P
P
Practical Cryptography for Developers
SoftUniNakov.com
Search…
P
P
Practical Cryptography for Developers
Welcome
Preface
Cryptography - Overview
Hash Functions
MAC and Key Derivation
HMAC and Key Derivation
HMAC Calculation - Examples
Exercises: Calculate HMAC
KDF: Deriving Key from Password
PBKDF2
Modern Key Derivation Functions
Scrypt
Bcrypt
Linux crypt()
Argon2
Secure Password Storage
Exercises: Password Encryption
Secure Random Generators
Key Exchange and DHKE
Encryption: Symmetric and Asymmetric
Symmetric Key Ciphers
Asymmetric Key Ciphers
Digital Signatures
Quantum-Safe Cryptography
More Cryptographic Concepts
Crypto Libraries for Developers
Conclusion
Powered By GitBook
HMAC and Key Derivation
Simply calculating hash_func(key + msg) to obtain a MAC (message authentication code) is considered insecure (see the details). It is recommended to use the HMAC algorithm instead, e.g. HMAC-SHA256 or HMAC-SHA3-512 or other secure MAC algorithm.

What is HMAC?

​HMAC = Hash-based Message Authentication Code (MAC code, calculated using a cryptographic hash function):
1
HMAC(key, msg, hash_func) -> hash
Copied!
The results MAC code is a message hash mixed with a secret key. It has the cryptographic properties of hashes: irreversible, collision resistant, etc.
The hash_func can be any cryptographic hash function like SHA-256, SHA-512, RIPEMD-160, SHA3-256 or BLAKE2s.
HMAC is used for message authenticity, message integrity and sometimes for key derivation.

Key Derivation Functions (KDF)

Key derivation function (KDF) is a function which transforms a variable-length password to fixed-length key (sequence of bits):
1
function(password) -> key
Copied!
As very simple KDF function, we can use SHA256: just hash the password. Don't do this, because it is insecure. Simple hashes are vulnerable to dictionary attacks.
As more complicated KDF function, you can derive a password by calculating HMAC(salt, msg, SHA256) using some random value called "salt", which is stored along with the derived key and used later to derive the same key again from the password.
Using HKDF (HMAC-based key derivation) for key derivation is less secure than modern KDFs, so experts recommend using stronger key derivation functions like PBKDF2, Bcrypt, Scrypt and Argon2. We shall discuss all these KDF functions later.

HMAC Calculation - Example

To get a better idea of HMAC and how it is calculated, try this online tool: https://www.freeformatter.com/hmac-generator.html​
Play with calculating HMAC('sample message', '12345', 'SHA256'):
1
HMAC('sample message', '12345', 'SHA256') =
2
'ee40ca7bc90df844d2f5b5667b27361a2350fad99352d8a6ce061c69e41e5d32'
Copied!
Try the above example yourself.
Previous
MAC and Key Derivation
Next
HMAC Calculation - Examples
Last modified 11d ago
Copy link
Contents
What is HMAC?
Key Derivation Functions (KDF)
HMAC Calculation - Example