Hash-based Message Authentication Code (HMAC) | Training Camp
Global Accelerated Learning • Est. 1999
Training Camp • Cybersecurity Glossary

What is a Hash-based Message Authentication Code (HMAC)?

A way to prove message integrity and authenticity using a shared secret key and hashing.

Understanding Hash-based Message Authentication Code (HMAC)

Hash-based Message Authentication Codes (HMACs) provide data integrity and authenticity checks by combining a cryptographic hash function with a secret key. Unlike simple checksums or plain hashes, HMAC ensures that only entities possessing the key can generate valid codes, thwarting tampering or replay attempts. HMAC is commonly paired with hash algorithms like SHA-256 and is used in protocols (e.g., JSON Web Signatures) and API authentication (e.g., AWS Signature Version 4). Implementation details include choosing a sufficiently strong hash function, securely managing keys, and keeping key lifetimes short for extra protection. Risks arise if keys are shared insecurely, or if the algorithm negotiation can be forced to “none.” Attackers who gain the key can forge valid HMACs. HMAC also combats length-extension attacks that plague naive hash usage. Verifying an HMAC requires recomputing it on the received message (under the same secret) and comparing the result with the received code. Modern best practices suggest constant-time comparisons and avoiding error messages that reveal partial matches. Because HMAC doesn’t encrypt content, it’s often used alongside secure channels (TLS) or encryption for confidentiality, while HMAC ensures no unauthorized modifications occurred in transit.
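The verification steps described above, as an added example that is not part of the original glossary entry: it uses Python's standard hmac module with HMAC-SHA256, pins the accepted algorithm on the verifier side, compares in constant time, and returns one generic error for every failure. The names ALLOWED_ALGS, sign, verify and is_valid, the "HS256" label, and the sample key and message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the verifier fixes its own allow-list of algorithms.
# Nothing supplied with the message can widen it, so "none" is never valid.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


class VerificationError(Exception):
    """Raised with the same generic text for every failure cause."""


def sign(key: bytes, message: bytes, alg: str = "HS256") -> bytes:
    """Compute the HMAC tag for message under key."""
    return hmac.new(key, message, ALLOWED_ALGS[alg]).digest()


def verify(key: bytes, message: bytes, tag: bytes, alg: str = "HS256") -> None:
    """Recompute the tag and compare it with the received one."""
    digestmod = ALLOWED_ALGS.get(alg)
    if digestmod is None:
        # Unknown or downgraded algorithm: same error as a bad tag.
        raise VerificationError("invalid signature")
    expected = hmac.new(key, message, digestmod).digest()
    # compare_digest does not stop at the first differing byte, so response
    # timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        raise VerificationError("invalid signature")


def is_valid(key: bytes, message: bytes, tag: bytes, alg: str = "HS256") -> bool:
    """Boolean wrapper around verify() for callers that only need yes/no."""
    try:
        verify(key, message, tag, alg)
        return True
    except VerificationError:
        return False


# Constructed sample data: a random 256-bit key and a made-up message.
KEY = secrets.token_bytes(32)
MESSAGE = b'{"amount": 100, "to": "alice"}'
TAG = sign(KEY, MESSAGE)

if __name__ == "__main__":
    print("original message :", is_valid(KEY, MESSAGE, TAG))
    print("tampered message :", is_valid(KEY, MESSAGE.replace(b"100", b"900"), TAG))
    print("alg forced 'none':", is_valid(KEY, MESSAGE, TAG, alg="none"))
```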
