HMAC is an acronym for Hash-based Message Authentication Code
What would an HMAC be?
An HMAC is a type of MAC (message authentication code). A MAC is a code that you can add to the end of a message to protect the integrity of the message, ensuring that it was received by the recipient without any accidental or malicious changes.
The simplest way to try to protect the integrity of a message would be to include a checksum at the end. This would protect against accidental modifications but would not protect against malicious modifications, since a malicious person could recalculate the checksum to make it check with the modified message.
To protect against malicious modifications we can use a cryptographically secure MAC. This MAC is a type of checksum, but it also depends on a secret key that only the message's author has, which theoretically prevents an opponent from recalculating the MAC of a modified message.
HMAC is a specific algorithm for generating a cryptographically secure MAC from a secret key and an arbitrary message. It is better to use this algorithm than to reinvent the wheel, since many simple constructions like hash(key + message) are vulnerable to cryptographic attacks such as the length extension attack.
Does HMAC have anything to do with the hash (md5, sha1, sha256)?
Yes, HMAC is a general algorithm that uses a hash function internally. This hash function can be any cryptographic hash, such as md5, sha1, or sha256, and depending on the hash function you use, you get a different version of HMAC (HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc.).
Why do I always hear something like "HMAC calculation"? What would this "calculation" be?
The HMAC is an algorithm and this calculation is simply the execution of this algorithm. Roughly, the HMAC function is defined by
HMAC(K, m) = hash(K1 + hash(K2 + m))
where:
- K is the secret key
- m is the message
- hash is the chosen hash function (md5, sha1, etc.)
- K1 and K2 are secret keys derived from the original key K
- + is the string concatenation operation.
For more details, I recommend reading RFC 2104 or the Wikipedia article.
Does it have any purpose for information security? If yes, please cite examples.
An example of using a MAC is that a web server can deliver cookies to its users that can be read but not modified (as any modification to the content would invalidate the MAC).
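The construction from the answer above, worked through in code as an added example (not part of the original answer): a manual HMAC per RFC 2104, where K1 = K xor opad and K2 = K xor ipad after the key is hashed down (if longer than the hash's block size) and zero-padded to that block size, checked against Python's standard `hmac` module; plus the cookie use case, where the value stays readable but any edit invalidates the tag. The cookie format `value.tag` and the helper names are assumptions for the example; the key and cookie value are constructed sample inputs.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = hash((K ^ opad) || hash((K ^ ipad) || m)), as in RFC 2104.

    In the answer's notation K1 = K ^ opad (outer key) and K2 = K ^ ipad (inner key).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for md5/sha1/sha256
    # RFC 2104: a key longer than the block size is first hashed down to digest size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # A key shorter than the block size is zero-padded up to the block size.
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)  # K2: inner key
    k_opad = bytes(b ^ 0x5C for b in key)  # K1: outer key
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def hmac_matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the manual construction against the standard library."""
    return hmac_manual(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


# Cookie use case (assumed format "value.tag", tag = hex HMAC-SHA256 of value).
def sign_cookie(key: bytes, value: str) -> str:
    tag = hmac.new(key, value.encode(), "sha256").hexdigest()
    return f"{value}.{tag}"


def verify_cookie(key: bytes, cookie: str):
    """Return the cookie value if its tag is valid, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all
    expected = hmac.new(key, value.encode(), "sha256").hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is (timing side channel).
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample inputs.
    key = b"key"
    msg = b"The quick brown fox jumps over the lazy dog"
    print("manual == stdlib:", hmac_matches_stdlib(key, msg))
    print("HMAC-SHA256:", hmac_manual(key, msg).hex())

    cookie = sign_cookie(key, "user=alice;role=user")
    print("signed cookie:", cookie)
    print("verified:", verify_cookie(key, cookie))
    tampered = cookie.replace("role=user", "role=admin")
    print("tampered verified:", verify_cookie(key, tampered))
```

Note that the client can still read `user=alice;role=user` in the clear; HMAC only guarantees that the server will reject any edited copy, and verification must use a constant-time comparison such as `hmac.compare_digest`.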