What is HMAC?

15

When working on a project that uses sha256 and security keys, I came across the term hmac .

I still do not really know what it's all about, and I'd like to understand a bit more.

I have the following questions:

  • What would an HMAC be?
  • Does HMAC have anything to do with the hash (md5, sha1, sha256)?
  • Why do I always hear something like "HMAC calculation" ? What would this "calculation" be?
  • Does it have any purpose for information security? If so, cite examples.

And finally:

  • How do you pronounce it? I always say: "Agá mequi"
asked by anonymous 14.03.2017 / 17:40

2 answers

14

HMAC is an acronym for Hash-based Message Authentication Code

  

What would an HMAC be?

An HMAC is a type of MAC (message authentication code). A MAC is a code that you can add to the end of a message to protect the integrity of the message, ensuring that it was received by the recipient without any accidental or malicious changes.

The simplest way to try to protect the integrity of a message would be to include a checksum at the end. This would protect against accidental modifications but would not protect against malicious modifications, since a malicious person could recalculate the checksum to make it check with the modified message.

To protect against malicious modifications we can use a cryptographically secure MAC. This MAC is a checksum type, but it also depends on a secret key that only the message's author has, which theoretically prevents an opponent from recalculating the MAC of a modified message.

HMAC is a specific algorithm to generate a cryptographically secure MAC from a secret key and a message any. It is better to use this algorithm than to reinvent the wheel since many simple algorithms like hash(chave + mensagem) are vulnerable to cryptographic attacks like the size extension attack .

  

Does HMAC have anything to do with the hash (md5, sha1, sha256)?

Yes, HMAC is a general algorithm that uses a hash function internally. This hash function can be any cryptographic hash, such as md5, sha1, or sha256, and depending on the hash function you use, you get a different version of HMAC (HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc.) / p>

  

Why do I always hear something like "HMAC calculation"? What would this "calculation" be?

The HMAC is an algorithm and this calculation is simply the execution of this algorithm. Roughly, the HMAC function is defined by

HMAC(K, m) =  hash(K1 + hash(K2 + m))

where:

  • K is the secret key
  • m is the message
  • hash is the chosen hash function (md5, sha1, etc)
  • K1 and K2 are secret keys derived from the original key K
  • + is the string concatenation operation.

For more details, I recommend reading the RFC 2104 or the Wikipedia article

  

Does it have any purpose for information security? If yes, please cite examples.

An example of using MAC is that a web server can deliver cookies to its users that can be read but not modified (as any modification to the content would invalidate the MAC).

    
14.03.2017 / 19:05
7

A brief introduction on Message Authentication Code (MAC¹):

A message authentication code is information used to authenticate a message. A MAC algorithm receives as a parameter a secret key (shared only with the recipient) and the message itself that will be authenticated, and returns a message authentication code. This code is used to verify the integrity and authenticity of the message data .

As we can see in the representation below, the message sender uses an algorithm to generate the message MAC to be sent using the secret key. The message and MAC are sent to the recipient. It holds the secret key executes the same algorithm on the message and checks if the generated MAC is equal to that sent by the sender. If they are the same, the recipient can assume that the integrity and authenticity of the message are ok.

Representationofinformationexchangeusingmessageauthentication(MAC)code
Adaptedfrom: Message Authentication Code - Wikipedia
¹MAC = Message Authentication Code

What is a Hash-based Message Authentication Code?

It is a type of message authentication code (MAC) involving in its construction a cryptographic hash (H) function combining with a secret key.

SHA-1, MD5 and other cryptographic hash functions can be used in the HMAC calculation and its cryptographic strength may vary according to the hash function used. p>

In the RFC 2104 definition, a representation of the HMAC function / calculation is displayed, where:

  • H (·) is a cryptographic hash function
  • K is a secret key filled with extra zeros to the right for input into the block of the hash function, or the hash of the original key if it is larger than the block size
  • m is the message to be authenticated
  • ∥ denotes concatenation
  • ⊕ denotes or exclusive (XOR)
  • opad is the external padding (0x5c5c5c ... 5c5c), a block of constant hex length)
  • ipad is the internal padding (0x363636 ... 3636), a block of constant hex length)

Description and representation obtained at: HMAC - Wikipedia, the free encyclopedia

>

ActualexampleofHMACusage:

AusecasethatIhaveexperiencedwasthevalidationoftheauthenticityandintegrityofnotificationssentfromapaymentsystemtoane-commercesystem(usingHMAC-SHA1),regardingthestatusoftransactions(confirmationsandcancellationsofproductpayments).

ThisvalidationisimportanttomakesurethattheresponsecomesfromthepaymentsystemandisnotfromanindividualwithbadintentionsforgingaPOSTofconfirmationofpaymentforatransaction,forexample.ThesecretkeyusedinthiscaseistheAPIKeyprovidedbythepaymentsystem.

HowdoyoupronounceHMAC?

Inthefirstfewseconds of this video and this video also you can hear the pronunciation of the term in English.

References:

16.03.2017 / 20:46