Monday, December 14, 2015

HMAC Authentication

In this short article I'm going to explain HMAC authentication and how it works.

What is HMAC authentication? 


HMAC (hash-based message authentication code) authentication is a simple way to authenticate an HTTP request and verify its integrity using a cryptographic hash function combined with a secret key that is known only to the client and the server.
Any cryptographic hash function can be used to compute the HMAC, and the resulting algorithm is named after it: HMAC-MD5, HMAC-SHA1, HMAC-SHA256 and so on. The collision attacks on MD5 and SHA-1 do not directly break HMAC built on them, but new designs should use SHA-256 or stronger.

Why HMAC?


If you need the server to be sure that a request came from a holder of the shared secret and was not altered in transit, that is, if you need authenticity and data integrity, then HMAC is a good fit. Note that HMAC does not encrypt anything: it gives no confidentiality, so sensitive requests still need TLS.

How HMAC authentication works?


As the diagram shows, both the client and the server hold the same shared secret key. The client uses this key to compute an HMAC over the request (typically the method, path, body and a timestamp) with a cryptographic hash function, and sends the request together with the resulting signature in a header. When the server receives the request it recomputes the HMAC over the same fields with the shared key and compares its result with the signature in the header. If the two match, the request is accepted; otherwise the server rejects it. The comparison should be done in constant time, so that an attacker cannot learn a valid signature byte by byte from differences in response time.


Properties of the cryptographic hash function, and what they give HMAC


  • Easy to compute the hash value for any given message  -   HMAC signatures are cheap to compute and verify, so they add little overhead to each request.
  • Infeasible to recover the message from its hash   -  The signature sent in the header reveals nothing useful about the secret key or the signed request data.
  • Infeasible to modify a message without changing the hash   -   Any change to the signed parts of the request changes the signature, and without the key an attacker cannot compute the new one.
  • Infeasible to find two different messages with the same hash   -   An attacker cannot substitute a different request that happens to carry the same valid signature. 



HMAC on its own does not protect against replay attacks: a captured request carries a valid signature and can be resent as-is. To limit this, include a timestamp in the data that is signed and have the server reject requests whose timestamp falls outside a short window, so that a captured message expires after a certain period.
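The flow described above (client signs, server recomputes and compares) and the timestamp check from this paragraph, as an added example that is not part of the original article. The header names, the canonical request layout and the 300-second window are this example's own assumptions, not a standard; the secret key and request bodies are constructed test data.

```python
import hashlib
import hmac
import time

# Assumed shared secret for the demo (constructed; a real deployment would use a random key per client).
SECRET = b"constructed-demo-secret-do-not-use"
# Assumed replay window: requests with a timestamp more than this far from server time are rejected.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Build the exact byte string both sides sign.

    Joining the fields with newlines keeps them from running into each other,
    so "POST /ab" + "c" cannot be confused with "POST /a" + "bc".
    The body is hashed first so large bodies do not need to be re-read.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(int(timestamp)), body_hash]).encode()


def sign_request(secret, method, path, body, timestamp=None):
    """Client side: return the auth headers (assumed names) for the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    tag = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": tag}


def verify_request(secret, method, path, body, headers, now=None):
    """Server side: return (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"

    # Replay check: the timestamp is part of the signed data, so an attacker cannot move it.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window (possible replay)"

    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time; a plain == would leak how many leading
    # characters matched through response timing.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 100}'
    headers = sign_request(SECRET, "POST", "/api/transfer", body, timestamp=1700000000)
    print(headers)
    # Genuine request, received 10 seconds after it was signed.
    print(verify_request(SECRET, "POST", "/api/transfer", body, headers, now=1700000010))
    # Same headers, body changed in transit.
    print(verify_request(SECRET, "POST", "/api/transfer", b'{"amount": 1000}', headers, now=1700000010))
    # Same request replayed 1000 seconds later.
    print(verify_request(SECRET, "POST", "/api/transfer", body, headers, now=1700001000))
```

A timestamp window only bounds how long a captured request stays valid; within the window it can still be replayed. Closing that gap needs a nonce in the signed data and a server-side cache of recently seen nonces for the length of the window.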

I hope it is now clear how HMAC works and how it guarantees the authenticity and data integrity of a request.