Preamble: I am quite new to HMACs, so please forgive me if the question is a little bit dumb.
As far as I understood, an HMAC is used to make sure that a message has not been tampered with. So basically, it serves as a hash code. But, as the hash algorithm is known, an attacker could easily calculate a new hash code for the tampered version of the message.
This is what HMACs try to solve: They provide a hash which is not only based upon the message that shall be hashed, but also on a cryptographic key. This way it is not possible to calculate a valid for the message without knowledge of the key.
Is this right so far?
My question now is: What do we need HMACs for if we can achieve the same goal using public key signing? IIRC signing works exactly the same way: Calculate a hash and sign it to make sure that nobody tampered with either the message or the hash.
So what's the point of an HMAC?
Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.
It is a result of work done on developing a MAC derived from cryptographic hash functions. HMAC has great resistance towards cryptanalysis attacks as it uses the hashing concept twice. HMAC combines the twin benefits of hashing and MAC and thus is more secure than any other authentication code.
When two parties exchange messages through those secure file transfer protocols, those messages will be accompanied by HMACs instead of plain hashes. An HMAC employs both a hash function and a shared secret key. A shared secret key provides exchanging parties a way to establish the authenticity of the message.
The design of the HMAC specification was motivated by the existence of attacks on more trivial mechanisms for combining a key with a hash function. For example, one might assume the same security that HMAC provides could be achieved with MAC = H(key ∥ message).
An HMAC is smaller in size and takes much less CPU to compute and verify than any known public key operation for comparable security levels.
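The two hash passes and the shared key mentioned in the answers above can be seen in a short sketch. This is an added example, not code from the original question or answers: it builds HMAC-SHA256 as defined in RFC 2104, checks it against Python's standard `hmac` module, and contrasts it with a plain hash, which anyone can recompute for a modified message. The key and messages are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block size in bytes

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()  # first hash pass
    return hashlib.sha256(opad + inner).digest()     # second hash pass

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

def plain_hash_check(message: bytes, digest: bytes) -> bool:
    """Integrity check with an unkeyed hash (no authenticity)."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

# Constructed sample values, not taken from the page.
KEY = b"constructed-shared-secret"
MESSAGE = b"amount=100&to=alice"
TAMPERED = b"amount=900&to=mallory"

def demo() -> dict:
    tag = hmac_sha256(KEY, MESSAGE)
    return {
        # The manual construction agrees with the standard library.
        "matches_stdlib": tag == hmac.new(KEY, MESSAGE, hashlib.sha256).digest(),
        "genuine_accepted": verify(KEY, MESSAGE, tag),
        # The old tag does not cover the modified message.
        "tampered_rejected": not verify(KEY, TAMPERED, tag),
        # A tag computed without the real key does not verify either.
        "wrong_key_rejected": not verify(
            KEY, TAMPERED, hmac_sha256(b"wrong-key", TAMPERED)),
        # An unkeyed hash can be recomputed by anyone, so the check passes.
        "plain_hash_accepts_tampered": plain_hash_check(
            TAMPERED, hashlib.sha256(TAMPERED).digest()),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In application code, use `hmac.new(...)` and `hmac.compare_digest(...)` directly; the manual construction is only there to show the two passes.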