A Hashed Message Authentication Code (HMAC) guarantees the
integrity of the message. At the local end, the message and a shared secret key
are sent through a hash algorithm, which produces a hash value, as shown in
Figure
. This is similar
to the hashing process discussed previously. However a HMAC combines shared
secret key with the message. A hash algorithm is a formula used to develop a
fixed-length string of digits that is unique to the contents of the message. A
hash is a one-way algorithm. A message can produce a hash, but a hash cannot
produce the original message. To transmit using HMAC, the message and hash are
both sent over the network, usually attached to each other.
At the remote
end, a two step process occurs. First, the received message and shared secret
key are sent through the hash algorithm in order to recalculate the hash value.
Second, the receiver compares the recalculated hash value with the hash that
was attached to the message. If the original hash and recalculated hash match,
the integrity of the message is guaranteed. If any part of the original message
is changed while in transit, the hash values will be different and the
modification will be detected.
There are two common hashing algorithms
:
- HMAC-MD5 uses a 128-bit shared secret key. The variable length message and
128-bit shared secret key are combined and run through the HMAC-MD5 hash
algorithm. The output is a 128-bit hash. The hash is appended to the original
message and forwarded to the remote end.
- HMAC-SHA-1 uses a 160-bit secret key. The variable length message and the
160 bit shared secret key are combined and run through the HMAC-SHA-1 hash
algorithm. The output is a 160-bit hash. The hash is appended to the original
message and forwarded to the remote end. HMAC-SHA-1 is considered
cryptographically stronger than HMAC-MD5.