What is HMAC
Last updated: April 1, 2026
Key Facts
- HMAC was proposed by Mihir Bellare, Ran Canetti, and Rafi Venkatesan in 1996 and is standardized in FIPS 198-1
- HMAC works by combining a secret key with a message and applying a hash function (like SHA-256) to produce a unique authentication code
- The recipient can verify an HMAC by recomputing it with their own copy of the secret key and comparing it to the received HMAC
- HMAC is computationally efficient and widely used in API authentication, session token verification, and data integrity checks
- Unlike digital signatures, HMAC requires both parties to share the same secret key, making it suitable for symmetric key authentication scenarios
Introduction to HMAC
HMAC stands for Hash-based Message Authentication Code, a cryptographic technique used to verify both the authenticity and integrity of a message. It combines a shared secret key with a message and applies a cryptographic hash function to produce a unique code that proves the message hasn't been altered and comes from an authenticated source.
How HMAC Works
HMAC operates through a straightforward but powerful process involving several cryptographic operations. The sender uses a secret key and the message to calculate an HMAC value. This value is then transmitted along with the original message to the recipient. The recipient uses their own copy of the secret key to independently calculate an HMAC from the received message. If both HMAC values match, the message is authenticated and unaltered. If they differ, the message has been tampered with or the sender is not who they claim to be.
Technical Construction
HMAC combines three main components to ensure security:
- Secret key: A shared symmetric key known only to the sender and recipient
- Hash function: A cryptographic function like SHA-256 or SHA-512 that produces a fixed-length output
- Message: The data whose authenticity and integrity need to be verified
The HMAC algorithm applies the hash function twice: first combining the key with the message, then hashing the result again with a modified key. This double-hashing approach significantly strengthens security against various cryptographic attacks.
Common Applications
HMAC is widely deployed across internet security and data protection:
- API authentication: Services use HMAC to verify requests from clients using shared API secrets
- Session tokens: Web applications use HMAC to ensure session cookies haven't been forged or modified
- Webhook verification: Platforms use HMAC to prove webhooks originate from legitimate sources
- Message authentication: Email systems and messaging platforms use HMAC to prevent message tampering
- File integrity: Software downloads and updates are verified using HMAC
HMAC vs. Digital Signatures
While both HMAC and digital signatures provide authentication, they work differently. HMAC uses a symmetric secret key that both parties must share, making it efficient for internal systems or trusted partners. Digital signatures use asymmetric cryptography with public and private keys, allowing verification by anyone with the public key, which is essential for public authentication scenarios.
Security Considerations
The security of HMAC depends entirely on the secrecy of the shared key. If the key is compromised, anyone who holds it can forge valid HMACs for any message. Therefore, secret keys must be generated securely, stored safely, and rotated periodically. Organizations should never hardcode secret keys in source code or share them over insecure channels.
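The sender/recipient exchange described under "How HMAC Works" and the key-handling advice above, as an added example that is not part of the original page: the receiver recomputes the tag and compares it in constant time, the key is read from the environment rather than hardcoded, and a tampered message or a different key fails verification. The variable name `HMAC_SECRET` and the helper names are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets


def sign(key: bytes, message: bytes) -> str:
    """Sender side: compute the tag that travels alongside the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver side: recompute with our own copy of the key and compare.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading characters of a guessed tag were correct.
    """
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_tag)


def generate_key() -> bytes:
    """256-bit key from the OS CSPRNG; suitable as an HMAC-SHA256 key."""
    return secrets.token_bytes(32)


def load_key(env_var: str = "HMAC_SECRET") -> bytes:
    """Assumed deployment pattern: the key lives in the environment or a secret store."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to run with no key")
    return bytes.fromhex(value)


def demo() -> tuple:
    """Constructed round trip: genuine, tampered, and wrong-key cases."""
    key = generate_key()
    message = b'{"order_id": 42, "amount": 100}'
    tag = sign(key, message)
    tampered = b'{"order_id": 42, "amount": 1000}'
    return (
        verify(key, message, tag),          # genuine: True
        verify(key, tampered, tag),         # message altered in transit: False
        verify(generate_key(), message, tag),  # recipient holds a different key: False
    )
```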
Related Questions
What is the difference between HMAC and a digital signature?
HMAC uses a shared secret key for symmetric authentication, while digital signatures use asymmetric cryptography with public and private keys. HMAC is faster and suitable for private authentication between trusted parties, whereas digital signatures enable public verification of authenticity.
Can HMAC be used for encryption?
No, HMAC is designed exclusively for authentication and integrity verification, not encryption. It produces a hash code that proves a message is authentic but does not conceal the message contents. For confidentiality, encryption algorithms like AES must be used separately.
What hash functions are used with HMAC?
Common hash functions paired with HMAC include SHA-256, SHA-512, and SHA-1 (though SHA-1 is deprecated). SHA-256 and SHA-512 are recommended for new implementations due to their strong security properties and resistance to collision attacks.
Sources
- Wikipedia, "HMAC" (CC-BY-SA-4.0)
- NIST FIPS 198-1, "The Keyed-Hash Message Authentication Code" (public domain)