HMACs and MACs are authentication codes and are often the backbone of JWT authentication systems. Let's take a look at how they work! MAC - Message Authentication Code MACs are exactly what they sound like; small codes that allow receivers of messages to know who the sender was (authentication). A MAC code is calculated by using a and a as inputs. Anyone who has a can then that that code and message were created by someone with the same key. message secret key copy of that secret key verify One way this is accomplished is by using a for instance, SHA-256. Simply put, a hash function takes an input and then returns an output, where: hash function, The output is very unlikely to be the same for different inputs The output is always the same for the same inputs The output is not predictable - changing the input in any way results in a seemingly random change to the output Given this, a naive example of MAC generation by the sender could be: macCode = sha256( + ) 'thisIsASecretKey1234' 'my message here' Then the verification by the receiver would be: == sha256( + ) macCode 'thisIsASecretKey1234' 'my message here' Note that MACs don't necessarily use a hash function, but a hash can be used as a "signing" mechanism. For a further reading look at the . MAC Wikipedia article HMAC - Hash-Based Message Authentication Code An HMAC is a kind of MAC. All HMACs are MACs but not all MACs are HMACs. The main difference is that an HMAC uses two rounds of hashing instead of one (or none). Each round of hashing uses a section of the secret key. As a naive example: ( + ( + )) sha256 'thisIsASe' sha256 'cretKey1234' 'my message here' Which is a simplified version of the function given in . RFC-2104 Why use HMAC? Why do we need to hash twice? With many hash functions, it is relatively easy to change the message (without knowing the key) and obtain another valid MAC. We call this a . No known extension attacks are known against the current HMAC specification. length extension attack To read further about HMACs take a look . here HMACs with JWTs If you've ever used JWTs for authentication schemes on a web app, then you know that JWTs are wonderful for keeping track of who is who. A JWT (when using HMAC as the signing scheme) is basically just an HMAC message where the message data is a JSON object. The interesting thing about the JWT system is that the sender and the receiver of the JWT are typically the same entity, that is, the webserver. Look at the following example: User gives the server an username and password Server verifies the username and password are correct Server generates a JWT using HMAC: = hmacCode ( + ( + )) sha256 'thisIsASe' sha256 'cretKey1234' '{"email":"lane@qvault.io"}' The server responds with the following (decoded) JWT: .{ : }.hmacCode header "email" "lane@qvault.io" User decides to update his/her profile picture by sending the following request: PUT /users/profile_picture
Authentication: Bearer .{ : } { : } header "email" "lane@qvault.io" .hmacCode "new_picture" "http://linktopicture.com/mypic" Server parses the JWT. The JWT says the user is "lane@qvault.io" The server verifies that the user really is Lane by validating the HMAC code, because only someone with access to the secret key 'thisIsASecretKey1234' could have made the HMAC code that corresponds to the 'lane@qvault.io' message If the verification is successful, then the server updates Lane's profile picture Because this is a very basic example of how JWT's work, it skips over some implementation details. However, if you want to learn more about the specifics, take a look at the explanation on . jwt.io If you feel that I missed anything important, or have any questions, feel free to contact me on twitter! Lane on Twitter: @wagslane Lane on Dev.to: wagslane Previously published at https://qvault.io/2019/12/12/hmac-and-mac-explained-simply-building-secure-auth-with-jwts/

Twitter

Could Banning Cryptography Keep the Country Safe?

Cryptology Vs. Cryptography Vs. Cryptanalysis - Get your Vocabulary Right!

Learn to code on Boot.dev

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Mathematics

Nominated for 2022 - HackerNoon Contributor of the Year - Cryptography

Nominated for Coding Guru of 2022

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Online Education

Nominated for 2022 - HackerNoon Contributor of the Year - Job Hunting

Nominated for Super Career Strategist of 2022

Too Long; Didn't Read

HMAC and MAC Explained: How To Build Secure Authentication With JWTs

HMAC and MAC Explained: How To Build Secure Authentication With JWTs

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Complete Overview of Cryptography

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

A Complete Overview of Cryptography

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps