HMAC explained | keyed hash message authentication code
Вставка
- Опубліковано 8 жов 2024
- 🔥More exclusive content: productioncode...
Twitter: / _jgoebel
Blog: productioncode...
Website: jangoebel.com
In this video we cover what HMAC (keyed hash message authentication code) is and where it is used in the IT world. We also clarify the HMAC vs hash question and explain the two guarantees HMAC gives. HMAC provides integrity and authentication and is often used in JSON Web Tokens with the HS256 algorithm. To understand HMAC you need to understand what a hash function is. A hash function maps an arbitrary amount of input bits to an output bit vector of fixed length.
With HMAC you can use an arbitrary hashing function such as SHA256 and a secret.
What do you think about this video?
Was the explanation about HMAC clear?
pretty much
clear
it is great
Exacly what is needed, Comprehnsive and short
@@ppcuser100 thx, great to hear 👍
Solid vid on hashing and HMAC ... one of the best vids I've seen on the topic period. Thanks!
thx Wael, I'm glad it was understandable 👍
Really
Thanks for a simple and clear explanation!
here is a question I have, would appreciate your response:
HMAC looks quite similar to a signed data. only difference i see is with signed data hash is encrypted by a ASYM private key and in HMAC there is rather a secret key known to both parties used!
Hi Akhilesh, yes that is pretty much the main difference.
This was really helpful. The explanation was clear and concyse. Thank you
thx Jaime I'm glad it was helpful!
Well explained and good presentation, Thanks
Clear as newly Windexed glass! I found this helpful. Thanks for putting this out there.
The best explanation I have seen so far, thank you!
Glad it was helpful!
the best explanation that I could find & way better than in my script
thank you for the effort :)
Glad it helped!
Very good explanation, well done.
Glad you liked it!
Explanation made sense Helped me to undersand HMAC better Thank your for the Tutorial
you're welcome Shan 👍
It was a very good brief explanaition of HMAC fairly helpfull. I was wondering what is the minimum key size that can be used for HMAC and that is considered secure and not broken?
Great video ,simple and directly into the point thanks a lot.
Glad it was helpful!
This is very helpful. I have a rudimentary question. The difference between the Hash function and HMAC is the secret. The output for both is fixed. Then in the example what additional security does that key provide. Because is HMAC is changed when Hello World changes to Hello Bob. Won't also the Hash function output change in that case? And even then Bob would know that the message has been tampered with. Additionally, in case of HMAC when Bob gets the hacked message, is he also getting the HMAC output , which I am assuming is not tampered, to compare it against his own calculation of HMAC?
I have the same question and to be honest it seems no different than a JWT
A MiTM could intercept and change the message and then hash it again and attach the new hash together and bob wont notice any changes
@@rajaaekant A MiTM could intercept and change the message and then hash it again and attach the new hash together and bob wont notice any changes
For HMAC to work, the key must be secret, and only known by senders and receivers. If this is the case, then MITM is ineffective, because the attacker presumably doesn't have the key. This means that if the message and/or hash is tampered with, then the hash won't match.
Thanks man. Very clear explanation. This is what I was looking for.
Glad it helped
Useful explanation- thank you very much
very clear and very precise...really liked it!!
thx Hemant 👍
Great explanation but sometime I notice in these videos is that no actual practical examples are shown. It would be cool to actually see it in action
thx, I saw in my analytics that people hop off after a short period of time. That's why I thought I keep the video as short as possible
best of best explanation ever
thx
Brilliantly explained cheers bro 👊
Glad it helped
Excellent explanation, thank you!
Glad you enjoyed it!
A great example is when you want to prevent replay attacks. JWT provides some of the same features.
Das war eine tolle Erklärung.
danke dir
thank you so mush for you help. keep going don't stop
thx, I'm glad you found it useful
question... the HMAC is supposed to provide authentication (meaning know "who" sent the message). But if someone is listening to the messages, couldn't they replay that message from anywhere and make it look like it came from Alice?
Hi Frank, just HMACing the message would indeed not protect against replay attacks. Theoretically you could protect against replay attacks by including the MAC or the previous message in the current message and then HMACing this (crypto.stackexchange.com/questions/39640/can-i-use-a-hmac-for-replay-attack-protection)
Another option would be to just work with idempotency keys in each message so replaying is essentially useless
Well done. Good explanation
Glad it was helpful!
Great explanation, to the point. Thanks
thx Ric
This is really good explanation, Thanks
you're most welcome
Thank you for this explantion.
Glad it was helpful!
Explained well! Thank you.
Glad you liked it
Very clear Explanation
thx Mohamed 👍
fantastic video - thanks!
Glad it helped!
Very nice explanation, thanks !
Glad it was helpful!
Exactly what I was looking for, thank you!
thx Michael 👍
thank you for helping me understand it. it made zero sense when I read about it in class
thx
well deserved subscribe.. Great explanation. Well done sir
thx
Really good explanation. So the MAC function, is the same as the HMAC function but without the "Hash function" input, right?
No, HMAC is a subtype of a MAC. There are also other MACs that are not based on hashes, e.g. CMAC or Poly1305
@@jgoebel yes thats what i meant. HMAC is a version of MAC which adds the input "hash function"
@@ferbe666 ah sry, I didn't get it at first what you meant
thanks that was helpful, but am sorry, a random doubt why is it always bob and alice
?
A few people came up with the names and people have been using it ever since. How can Alice send a message to Bob is a little bit less abstract than "how can person A send a message to person B". It's sort of similar to "Hello World" examples in programming languages: en.wikipedia.org/wiki/Alice_and_Bob
This makes sense and assisted me in my research
Thanks!
you're most welcome 👍
Excellent, ez to understand
thx Champ 👍
Thanks, this was really helpful.
I'm glad it helped
Thank you for the video! Does HMAC take part in TLS/SSL? When the client and the server pass the TLS handshake and create a common SESSION key, do they also HMAC is message that is being sent out for data integrity?
No with TLS you use asymmetric cryptography. HMAC would not be suited for this because it requires a shared secret.
@@jgoebel TLS uses both asymmetric and symmetric cryptography. After they exchange public keys, server or client/(depending on the TLS version), for TLS 1.3 after it receives the TLS ClientHello request the server creates a new session key, and it encryprts it with the public key of the client, send it back to the client, and decrypts it with its private key. Now both have a common SESSION Key, and the encryption becomes symmetric. HMAC is added to each message to keep data integrity with the common key.
Really good video man. But i came with a doubt. How does the two parties agree on having "this secret key"? how is it exchanged? How do i know that the attacker didn't captured the secret key? Thanks!
you would need to exchange the key on a secure channel before. Having shared secrets implies the need for exchanging the secrets before. This is problematic when it comes to data breaches and it is more annoying because you typically do it manually. That's why these days you typically rely on asymmetric cryptography where you only need the public key to verify the signature and where you can easily expose your public key (e.g. by using a JWKS on your server)
It did make sense - thank you
thx
How do I do the SHA512 HMAC recursively? i.e.does the key stay the same?
This is Awesome. Any resources to implementation with JWT?
this is a good start: github.com/panva/jose
This made sense, thanks!
great, thx
old one, but still makes sense! :) zhx!
HMAC never gets old :)
Great explanation
Glad it was helpful!
How do you pass a shared secret key over the network? Is it safe enough to put it inside custom header?
you would need to share the secret upfront with the other party manually. For security reasons, you cannot send it in the request itself
Good explanation, helped a lot, thanks!
Glad it helped!
Thank you!!
That was great
Thanks for the video
Glad you enjoyed it
Can you explain about Secure Remote Password protocal?
I'm interested in hmac for cloud architecture, so internal http api calls can be verified who sent it and the payload was not modified.
If you could describe in a part two, the actual oath recomendation for hmac for parakeet and payload validation that would be really cool.
For security reasons, I would recommend to use digital signature schemes instead of HMAC to avoid having shared secrets
Thanks. Clearly understood.
Great to hear!
Great video, thank you!
thx Amanda, I'm glad you liked it!
Well done
thx Majdi
Could you tell me about Hmackey
H(M) is the SHA-256 hash...
of the message (M)
what dose mean of the massage here can u explaine ?
i dont now what is massge mean
message is whatever you want to hash
Cool video.
Thanks!
Keep up the good work
thx Senthu 👍
Message digest algorithms don't use secret keys, where HMAC is a combination of a secret key and a hash function.
exactly wat i needed
thx Ibro 👍
Really clear and easy to follow, thanks!
thx you 👍
How does the sender share the key with the recipient?
that would be a manual operation
The ques is how to get it
you can provide this ppt ?
So short: a HMAC is an encrypted hash?
no, an HMAC uses a hash function and a secret to produce a small piece of data called a message authentication code. The message authentication code is created by combining the hash function and the secret. So the MAC is not sth encrypted that you could theoretically decrypt.
он у папича дома сидит? great explanation btw
AB De Villiers
Thank you for a great explanation.
Glad you liked it
How is this different from hashing passwords with salt? hash('sha256', 'My Password'.$salt)