Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Hash Based Message Authentication Code (HMAC)

Training Camp • Cybersecurity Glossary

What is Hash Based Message Authentication Code (HMAC)?

A keyed hash (RFC 2104/FIPS 198-1) proving a message's integrity and origin with a shared secret. Used in TLS, JWT and AWS SigV4.

Glossary > Cryptography & PKI > Hash Based Message Authentication Code (HMAC)

Hash Based Message Authentication Code (HMAC) — A keyed hash (RFC 2104/FIPS 198-1) proving a message's integrity and origin

Understanding Hash Based Message Authentication Code (HMAC)

HMAC (Hash-based Message Authentication Code) is a mechanism that verifies both the integrity and authenticity of a message by combining a cryptographic hash function with a shared secret key. Standardized in RFC 2104 and FIPS 198-1, it produces a fixed-length tag that only parties holding the key can generate or validate, proving the message was neither altered nor forged.

Mechanically, HMAC processes the secret key and message through two nested hash passes using inner and outer padding constants (ipad and outer pad), expressed as H((K XOR opad) || H((K XOR ipad) || message)). This double-hashing structure is what defeats length-extension attacks that break naive "hash of key plus message" schemes. Any approved iterative hash works underneath, most commonly SHA-256, yielding constructions named HMAC-SHA256. The verifier recomputes the tag over the received message under the same key and compares.

For security, HMAC underpins integrity and message authentication across countless protocols, but it is not encryption and provides no confidentiality on its own. Its strength rests entirely on key secrecy: an attacker who obtains the key can forge valid tags at will, so keys must be generated with sufficient entropy, distributed over secure channels, and rotated. Comparisons must be constant-time; leaking timing or partial-match details enables tag-forgery oracles. Downgrade or algorithm-negotiation flaws that allow a "none" choice must be blocked.

In practice, HMAC authenticates API requests in AWS Signature Version 4, signs tokens as the HS256 algorithm in JSON Web Tokens, and provides message authentication inside TLS cipher suites and IPsec. A concrete example: a client signing an AWS API call derives a signing key from its secret access key and computes HMAC-SHA256 over the canonical request; AWS recomputes the same HMAC server-side, and a mismatch rejects the request, ensuring nobody tampered with parameters in transit. Because HMAC guards integrity but not secrecy, it is typically paired with TLS or authenticated encryption so that confidentiality and tamper-detection are both covered.

Learn More About Hash Based Message Authentication Code (HMAC):

Ready to Get Certified?

Hash Based Message Authentication Code (HMAC) is one of the topics you'll master in the Security+ Boot Camp.

Security+ Boot Camp →