In cryptography, HMAC (Hashbased Message Authentication Code), is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMACMD5 or HMACSHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits and on the size and quality of the cryptographic key.
An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA1 operate on 512bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA1, respectively), although it can be truncated if desired.
The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk,^{[1]} who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely if ever used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMACSHA1 and HMACMD5 are used within the IPsec and TLS protocols.
Contents 
Let:
Then HMAC(K,m) is mathematically
defined by
The following pseudocode demonstrates how HMAC may be implemented.
function hmac (key, message) if (length(key) > blocksize) then key = hash(key) // keys longer than blocksize are shortened else if (length(key) < blocksize) then key = key ∥ zeroes(blocksize  length(key)) // keys shorter than blocksize are zeropadded end if opad = [0x5c * blocksize] ⊕ key // Where blocksize is that of the underlying hash function ipad = [0x36 * blocksize] ⊕ key // Where ⊕ is exclusive or (XOR) return hash(opad ∥ hash(ipad ∥ message)) // Where ∥ is concatenation end function
A business that suffers from attackers that place fraudulent Internet orders may insist that all its customers deposit a secret key with them. Along with an order, a customer must supply the order's HMAC digest, computed using the customer's symmetric key. The business, knowing the customer's symmetric key, can then verify that the order originated from the stated customer and has not been tampered with.
The design of the HMAC specification was motivated by the existence of attacks on more trivial mechanisms for combining a key with a hash function. For example, one might assume the same security that HMAC provides could be achieved with MAC = H(key ∥ message). However this method suffers from a serious flaw: with most hash functions, it is easy to append data to the message without knowing the key and obtain another valid MAC. The alternative, appending the key using MAC = H(message ∥key), suffers from the problem that an attacker who can find a collision in the (unkeyed) hash function has a collision in the MAC. Using MAC = H(key ∥ message ∥ key) is better, however various security papers have suggested vulnerabilities with this approach, even when two different keys are used.^{[1]}^{[2]}^{[3]}
No known extensions attacks have been found against the current HMAC specification which is defined as H(key1 ∥ H(key2 ∥ message)) because the outer application of the hash function masks the intermediate result of the internal hash. The values of ipad and opad are not critical to the security of the algorithm, but were defined in such a way to have a large Hamming distance from each other and so the inner and outer keys will have fewer bits in common.
The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.^{[4]} ^{[5]}
In 2006, Jongsung Kim, Alex Biryukov, Bart Preneel, and Seokhie Hong showed how to distinguish HMAC with reduced versions of MD5 and SHA1 or full versions of HAVAL, MD4, and SHA0 from a random function or HMAC with a random function. Differential distinguishers allow an attacker to devise a forgery attack on HMAC. Furthermore, differential and rectangle distinguishers can lead to secondpreimage attacks. HMAC with the full version of MD4 can be forged with this knowledge. These attacks do not contradict the security proof of HMAC, but provide insight into HMAC based on existing cryptographic hash functions. ^{[6]}

