What Is HMAC?
HMAC stands for Hash-based Message Authentication Code. It is a specific construction for creating a message authentication code using a cryptographic hash function combined with a secret key. Defined in RFC 2104, HMAC provides two guarantees that plain hashing cannot: data integrity (the message has not been altered) and authentication (the message was created by someone who knows the secret key). While anyone can compute the SHA-256 hash of a message, only someone with the secret key can generate the correct HMAC. This makes HMAC the standard mechanism for verifying that messages originate from trusted sources.
HMAC vs Plain Hashing
A plain hash like SHA-256("hello") can be computed by anyone and only proves that data has not been modified. It provides no proof of who created the hash. HMAC adds a secret key to the equation: HMAC-SHA256("secret_key", "hello") can only be computed or verified by parties who possess the secret key. This difference is critical in security. When Stripe sends a webhook to your server, it includes an HMAC signature. Your server recomputes the HMAC using your shared secret and the payload. If an attacker intercepts and modifies the payload, they cannot forge a valid HMAC without knowing the secret key.
How HMAC Prevents Length Extension Attacks
A naive approach to keyed hashing would be to concatenate the key with the message and hash them together: SHA-256(key + message). This is vulnerable to length extension attacks. Due to the Merkle-Damgård construction used by SHA-256 and other hash functions, an attacker who knows the hash of key+message can compute the hash of key+message+attacker_data (with the hash's own padding in between) without knowing the key. HMAC defeats this attack through a double-hashing construction. The formula is: HMAC(K, m) = H((K XOR opad) || H((K XOR ipad) || m)), where ipad and opad are fixed padding constants. The inner hash processes the key and message, and the outer hash processes the key and the inner hash result. This two-layer structure rules out length extension: the inner hash value an attacker would need in order to extend the message is never revealed, only the outer hash computed over it.
Real-World HMAC Use Cases
Webhook verification is the most visible use of HMAC for developers. Services like GitHub, Stripe, Shopify, Twilio, and Slack sign every webhook payload with HMAC-SHA256 using a shared secret. API authentication protocols use HMAC to sign requests, with AWS Signature Version 4 being a prominent example where each API request is signed with HMAC-SHA256 using secret access keys. JSON Web Tokens (JWTs) commonly use HMAC-SHA256 (the HS256 algorithm) to sign token payloads, ensuring tokens cannot be forged. Message integrity in secure communication protocols relies on HMAC to detect any tampering with transmitted data. Session tokens in web applications are often protected with HMAC to prevent cookie tampering.
HMAC Construction Details
The HMAC algorithm processes the secret key through two rounds of hashing with different padding. First, if the key is longer than the hash function's block size (64 bytes for SHA-256, 128 bytes for SHA-512), it is hashed to fit. The key is then padded with zeros to match the block size. Two derived keys are created: the inner key (K XOR ipad, where ipad is 0x36 repeated) and the outer key (K XOR opad, where opad is 0x5C repeated). The inner hash computes H(inner_key || message), and the outer hash computes H(outer_key || inner_hash). This construction has been mathematically proven secure: if the underlying hash function is a pseudorandom function, then HMAC is also a pseudorandom function.
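The steps above written out for SHA-256, as an added example (not code from the original page). The names `hmac_sha256_manual` and `verify_signature` are illustrative, the key and payload are constructed sample values, and the result is checked against Python's standard `hmac` module, which is what real code should call.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes
IPAD, OPAD = 0x36, 0x5C


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 built step by step (illustrative; use hmac.new in real code)."""
    # A key longer than the block size is hashed down first.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # The key is then zero-padded to exactly one block.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    inner_hash = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner_hash).digest()


def verify_signature(key: bytes, payload: bytes, signature_hex: str) -> bool:
    """Recompute the tag over the raw payload and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), signature_hex.encode())


if __name__ == "__main__":
    key = b"constructed-demo-secret"            # constructed sample key
    payload = b'{"event":"payment.succeeded"}'  # constructed sample payload
    tag = hmac_sha256_manual(key, payload)
    print("matches stdlib:", tag == hmac.new(key, payload, hashlib.sha256).digest())

    # A 100-byte key and its SHA-256 digest are equivalent HMAC keys.
    long_key = b"k" * 100
    print("long key == hashed key:",
          hmac_sha256_manual(long_key, payload)
          == hmac_sha256_manual(hashlib.sha256(long_key).digest(), payload))

    print("valid signature:", verify_signature(key, payload, tag.hex()))
    print("tampered payload:", verify_signature(key, payload + b" ", tag.hex()))
```

The verification function must be given the exact bytes that were received, before any JSON parsing or re-serialization, or the recomputed tag will not match.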
Frequently Asked Questions
What is HMAC and how is it different from a regular hash?
HMAC combines a hash function with a secret key to produce an authentication code. Unlike a plain hash that anyone can compute, HMAC requires the secret key, providing both integrity verification and sender authentication.
Why use HMAC instead of hashing key + message?
Simply hashing the concatenation of key and message is vulnerable to length extension attacks. HMAC's double-hashing construction with inner and outer padding prevents this class of attacks entirely.
What is webhook signature verification?
Services sign webhook payloads with HMAC using a shared secret. Your server recomputes the HMAC and compares it to the signature header to confirm the webhook is authentic and unmodified.
Which HMAC algorithm should I use?
HMAC-SHA256 is the standard recommendation. It is supported universally, used by major API providers (Stripe, GitHub, AWS), and provides 256 bits of security.
Does the length of the secret key matter?
Yes. Keys should be at least as long as the hash output (32 bytes for SHA-256). Shorter keys reduce security. Keys longer than the block size are hashed first, so excessively long keys offer no benefit.