What exactly is HMAC algorithm?

Before knowing the working or applications or formula of HMAC Algorithm, it’s very much essential that we must know what exactly HMAC is. When it comes to definition HMAC refers to a Keyed-Hashing for Message Authentication. It’s a MAC obtained by running a  hash function over the data and a shared secret key.

  1. History
  2. Applications of HMAC
  3. Working of HMAC
  4. Formula for working of HMAC
  5. Advantages
  6. Disadvantages

1) History

The definition and analysis of the HMAC construction date back to 1996, where it saw its first publication in the paper. The 1996 paper which spoke about HMAC also defined NMAC. FIPS generalized and standardized the use of HMACs.

2) Applications of HMAC

The HMAC can be applied in a number of scenarios, some of them are,

  • They are used in IoT as they are cheaper.
  • They are used for verification while activating or creating the account
  • They are also used while resetting the password for sending the one time hyperlink that is often used like OTP.
  • It can convert messages of any size into messages of fixed length

3) Working of HMAC

Working here basically involves providing the requestor and involved server with the private key which is only in the knowledge of them. For each and every request a different hash is made by the requestor. And then when there is a request by the client, the requisite data is hashed with the private key which was shared, which is sent as part of the request. HAMC is considered to be secure as the key and the message are then hashed in unique steps. Own HMAC is made by the server, whenever it receives a request. The client is taken to be legitimate only when both the HMAC’s are equal.

4) Formula for working of HMAC:

The formula for working with HMAC goes as follows

HMAC=hasfunc (secretkey message)

Firstly, the authentication function is of three types, namely

∙Message encryption

∙Message Authentication code

∙Hash Functions.

In HMAC the function of hash is applied with a key to the plain text. But before application of the function, there is a need to calculate S bits and then affix it to plain text and after that apply hash function. For a generation of those S bits, there is the use of a key that is shared between the sender and receiver.

In Brief, they can be said as,

  1. Select K.
      If K < b, pad 0’s on left until k is equal to b.And K is between 0 and b ( 0 < K < b )
  2. EXOR K with ipad equivalent to b bits producing S1 bits.
  3. Append S1 with plain text M
  4. Apply SHA-512 on ( S1 || M )
  5. Pad n-bits until length is equal to b-bits
  6. EXOR K with opad equivalent to b bits producing S2 bits.
  7. Append S2 with output of step 5.
  8. Apply SHA-512 on step 7 to output n-bit hash code.

The Procedure in detail can be explained as,

K is generated using K by padding O’s on the left side until the dimensions of K becomes b bits. B bits are the size of the blocks of the plain text. Ipad and opad are the two padding bits that are defined well in advance. And most importantly all these are finished before the hash function is applied.

 Ipad – 00110110                       opad – 01011100

Now there is a need for the calculation of S bits

S1 bits are obtained when K along with ipad is EXORed . The S1 resulting here is equal to b bits. This is obvious since both K and ipad are made up of b bits. Let the plain text message be taken as P with which we have to append S1.

From S1 to Pm each block is in b bits.

And M here is the number of blocks of plain text. 

and p0 is a block of plain text with b, being the block size of plain text

 The HASH algorithm is to be applied hereafter attaching S1 to Plain text.

The resultant thus is a hash code of n-bit.

5) Advantages

HMACs are considered to be secured one by many; besides this, they have many advantages like,

  • HMACs are considered to be good high-performance systems. It is because of the hash functions used, which are quick both in terms of calculation as well as verification.
  • Since it uses hashing twice, it is great for cryptanalysis attacks.

6) Disadvantages

Though there are many advantages, HMACs are not shielded from any disadvantages. Some of them are,

  • As HMAC makes use of the shared key, If there is a compromise in the key of sender or receiver, it makes the job of creating unauthorised messages easier for attackers.
  • There is also a need for periodic refreshments of keys, which adds to its disadvantage.


The usage of HMAC is considered to be secured. But the fact to be considered is in this modern era, even the most secure things sometimes are not enough to keep us safe. And HMAC is no exception to this. Though there are some loopholes in this system, they are going to be overcome in near future. It desirable for one to have a sound knowledge of this.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.



Are you ready to build your own career?