Hmac

Member Posts: 896 ■■■■□□□□□□
Stupid question of the day, possibly the week.

In regards to HMAC, what I gather from the process, it involves :

Computer A sending a message to computer B. Computer A takes the message and tags on the symmetric key, and then hashes the message. The key is removed and the message is sent including the hash value. Computer B gets the message, tags on the key that is shared between the two computers, and runs a hashing algorithm on it to make sure the values match. This provides integrity.

So basically a hacker won't be able to trick computer B since he is missing a key piece of the message, and the hash would be completely different.

Correct?

• Member Posts: 1,588
It's a complex topic, so I wouldn't call it a stupid question by any means.

In general, that is what it does and it provides integrity.

The only thing I'd clarify is that the key is not removed by Computer A. Computer A creates a hash of the message, adds the secret key to add some randomness to the hash, and then performs some additional cryptographic functions on this result. Let's say the message is "You Passed!", the hash of the message is 123, and the secret key is ABC. The resulting HMAC value might be 4F8E351B. The key can't be removed from this HMAC value.

The original message "You Passed!" and the HMAC value are sent to Computer B.

Computer B knows the secret key (ABC) and repeats the process on the received message. Computer B calculates the hash of the message, combines the secret key of ABC, and performs the same HMAC calculations. Computer B then compares the result with the HMAC value received by Computer A.

Imagine Computer B receives the message "You Passed!" and calculates an HMAC value of 4F8E351B. This is the same as the received HMAC value of 4F8E351B so Computer B knows that the received message "You Passed!" is the same as the message that was sent. The message has not lost integrity.

In contrast, imagine Computer B receives a modified message of "Send more money for your test results", and calculates an HMAC value of 34456DE9. This HMAC value is different than the received HMAC value of 4F8E351B calculated on actual message sent from Computer A. Computer B knows that the received message is different than the message that was sent. The message has lost integrity.

Your conclusion is accurate. An attacker would not have access to the secret key. If the attacker modified the message in transit, Computer B would not be tricked into thinking that the message is accurate.

Hope this helps.
• Member Posts: 896 ■■■■□□□□□□
Thank you!
The thing that confused me was the key being removed, but it looks like it isn't. I appreciate the response.