Hash-based message authentication code

A keyed-hash message authentication code (HMAC) is a type of message authentication code (MAC) whose construction is based on a cryptographic hash function. HMACs are specified in RFC 2104 and in NIST FIPS 198, and extended in RFC 4868 for use in IPsec. They can also be used, for example, in the TLS and SSH protocols.


HMAC is computed from the message and a secret key using the hash function according to RFC 2104 as follows. is padded up to the block length of the hash function (512 bits for most common hash functions). If the length is greater than the block length of the hash function is replaced by.

And the values are constants, represents the bitwise XOR operation, and the connection by simply assembling (concatenation).

In RFC 2104, both constants are defined as follows:
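The computation outlined above, written out step by step in Python as an added example (not code from the original page or from RFC 2104). The pad bytes 0x36 and 0x5C are the constants RFC 2104 defines; the names `hmac_rfc2104` and `verify_tag` and the choice of SHA-256 as the default are assumptions made for illustration.

```python
import hashlib
import hmac

IPAD = 0x36  # inner pad byte, repeated to the block length (RFC 2104)
OPAD = 0x5C  # outer pad byte, repeated to the block length (RFC 2104)


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute an HMAC by following the RFC 2104 steps explicitly."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes (512 bits) for SHA-256

    # A key longer than the block length is first replaced by its hash.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()

    # The key is then filled with zero bytes up to the block length.
    key = key.ljust(block_size, b"\x00")

    # XOR the padded key with each constant to derive the two keyed prefixes.
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)

    # Inner hash over (inner_key || message), outer hash over (outer_key || inner).
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received tag with a constant-time comparison."""
    expected = hmac_rfc2104(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample inputs: a short key and a key longer than one block.
    for sample_key in (b"short-key", b"k" * 100):
        tag = hmac_rfc2104(sample_key, b"sample message")
        # Cross-check against the standard library implementation.
        assert tag == hmac.new(sample_key, b"sample message", hashlib.sha256).digest()
        print(len(sample_key), tag.hex())
```

In production code, use the standard library's `hmac` module directly; the explicit version only makes the key handling and the two nested hash calls visible.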

Design principles

The design, which seems awkward at first glance, stems from the fact that almost all cryptographic hash functions are based on the Merkle-Damgård construction, i.e. on the iteration of a compression function. For example, there is a simple attack on a construction of MACs as. Due to the structure of the hash function can be easily calculated and the hash value for any message M of an unknown, the hash value, if the finalize function is missing or is readily reversible. But that can also be expanded.

If the underlying hash function is assumed to be collision resistant, simple MAC constructions are possible, for example, as the calculation. The construction is insecure, however, as soon as a collision is found, because if, then K is independent of the key because of the structure also.

The idea of the HMAC construction is to rely not on the collision resistance of the hash function but on weaker security assumptions. For this reason, an HMAC based on MD5 is still secure, although collisions have already been found for MD5.


If the underlying compression function is a pseudorandom function, then the HMAC construction is also a pseudorandom function. Since every pseudorandom function is a good MAC, the HMAC construction is also a good MAC.