The Difference between HMAC and MAC

Ben Mesander

Hash-based message authentication code, or HMAC, is an important building block for proving that data transmitted between the components of a system has not been tampered with.

HMAC is a widely used cryptographic technology. I recently came across its use in an RFID system.

Perhaps the most common use of HMAC is in TLS, Transport Layer Security, previously known as SSL, which is used every time you visit an “https://” URL in your browser. To really understand HMAC, you can read RFC 2104, which defines it.

However, I’m going to give you the secret decoder ring here. You need to understand the Message Authentication Code (MAC) first. Imagine I have a block of data, perhaps a video file. I want to send it to you, and I would like you to be able to verify that it was not modified in transit and that I was the one who sent it.

The idea behind a MAC is that I compute a cryptographic hash function, say SHA-256 (the same idea works with MD5 or SHA-1, though neither is recommended any more), over the concatenation of a secret key that we share and the block of data I want to send. I then transmit the block of data and the hash to you. You prepend the same shared secret key to the block of data, compute the same hash function, and compare. If you get the same hash result that I transmitted, then the message was not corrupted, and it came from someone who knew the shared secret, presumably me. Mathematically we can write

MAC = H(key || message)

In this formula, H denotes our cryptographic hash function (MD5, SHA-1, SHA-256, etc.); || denotes concatenation; key is our shared secret; and message is the block of data we want to send.

What’s wrong with this MAC? The hash functions people reach for here, MD5, SHA-1 and the SHA-2 family, are all built the same way: the message is padded out to a whole number of fixed-size blocks, and the blocks are fed one at a time through a compression function that updates an internal state. The digest that comes out at the end is simply that internal state after the last block. That has an unfortunate consequence for

MAC = H(key || message)

If you know that MAC and the length of the key (or can guess it), you can load the digest back in as the hash’s state and keep hashing. The result is

H(key || message || padding || extension)

for an extension of your choosing, and it is a valid MAC for the longer message even though you never learned the key. This is the length-extension attack, and it needs no collision at all: one valid (message, MAC) pair is enough to forge another.

Putting the key last, H(message || key), stops length extension but runs into the collision problem instead. By its very nature, a hash function has collisions such that multiple messages hash to the same value, and for MD5 and SHA-1 attackers can find them on purpose. A collision of the kind those attacks produce (two block-aligned inputs that leave the hash in the same internal state) survives having the same suffix appended, so if

H(message1) == H(message2)

then this is also true, for every key:

H(message1 || key) == H(message2 || key)

Either way the problem is the same: someone can produce a message I never sent, without knowing the key, give it to you, and it appears to be from me.
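Here is the length-extension attack on H(key || message) carried out end to end, as an added example that is not code from the original post. Python’s hashlib hides a hash’s internal state on purpose, so the example carries a small pure-Python SHA-256 whose starting state and already-absorbed length can be set; that is the only capability the attacker needs. The key, message and extension strings are constructed for the demonstration, and the attacker is assumed to know the key’s length (in practice one tries each plausible length until a forgery verifies). The last function applies the same trick to an HMAC tag, where it fails.

```python
import hashlib
import hmac
import math
import struct

# A minimal SHA-256 whose starting state and already-absorbed length can be set.
# hashlib hides that state on purpose; exposing it is all the attacker needs.

def _first_primes(n):
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def _icbrt(n):
    """Exact integer cube root (floor) by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

_MASK = 0xFFFFFFFF
_PRIMES = _first_primes(64)
# FIPS 180-4 constants: fractional bits of the cube roots (K) and square roots (IV) of the first primes.
_K = [_icbrt(p << 96) & _MASK for p in _PRIMES]
_IV = tuple(math.isqrt(p << 64) & _MASK for p in _PRIMES[:8])

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & _MASK

def _compress(state, block):
    """One SHA-256 compression step: fold a 64-byte block into the eight-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & _MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & _MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & _MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & _MASK, c, b, a, (t1 + t2) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))

def md_padding(message_len):
    """The Merkle-Damgard padding SHA-256 appends to a message of message_len bytes."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)

def sha256(data, iv=_IV, prior_len=0):
    """SHA-256 of data. With iv and prior_len set, it continues as if prior_len bytes (ending on a
    block boundary) had already been absorbed and left the state at iv: the digest *is* that state."""
    data = data + md_padding(prior_len + len(data))
    state = iv
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack(">8I", *state)

def matches_hashlib(data):
    return sha256(data) == hashlib.sha256(data).digest()

# The weak MAC from the text, and the forgery against it.

def naive_mac(key, message):
    """MAC = H(key || message), computed with the real hashlib, as a careless verifier would."""
    return hashlib.sha256(key + message).digest()

def length_extend(mac, key_len, message, extension):
    """Attacker's side: from one valid (message, mac) pair and the key's length (assumed known or
    guessed), forge the MAC of message || glue || extension without ever touching the key."""
    glue = md_padding(key_len + len(message))
    state = struct.unpack(">8I", mac)
    forged_mac = sha256(extension, iv=state, prior_len=key_len + len(message) + len(glue))
    return message + glue + extension, forged_mac

# Constructed demo values: the attacker sees MESSAGE and its MAC, never SECRET_KEY.
SECRET_KEY = b"correct horse battery staple"
MESSAGE = b"amount=100&to=alice"
EXTENSION = b"&to=mallory"

def forgery_verifies():
    mac = naive_mac(SECRET_KEY, MESSAGE)
    forged_msg, forged_mac = length_extend(mac, len(SECRET_KEY), MESSAGE, EXTENSION)
    return naive_mac(SECRET_KEY, forged_msg) == forged_mac   # True: the verifier accepts the forgery

def same_trick_against_hmac():
    """Apply the identical extension to an HMAC tag: the outer hash hides the inner state, so it fails."""
    tag = hmac.new(SECRET_KEY, MESSAGE, hashlib.sha256).digest()
    forged_msg, forged_tag = length_extend(tag, len(SECRET_KEY), MESSAGE, EXTENSION)
    real_tag = hmac.new(SECRET_KEY, forged_msg, hashlib.sha256).digest()
    return hmac.compare_digest(real_tag, forged_tag)          # False

if __name__ == "__main__":
    print("pure-Python SHA-256 agrees with hashlib:", matches_hashlib(b"abc"))
    print("forged H(key || message) MAC accepted:", forgery_verifies())
    print("same trick forges an HMAC tag:", same_trick_against_hmac())
```

The forged message carries the original padding in the middle (a 0x80 byte, some zeros and an 8-byte length), which is why this attack bites in formats that tolerate junk between fields, such as query strings and cookies: a parser that keeps the last value of a repeated key will see to=mallory and a MAC that checks out.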

HMAC solves both problems by using the following construction:

HMAC = H(key1 || H(key2 || message))

Here key1 and key2 are both derived from the one shared key K: the key is padded out to the hash’s block size, then XORed with two fixed byte patterns, key1 = K ⊕ opad (the byte 0x5c repeated) for the outer hash and key2 = K ⊕ ipad (the byte 0x36 repeated) for the inner hash. The inner hash is keyed, so an attacker never sees the output of an unkeyed hash over data they control, which is what the collision attack above needed. The outer hash then hides the inner hash’s final state behind a second keyed hash, so there is no state to extend, and length extension gets you nothing.

No known attack allows an attacker to modify the message and have the same HMAC value without knowing the key. HMAC’s security argument depends on the compression function behaving like a pseudorandom function rather than on collision resistance, which is why HMAC-MD5 has not been broken as a MAC even though MD5 collisions are cheap. That said, new designs should use HMAC with SHA-256 or stronger, and the verifier should compare tags with a constant-time comparison so that response timing does not leak how much of a guessed tag was right.
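To see exactly what key1 and key2 are, here is HMAC-SHA256 written out from RFC 2104’s definition and checked against Python’s hmac module. This is an added example, not the post’s own code; the key and message are constructed for the demonstration, and verify shows the constant-time comparison a verifier should use.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 absorbs 64-byte blocks; HMAC brings the key to exactly this size

def hmac_sha256(key, message):
    """HMAC as RFC 2104 defines it, one step at a time:
    HMAC = H((K xor opad) || H((K xor ipad) || message)), with K the key padded to one block."""
    if len(key) > BLOCK_SIZE:                  # a key longer than a block is hashed first...
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")       # ...and then every key is zero-padded to 64 bytes
    inner_key = bytes(k ^ 0x36 for k in key)   # key2 in the text: K xor ipad
    outer_key = bytes(k ^ 0x5C for k in key)   # key1 in the text: K xor opad
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()

def matches_stdlib(key, message):
    """Cross-check the hand-written construction against the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    """Verifier side: recompute the tag and compare in constant time, so that timing does not
    reveal how many leading bytes of an attacker's guessed tag were correct."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

KEY = b"shared-secret-for-the-demo"   # constructed example values
MSG = b"firmware-v1.2.bin"

def demo():
    tag = hmac_sha256(KEY, MSG)
    return (
        verify(KEY, MSG, tag),            # True: untouched message, right key
        verify(KEY, MSG + b"x", tag),     # False: message was modified
        verify(b"wrong-key", MSG, tag),   # False: tag was made with a different key
    )

if __name__ == "__main__":
    print("hand-written HMAC agrees with hmac module:", matches_stdlib(KEY, MSG))
    print("verify(good), verify(modified), verify(wrong key):", demo())
```

Note the two XOR patterns: because ipad and opad differ, key1 and key2 are always different even though they come from the same secret, and because the key is padded to a full block, the inner and outer hashes each start with a complete keyed block before any attacker-controlled data arrives.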

HMAC is a key to SSL/TLS security, for the reasons described in this recent email by an engineer at Microsoft. In short, HMAC is a powerful tool for authenticating data that is fairly easy to implement and understand.

Cardinal Peak