The HMAC For Integrity

How combining a secret key with a hash proves a message was not altered or forged.

The Gap a Hash Leaves

A plain hash proves data integrity only if no attacker can change the data and recompute the hash. Because hash functions are public and keyless, anyone who can modify the data can also compute a matching hash for the modified version. HMAC closes the gap by mixing a secret key into the computation.

How HMAC Works

HMAC (hash-based message authentication code) feeds both the message and a secret key through a hash function in a defined two-pass structure: an inner hash over the key and the message, then an outer hash over the key and that inner result. The output is a tag. Only someone holding the key can produce or verify the correct tag.

  • The receiver recomputes the tag and compares it.
  • A wrong key or altered message yields a different tag.
  • It provides integrity and authenticity but not confidentiality.

Why Trust It

HMAC's security proof depends on properties of the underlying hash that are weaker than collision resistance, so it remains sound when built on a strong hash even if that hash has minor weaknesses. Always compare tags with a constant-time check so that timing does not leak how many leading bytes of a submitted tag matched.
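The two-pass construction and the constant-time verification described above, written out as an added example (not code from the original lesson). It builds HMAC-SHA-256 from the inner/outer pads directly, and the key and message values are constructed for the demonstration.

```python
import hashlib
import hmac  # standard library; used here only for compare_digest and a cross-check

BLOCK_SIZE = 64  # SHA-256 block size in bytes; longer keys are hashed down first


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Two-pass HMAC construction (RFC 2104) written out explicitly.

    inner = H((K' XOR ipad) || message)
    tag   = H((K' XOR opad) || inner)
    where K' is the key zero-padded (after hashing, if too long) to the block size.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time.

    hmac.compare_digest does not stop at the first mismatching byte, so its
    running time does not reveal how many leading bytes were correct.
    """
    expected = hmac_sha256(key, message)
    return hmac.compare_digest(expected, tag)


# Constructed sample values for the demonstration; not from any real system.
KEY = b"constructed-demo-key"
MESSAGE = b"transfer 100 to account 42"

if __name__ == "__main__":
    tag = hmac_sha256(KEY, MESSAGE)
    # Cross-check the hand-built construction against the standard library.
    assert tag == hmac.new(KEY, MESSAGE, hashlib.sha256).digest()
    print("tag:", tag.hex())
    print("genuine message verifies:", verify_tag(KEY, MESSAGE, tag))
    print("altered message verifies:", verify_tag(KEY, b"transfer 900 to account 42", tag))
    print("wrong key verifies:", verify_tag(b"other-key", MESSAGE, tag))
```

The altered message and the wrong key both fail verification, while the unmodified message with the correct key passes.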

Key idea

HMAC binds a secret key into a hash to produce a tag that proves a message is unaltered and came from a key holder, giving integrity and authenticity that a bare hash cannot.

Check yourself

Answer to earn rating on the learn ladder.

1. What does HMAC add to a plain hash?

2. What does HMAC provide?

3. How should HMAC tags be compared?