
So my question is a combination of 3:

  1. Does HMAC hashing also hash the message along with the secret key sent to the recipient? Or is just the secret key hashed, leaving the message as plaintext?
  2. If ONLY the secret key is hashed (not hashing the message), doesn't it make the message vulnerable to unauthorized people (attackers) if they get access to that plaintext and easily understand it?
  3. If both (message + secret key) are concatenated to form the hash, how is HMAC different from the 'SALTING' method?
mohdraqif

  • The question is better suited to security.stackexchange.com, but should be rewritten before asking there. While I've tried my best to answer below, it's not really clear what you're asking. Question 1, for example, does not make sense. You can't hash "just the HMAC." Also, "ONLY the secret key is hashed" doesn't make sense either (hashing the secret key isn't an HMAC). I suspect you have some misunderstanding about how an HMAC works, so you should likely start by researching that. You might start here: https://security.stackexchange.com/questions/20129/how-and-when-do-i-use-hmac – Rob Napier Sep 14 '20 at 15:32
  • Thank you for the referral to the article. I'm actually confused about how the HMAC works. I'll see the article. Thanks again. – mohdraqif Sep 15 '20 at 00:48

1 Answer

HMAC authenticates a message. It does not encrypt it. If you want to encrypt the message, encrypt it first, and then apply an HMAC. (This is generally called the "encrypt-then-MAC" construction.)

The point of authentication is to demonstrate that a message has not been altered. The point of encryption is to prevent other parties from reading the message. Often these go together, but they don't have to.

Rob Napier
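To make the answer concrete, here is an added illustration (constructed for this page, not code from the question or the answer) of the three points the asker raised: the HMAC tag is computed over the whole message with a secret key, the message itself still travels as readable plaintext, and a salted hash differs because the salt is public, so it cannot tell the receiver who produced the digest. The key, salt and message values are made-up sample data.

```python
import hashlib
import hmac

# Constructed sample values; not from the original page.
KEY = b"shared-secret-known-only-to-sender-and-receiver"
SALT = b"public-salt-value"
MESSAGE = b"transfer 100 to account 42"


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the whole message, keyed with the secret.
    The message is NOT hidden: it is sent alongside the tag in plaintext."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag with its own copy of the key and compares
    in constant time. Any change to the message or key makes this fail."""
    return hmac.compare_digest(make_tag(key, message), tag)


def salted_hash(salt: bytes, message: bytes) -> bytes:
    """Salted hash as used for password storage; the salt is not secret."""
    return hashlib.sha256(salt + message).digest()


def verify_salted(salt: bytes, message: bytes, digest: bytes) -> bool:
    """The only check a receiver can do with a public salt: recompute it."""
    return hmac.compare_digest(salted_hash(salt, message), digest)


def demo() -> dict:
    tag = make_tag(KEY, MESSAGE)
    wire_message, wire_tag = MESSAGE, tag  # what actually crosses the network

    return {
        # A third party reads the full plaintext: HMAC gives no confidentiality.
        "plaintext_readable": wire_message == MESSAGE,
        # Integrity: the tag verifies only for the exact message and key.
        "unmodified_ok": verify_tag(KEY, wire_message, wire_tag),
        "tampered_ok": verify_tag(KEY, b"transfer 900 to account 42", wire_tag),
        "wrong_key_ok": verify_tag(b"some-other-key", wire_message, wire_tag),
        # Salting vs keying: because the salt is public, a digest that passes
        # verify_salted() can be produced for any message by anyone, so it
        # proves nothing about the origin. HMAC needs the secret key.
        "salted_passes_for_any_message": verify_salted(
            SALT, b"any other text", salted_hash(SALT, b"any other text")),
    }
```

Encryption is a separate step: if the message must also be unreadable, encrypt it first and then compute the HMAC over the ciphertext (encrypt-then-MAC), as the answer states.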