What is HMAC and how does it work?


To that end, the HMAC algorithm makes use of a cryptographic key and hashing. Hashing turns data into a hash of a constant size. Hashing is also deterministic, meaning that the algorithm produces the same hash for the same input. But the real killer feature of hashing is that there is no way one can obtain the original data from the hash.

HMAC can prove authenticity too

While ascertaining data integrity is important, verifying authenticity is also important. Here is where HMAC becomes handy since it can both verify the authenticity and integrity of data. Let’s see how it accomplishes this.

How the HMAC algorithm works

First, we choose a hashing algorithm. Depending on the algorithm, the data would be hashed in blocks of a certain size B and a hash of size L is produced. It is relevant to note here that HMAC uses hashing algorithms that are block ciphers. Block ciphers encrypt data in blocks. For example, if we have a stream of 160 bits, then a block cipher might encrypt (or hash) the data in a block of 8 bits. In contrast, a stream cipher encrypts the data bit by bit.

Inner and Outer keys

Now, we need to derive two keys-the inner key and the outer key-from the cryptographic key. The inner key is generated by appending zeroes to the end of the key to make it of size B, and then XORing the key with the ipad-which is 352 bits of zeroes to the key to make the key 512 bits in size. Then, this key is XORed with the byte 0x36 repeated B times. For example, if the block size is 64 bytes (512 bits) and the key size is 20 bytes (160bits), then we append 0x36 repeated 64 times. The resultant key is the inner key.

  1. Since the key is the same and since we expect the key to be a secret between the sender and the recipient, it was the sender who actually sent the data.


Thus, we can summarize the HMAC algorithm as follows:

An example

I want to send the data “ Hello World! “ to Bob. I choose the SHA1 hashing algorithm to hash the data. The SHA-1 algorithm hashes data in blocks of 64 bytes. So, the block size B is 64 bytes. The hash produced by this algorithm is 20 bytes. So, L is 20 bytes.

Generating a secret key

Let me produce a 1024-bit (128-byte) key using All Keys Generator .

Hashing the secret key

Now, since my key is bigger than the block size of 64 bytes, I need to hash it. I am going to use this implementation of jsSHA for hashing. Hashing the above key gives me the hash below:

Zero-padding the secret key

This hash is also in the hexadecimal format. There are 40 characters producing 40×4, 160 bits (20 bytes). Now, we need to append zeroes to make the size of this key 64 bytes (512bits). We will have to append 512-160=352 bits of zeroes, which is 352/4=88 zeroes in hexadecimal, to the key to make it 64 bytes in size.

Creating the ipad


Deriving the inner key

Next, let’s produce the inner key by XORing the ipad with the key bitwise. We can do this using . The resultant inner key is this:

Creating the first hash

Now, let’s append our hexadecimal-encoded data to this key and create a hash using SHA-1.

Creating the opad


Deriving the outer key

Now, let’s XOR it with our zero-padded original key to produce the outer key.

Producing the HMAC code

Finally, let’s append the hash we obtained by hashing the inner key and the data to the outer key, and hash it.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store