Hashed Message Authentication Code Functions

A Hashed Message Authentication Code (HMAC) is a message authentication function for Internet communications described in RFC 2104 of the Network Working Group of the Internet Engineering Task Force (IETF). HMAC uses standard message digest functions, such as MD5 and SHA-1. In general, HMAC MD5 provides better performance for secure communications, while HMAC SHA-1 provides stronger cryptographic security.

HMAC is widely used by Internet security technologies, such as the TLS and IPSec protocols, to verify the integrity of transmitted data during secure communications. HMAC generates a message digest for each block of transmitted data and uses a random secret symmetric key to encrypt the message digests. The secret key is securely shared between the parties involved in the secure communications. (Secure secret key exchange is done with key exchange algorithms, which are described later in this chapter.) When data is received, the secret key is necessary to decrypt the message digest and perform the data integrity check.

The cryptographic strength of the HMAC depends on the underlying strength of the message digest used and how securely the secret key is exchanged. An intruder who does not know the secret key cannot tamper with the data en route without detection or counterfeit the message digest. HMAC provides data integrity and protection against tampering in a manner similar to digital signatures, but it does not require communicating parties to have public and private keys. HMACs also provide better performance for bulk online communications than public key digital signing technologies.
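The integrity check described above, as an added example that is not part of the original page: it builds the HMAC by hand from the RFC 2104 definition, where the secret key is mixed into two nested passes of the digest function, and shows the receiver recomputing the value with the shared key and comparing it in constant time. The function names, the key and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def rfc2104_hmac(key: bytes, msg: bytes, digest=hashlib.sha1) -> bytes:
    """HMAC from the RFC 2104 definition:
    H((K xor opad) || H((K xor ipad) || msg))."""
    block = digest().block_size           # 64 bytes for both MD5 and SHA-1
    if len(key) > block:                  # over-long keys are hashed first
        key = digest(key).digest()
    key = key.ljust(block, b"\x00")       # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)   # inner pad constant from the RFC
    opad = bytes(b ^ 0x5C for b in key)   # outer pad constant from the RFC
    inner = digest(ipad + msg).digest()
    return digest(opad + inner).digest()


def protect(key: bytes, data: bytes, digest=hashlib.sha1):
    """Sender side: return the data with its HMAC attached."""
    return data, hmac.new(key, data, digest).digest()


def verify(key: bytes, data: bytes, tag: bytes, digest=hashlib.sha1) -> bool:
    """Receiver side: recompute the HMAC with the shared key and compare.
    compare_digest avoids leaking, through timing, how many bytes matched."""
    expected = hmac.new(key, data, digest).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not from the original page).
SHARED_KEY = secrets.token_bytes(20)
RECORD = b"transfer 100 to account 42"

if __name__ == "__main__":
    data, tag = protect(SHARED_KEY, RECORD)
    print("intact record accepted:  ", verify(SHARED_KEY, data, tag))
    tampered = data.replace(b"100", b"900")
    print("tampered record accepted:", verify(SHARED_KEY, tampered, tag))
    intruder_key = secrets.token_bytes(20)
    forged_tag = hmac.new(intruder_key, tampered, hashlib.sha1).digest()
    print("forged digest accepted:  ", verify(SHARED_KEY, tampered, forged_tag))
    print("HMAC MD5 length:  ", len(rfc2104_hmac(SHARED_KEY, RECORD, hashlib.md5)))
    print("HMAC SHA-1 length:", len(rfc2104_hmac(SHARED_KEY, RECORD, hashlib.sha1)))
```

A receiver that holds the same key accepts only the unmodified record; a modified record, or a digest computed under a different key, fails the comparison.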