Questions tagged [hmac]

In cryptography, HMAC (Hash-based Message Authentication Code) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits and on the size and quality of the cryptographic key.

An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be truncated if desired.

The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk, who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely if ever used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMAC-SHA-1 and HMAC-MD5 are used within the IPsec and TLS protocols.

Source: Wikipedia

An example of calculating a HMAC-SHA256 in Java:

byte[] expectedResult = { /* Expected HMAC result from a prior run */
        96, 21, 116, 11, 4, -51, -115, -20, 104, 18, 117, -75, 3, -100, 126,
        -89, -22, 120, -120, 30, 102, 104, -125, -120, -62, 111, -75,
        24, 14, 62, 48, -65 };

byte[] secret = "your eyes only".getBytes();
String algorithm = "HmacSha256";

SecretKeySpec signingKey = new SecretKeySpec(secret, algorithm);

// Init HMAC usign secret
Mac hmac = Mac.getInstance(algorithm);
hmac.init(signingKey);

// Run message through HMAC and calculate result
byte[] message = "Don't tamper with me".getBytes();
byte[] macOutput = hmac.doFinal(message);

// Compare HMAC output to expected result
// A message that has been altered will not be equal
assertTrue(Arrays.equals(macOutput, expectedResult));

1439 questions

votes

1 answer

How Do Hardware Token Devices work?

Recently, my bank sent me this tiny device that generates a unique code that must be used when performing online transactions, all the device does is generate this unique code when I press a particular white button and it doesn't look like it…

asked Aug 11 '14 at 17:26

Feyisayo Sonubi

1,052
5
15
27

votes

3 answers

C# equivalent to hash_hmac in PHP

using .NET and C# i need to provide an integrity string using HMAC SHA512 to a PHP server . Using in C# : Encoding encoding = Encoding.UTF8; byte[] keyByte = encoding.GetBytes(key); HMACSHA512 hmacsha512 = new HMACSHA512(keyByte); byte[]…

c# hmac sha512

asked Oct 09 '12 at 16:17

Philippe

votes

2 answers

Python encoded message with HMAC-SHA256

I try to encoded message with HMAC-SHA256 in Python according to [instructions][1] import hmac import hashlib nonce = 1234 customer_id = 123232 api_key = 2342342348273482374343434 API_SECRET = 892374928347928347283473 message = nonce + customer_id…

python encode hmac

asked Jun 30 '16 at 21:34

Oana Andone

votes

3 answers

Using HMAC-SHA1 for API authentication - how to store the client password securely?

In a RESTful API that uses S3-style authentication, the API client signs the request with his secret key using HMAC-SHA1, so the secret key is never transmitted over the wire. The server then authenticates the client by using that client's secret…

security encryption password-protection hmac

asked Mar 30 '11 at 14:33

Elad

3,145
2
20
17

votes

4 answers

Using HMAC SHA256 in Ruby

I'm trying to apply HMAC-SHA256 for generate a key for an Rest API. I'm doing something like this: def generateTransactionHash(stringToHash) key = '123' data = 'stringToHash' digest = OpenSSL::Digest.new('sha256') hmac =…

ruby-on-rails ruby sha256 hmac

asked Jan 18 '16 at 12:41

Eduardo Pedroso

votes

5 answers

How to use SHA256-HMAC in python code?

I am taking message and key from this URL import hmac import hashlib import base64 my =…

python oauth sha256 hmac

asked Sep 29 '16 at 10:04

Venkatesh Panabaka

2,064
4
19
27

votes

2 answers

Is there any function for creating Hmac256 string in android?

Is there any function for creating Hmac256 string in android ? I am using php as my back end for my android application, in php we can create hmac256 string using the php function hash_hmac () [ ref ] is there any function like this in Android…

android hmac hmacsha1

asked Mar 15 '16 at 07:15

Bikesh M

8,163
6
40
52

votes

6 answers

How much can you truncate a SHA1 hash and be reasonably sure of having an unique ID?

I am making an application that stores documents and gives each one a UID based on a SHA1 digest of a few things including the timestamp. The digest has a lot of characters, and I want to allow users to identify the documents by using the first x…

algorithm probability sha1 hmac

asked Jan 24 '11 at 16:23

dan

43,914
47
153
254

votes

4 answers

How can I decrypt a HMAC?

I can make an HMAC using the following: var encrypt = crypto.createHmac("SHA256", secret).update(string).digest('base64'); I am trying to decrypt an encoded HMAC with the secret: var decrypt = crypto.createDecipher("SHA256",…

node.js cryptography hmac sha256

asked Jan 08 '13 at 15:54

ThomasReggi

55,053
85
237
424

votes

2 answers

Generate a 10-digit TOTP password with a certain key

This problem is related to TOTP as specified in RFC6238 here: https://www.rfc-editor.org/rfc/rfc6238#section-1.2. I am to implement the RFC6238 to generate a 10-digit TOTP password, which will be used in a POST request later on. The sample input and…

java encryption hmac password-encryption one-time-password

asked Mar 02 '17 at 03:47

Nicholas Sadjoli

votes

2 answers

Is HMAC necessary if all API calls are made through https?

If all api calls are sent through https, does HMAC add any extra security? For example, in oauth 2, the client sends its secret key to the provider without any hashing whatsoever. Is this considered secure because it's over https? While not…

https oauth-2.0 hmac

asked Jun 26 '12 at 08:55

Philippe Huibonhoa

votes

4 answers

PBKDF2-HMAC-SHA2 test vectors

There are test vectors for PBKDF2-HMAC-SHA1 in RFC6070. There are test vectors for HMAC-SHA2 in RFC4231. But so far I haven't found test vectors for PBKDF2-HMAC-SHA2 anywhere. I'm most interested in SHA256, so I'll post some vectors I calculated…

cryptography hmac sha2 pbkdf2

asked Feb 26 '11 at 23:48

Christian Aichinger

6,989
4
40
60

votes

1 answer

How do I sign a POST request using HMAC-SHA512 and the Python requests library?

I'm trying to use Python to access the trading API at poloniex.com, a cryptocurrency exchange. To do this I must follow this prescription: All calls to the trading API are sent via HTTP POST to https://poloniex.com/tradingApi and must contain the…

python python-requests hmac

asked Feb 07 '17 at 21:38

Werhli

votes

1 answer

How does one generate an HMAC string in Elixir?

I'm attempting to write an Amazon Product Advertising API client in Elixir. The developer guide describes the process for signing an API request in which the an HMAC-SHA26 hash must be created using the request and the "Secret Access Key." This is…

hmac sha256 erlang-otp elixir amazon-product-api

asked Nov 22 '14 at 20:50

Zach Garwood

votes

1 answer

How to create a Json Web Token (JWT) using OpenSSL shell commands?

I'm trying to create a JSON Web Token (JWT) using command line utilities on MacOS and hitting a snag with the signing portion. I was greatly inspired by this gist: https://gist.github.com/indrayam/dd47bf6eef849a57c07016c0036f5207 For my JWT I…

linux bash openssl jwt hmac

asked Nov 22 '19 at 23:10

Jordan Reed

Prev 1

…

95 96 Next