Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A keyed hash (RFC 2104/FIPS 198-1) proving a message's integrity and origin with a shared secret. Used in TLS, JWT and AWS SigV4.
Hash Based Message Authentication Code (HMAC) Definition: A keyed hash (RFC 2104/FIPS 198-1) proving a message's integrity and origin with a shared secret. Used in TLS, JWT and AWS SigV4.
HMAC (Hash-based Message Authentication Code) is a mechanism that verifies both the integrity and authenticity of a message by combining a cryptographic hash function with a shared secret key. Standardized in RFC 2104 and FIPS 198-1, it produces a fixed-length tag that only parties holding the key can generate or validate, proving the message was neither altered nor forged.
Mechanically, HMAC processes the secret key and message through two nested hash passes using inner and outer padding constants (ipad and outer pad), expressed as H((K XOR opad) || H((K XOR ipad) || message)). This double-hashing structure is what defeats length-extension attacks that break naive "hash of key plus message" schemes. Any approved iterative hash works underneath, most commonly SHA-256, yielding constructions named HMAC-SHA256. The verifier recomputes the tag over the received message under the same key and compares.
For security, HMAC underpins integrity and message authentication across countless protocols, but it is not encryption and provides no confidentiality on its own. Its strength rests entirely on key secrecy: an attacker who obtains the key can forge valid tags at will, so keys must be generated with sufficient entropy, distributed over secure channels, and rotated. Comparisons must be constant-time; leaking timing or partial-match details enables tag-forgery oracles. Downgrade or algorithm-negotiation flaws that allow a "none" choice must be blocked.
In practice, HMAC authenticates API requests in AWS Signature Version 4, signs tokens as the HS256 algorithm in JSON Web Tokens, and provides message authentication inside TLS cipher suites and IPsec. A concrete example: a client signing an AWS API call derives a signing key from its secret access key and computes HMAC-SHA256 over the canonical request; AWS recomputes the same HMAC server-side, and a mismatch rejects the request, ensuring nobody tampered with parameters in transit. Because HMAC guards integrity but not secrecy, it is typically paired with TLS or authenticated encryption so that confidentiality and tamper-detection are both covered.
Hash Based Message Authentication Code (HMAC) is one of the topics you'll master in the Security+ Boot Camp.
Security+ Boot Camp →