols.

Source: Wikipedia

An example of calculating a HMAC-SHA256 in Java:

byte[] expectedResult = { /* Expected HMAC result from a prior run */
        96, 21, 116, 11, 4, -51, -115, -20, 104, 18, 117, -75, 3, -100, 126,
        -89, -22, 120, -120, 30, 102, 104, -125, -120, -62, 111, -75,
        24, 14, 62, 48, -65 };

byte[] secret = "your eyes only".getBytes();
String algorithm = "HmacSha256";

SecretKeySpec signingKey = new SecretKeySpec(secret, algorithm);

// Init HMAC usign secret
Mac hmac = Mac.getInstance(algorithm);
hmac.init(signingKey);

// Run message through HMAC and calculate result
byte[] message = "Don't tamper with me".getBytes();
byte[] macOutput = hmac.doFinal(message);

// Compare HMAC output to expected result
// A message that has been altered will not be equal
assertTrue(Arrays.equals(macOutput, expectedResult));

1439 questions

121

votes

5 answers

HMAC-SHA1 in bash

Is there a bash script to generate a HMAC-SHA1 hash? I'm looking for something equivalent to the following PHP code: hash_hmac("sha1", "value", "key");

bash sha1 hmac

asked Sep 02 '11 at 14:36

Mark

67,098
47
117
162

votes

9 answers

HMAC-SHA256 Algorithm for signature calculation

I am trying to create a signature using the HMAC-SHA256 algorithm and this is my code. I am using US ASCII encoding. final Charset asciiCs = Charset.forName("US-ASCII"); final Mac sha256_HMAC = Mac.getInstance("HmacSHA256"); final SecretKeySpec…

java character-encoding digital-signature hmac

asked Aug 19 '11 at 16:41

Rishi

1,331
4
13
16

votes

6 answers

How can I generate a HmacSHA256 signature of a string

Is there any way to create a HmacSHA256 signature of a string in php?

php hmac

asked Apr 25 '10 at 11:13

tarnfeld

25,992
41
111
146

votes

2 answers

What's the difference between Message Digest, Message Authentication Code, and HMAC?

My understanding of a message digest is that it's an encrypted hash of some data sent along with the encrypted data so you may verify that the data has not been tampered with. What is the difference then between this and message authentication codes…

security hmac message-digest

asked Sep 12 '10 at 22:05

zer0stimulus

22,306
30
110
141

votes

8 answers

Objective-C sample code for HMAC-SHA1

I need to generate HMAC-SHA1 in Objective C. But i didnt find anything that works. I tried with CommonCrypto, using CCHMAC, but didnt works. I need to generate a hmac and after generate HOTP number. Somebody have any example code in Objective C or…

c objective-c sha1 hmac

asked Apr 16 '09 at 14:50

Helena

votes

11 answers

How to send password securely via HTTP using Javascript in absence of HTTPS?

The very basic issue all developers face: Whenever user submits the form, the password is sent via network and it must be protected. The site I develop for doesn't have HTTPS. Neither does the owner want to buy a SSL certificate, nor is he…

security http hash password-protection hmac

asked Jan 05 '10 at 00:07

Viet

17,944
33
103
135

votes

5 answers

HMAC-SHA1: How to do it properly in Java?

I'm hashing some values using HMAC-SHA1, using the following code in Java: public static String hmacSha1(String value, String key) { try { // Get an hmac_sha1 key from the raw key bytes byte[] keyBytes = key.getBytes(); …

java hash sha1 hmac

asked Jun 10 '11 at 22:07

Mark

67,098
47
117
162

votes

8 answers

Implementation HMAC-SHA1 in python

I am trying to use the OAuth of a website, which requires the signature method to be 'HMAC-SHA1' only. I am wondering how to implement this in Python?

python oauth sha1 hmac

asked Dec 01 '11 at 08:55

xiaohan2012

9,870
23
67
101

votes

3 answers

How to generate HMAC-SHA1 in C#?

I am trying to make use of a REST API using C#. The API creator has provided sample libraries in PHP, Ruby and Java. I am getting hung up on one part of it where I need to generate an HMAC. Here's how it is done in the sample libraries they have…

c# java php ruby hmac

asked May 20 '11 at 05:16

jessegavin

74,067
28
136
164

votes

4 answers

Python3 and hmac . How to handle string not being binary

I had a script in Python2 that was working great. def _generate_signature(data): return hmac.new('key', data, hashlib.sha256).hexdigest() Where data was the output of json.dumps. Now, if I try to run the same kind of code in Python 3, I get…

python string python-3.x encoding hmac

asked Aug 06 '15 at 06:28

Aquiles Carattino

votes

2 answers

How to generate an HMAC in Java equivalent to a Python example?

I'm looking at implementing an app getting Twitter authorization via Oauth in Java. The first step is getting a request token. Here is a Python example for app engine. To test my code, I am running Python and checking output with Java. Here is an…

java oauth sha1 hmac cryptoapi

asked Jul 08 '10 at 21:31

dfrankow

20,191
41
152
214

votes

7 answers

java equivalent to php's hmac-SHA1

I'm looking for a java equivalent to this php call: hash_hmac('sha1', "test", "secret") I tried this, using java.crypto.Mac, but the two do not agree: String mykey = "secret"; String test = "test"; try { Mac mac = Mac.getInstance("HmacSHA1"); …

java php cryptography hmac

asked Oct 22 '09 at 20:56

Bee

14,277
6
35
49

votes

3 answers

HMAC vs simple MD5 Hash

Can anyone point out what the advantage of using HMАC is? For example, if I have a text T and a key K, I can use either HMAC-MD5 algorithm or Md5(T + K) to get a signature.

security md5 hmac

asked Feb 19 '11 at 15:05

user496949

83,087
147
309
426

votes

5 answers

Crypto algorithm list

I'm trying to find a list of strings that can be used a a crypto algorithm to fit into this function, replacing SHA256. crypto.createHmac("SHA256", secret).update(string).digest('base64'), I've come to the understanding that crypto uses openssl,…

javascript algorithm node.js cryptography hmac

asked Jan 05 '13 at 04:49

ThomasReggi

55,053
85
237
424

votes

4 answers

Compute HMAC-SHA512 with secret key in java

I want to exactly build a function which produces a HMAC with a secret key like this site provides: http://www.freeformatter.com/hmac-generator.html The Java 8 lib only provides MessageDigest and KeyGenerator which both only support up to…

java hmac

asked Sep 06 '16 at 18:05

PowerFlower

1,619
4
18
27

2 3

…

95 96 Next