HMAC explained | keyed hash message authentication code


Jan Goebel


In this video we cover what HMAC (keyed-hash message authentication code) is and where it is used in the IT world. We also clarify the HMAC vs hash question and explain the two guarantees HMAC gives: integrity and authentication. HMAC is often used in JSON Web Tokens with the HS256 algorithm. To understand HMAC you need to understand what a hash function is: a hash function maps an input of arbitrary length to an output bit vector of fixed length.
With HMAC you can use an arbitrary hash function such as SHA256 together with a secret key.
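The construction behind that last sentence, as an added example (not code from the video or its author): HMAC-SHA256 built from the bare hash function as specified in RFC 2104 and cross-checked against Python's hmac module. The key and message are constructed sample values.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key brought to the hash function's block size (64 bytes for
    SHA-256): keys longer than that are hashed first, shorter ones zero-padded.
    """
    block_size = hashlib.sha256().block_size  # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()    # long keys are hashed first
    key = key.ljust(block_size, b"\x00")      # short keys are zero-padded
    inner_key = bytes(b ^ 0x36 for b in key)  # ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # opad
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the manual construction against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"shared-secret-demo-key"  # constructed sample secret, known to both parties
    msg = b"Hello World"
    tag = hmac_sha256(key, msg)
    print(tag.hex())
    # Same key and message verify; a changed message or a different key does not.
    print(verify(key, msg, tag), verify(key, b"Hello Bob", tag), verify(b"other", msg, tag))
```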

Comments: 145
@jgoebel 3 years ago
What do you think about this video? Was the explanation about HMAC clear?
@arsenmkrtchyan4832 3 years ago
pretty much
@kusharora1435 3 years ago
clear
@Ms_Oszy 3 years ago
it is great
@ppcuser100 2 years ago
Exactly what is needed, comprehensive and short
@jgoebel 2 years ago
@@ppcuser100 thx, great to hear 👍
@waelaltaqi 3 years ago
Solid vid on hashing and HMAC ... one of the best vids I've seen on the topic, period. Thanks!
@jgoebel 3 years ago
thx Wael, I'm glad it was understandable 👍
@princeroshan4105 3 years ago
Really
@AlHoussem 14 days ago
Well explained and good presentation, thanks
@MrJohn360 3 years ago
This was really helpful. The explanation was clear and concise. Thank you
@jgoebel 3 years ago
thx Jaime, I'm glad it was helpful!
@akhileshgupta5713 3 years ago
Thanks for a simple and clear explanation! Here is a question I have, would appreciate your response: HMAC looks quite similar to signed data. The only difference I see is that with signed data the hash is encrypted by an asymmetric private key, and in HMAC there is rather a secret key known to both parties used!
@jgoebel 3 years ago
Hi Akhilesh, yes that is pretty much the main difference.
@captainnemonic 1 year ago
Clear as newly Windexed glass! I found this helpful. Thanks for putting this out there.
@KirkRivkin 1 month ago
Excellent explanation, thank you!
@jgoebel 1 month ago
Glad you enjoyed it!
@WildMemo 5 months ago
Explained well! Thank you.
@jgoebel 5 months ago
Glad you liked it
@romankovrigin240 7 months ago
The best explanation I have seen so far, thank you!
@jgoebel 7 months ago
Glad it was helpful!
@ouss0539 5 months ago
best of best explanation ever
@jgoebel 3 months ago
thx
@message59 2 years ago
the best explanation that I could find & way better than in my script, thank you for the effort :)
@jgoebel 2 years ago
Glad it helped!
@thornwebdesign 1 year ago
Very good explanation, well done.
@jgoebel 11 months ago
Glad you liked it!
@sezgingurel3942 1 year ago
That was a great explanation.
@jgoebel 1 year ago
thank you
@hfasihi 5 months ago
Well done. Good explanation
@jgoebel 5 months ago
Glad it was helpful!
@binr_9817 3 years ago
Explanation made sense. Helped me to understand HMAC better. Thank you for the tutorial
@jgoebel 3 years ago
you're welcome Shan 👍
@tuxieo 11 months ago
thank you for helping me understand it. it made zero sense when I read about it in class
@jgoebel 10 months ago
thx
@hemantmadan8110 3 years ago
very clear and very precise... really liked it!!
@jgoebel 2 years ago
thx Hemant 👍
@aghiadalzein3069 3 months ago
Great video, simple and directly to the point, thanks a lot.
@jgoebel 3 months ago
Glad it was helpful!
@Alex-nq7uh 1 year ago
Useful explanation, thank you very much
@maciejwodecki9294 1 year ago
Thanks man. Very clear explanation. This is what I was looking for.
@jgoebel 1 year ago
Glad it helped
@siddharthjain3592 2 years ago
This is very helpful. I have a rudimentary question. The difference between the hash function and HMAC is the secret. The output for both is fixed. Then in the example, what additional security does that key provide? Because the HMAC is changed when Hello World changes to Hello Bob. Won't the hash function output also change in that case? And even then Bob would know that the message has been tampered with. Additionally, in the case of HMAC, when Bob gets the hacked message, is he also getting the HMAC output, which I am assuming is not tampered, to compare it against his own calculation of HMAC?
@rajaaekant 1 year ago
I have the same question and to be honest it seems no different than a JWT
@1337soundeZ 1 year ago
A MiTM could intercept and change the message and then hash it again and attach the new hash together, and Bob won't notice any changes
@1337soundeZ 1 year ago
@@rajaaekant A MiTM could intercept and change the message and then hash it again and attach the new hash together, and Bob won't notice any changes
@dougsaylor6442 7 months ago
For HMAC to work, the key must be secret, and only known by senders and receivers. If this is the case, then MITM is ineffective, because the attacker presumably doesn't have the key. This means that if the message and/or hash is tampered with, then the hash won't match.
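To make the point of this thread concrete, an added example (not from the video or the commenters): the same change applied to a message protected by a plain SHA-256 digest and by HMAC-SHA256, seen from the receiver's side. The shared key and messages are constructed sample values, and the intermediary is modelled as someone who can see and alter traffic but does not hold the key.

```python
import hashlib
import hmac

KEY = b"shared-secret-demo-key"  # constructed; known only to Alice (sender) and Bob (receiver)


def send_hash_only(message: bytes):
    """Alice attaches a plain SHA-256 digest; no secret is involved."""
    return message, hashlib.sha256(message).digest()


def send_hmac(message: bytes):
    """Alice attaches HMAC-SHA256 computed with the shared secret."""
    return message, hmac.new(KEY, message, hashlib.sha256).digest()


def modify_in_transit(message: bytes, tag: bytes, keyed: bool):
    """Model of an intermediary without KEY who alters the text.
    With a plain digest the checksum can simply be recomputed over the new
    text; with HMAC it cannot, so the old tag has to be forwarded as is."""
    new_message = message.replace(b"World", b"Bob")
    if keyed:
        return new_message, tag
    return new_message, hashlib.sha256(new_message).digest()


def receive_hash_only(message: bytes, tag: bytes) -> bool:
    """Bob recomputes the digest; anyone could have produced a matching one."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)


def receive_hmac(message: bytes, tag: bytes) -> bool:
    """Bob recomputes the HMAC with KEY; constant-time compare against the tag."""
    expected = hmac.new(KEY, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    original = b"Hello World"
    m1, t1 = modify_in_transit(*send_hash_only(original), keyed=False)
    m2, t2 = modify_in_transit(*send_hmac(original), keyed=True)
    return {
        "hash_only_accepts_modified": receive_hash_only(m1, t1),  # True: digest was recomputed
        "hmac_accepts_modified": receive_hmac(m2, t2),            # False: tag no longer matches
        "hmac_accepts_genuine": receive_hmac(*send_hmac(original)),
    }


if __name__ == "__main__":
    print(demo())
```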
@or1equalsto1 6 months ago
Brilliantly explained, cheers bro 👊
@jgoebel 6 months ago
Glad it helped
@ylazerson 8 months ago
fantastic video - thanks!
@jgoebel 8 months ago
Glad it helped!
@ABLyonary 2 years ago
Great explanation, but something I notice in these videos is that no actual practical examples are shown. It would be cool to actually see it in action
@jgoebel 2 years ago
thx, I saw in my analytics that people hop off after a short period of time. That's why I thought I'd keep the video as short as possible
@adrianweder7086 2 years ago
old one, but still makes sense! :) thx!
@jgoebel 2 years ago
HMAC never gets old :)
@gonzalocruz6653 2 years ago
It was a very good brief explanation of HMAC, fairly helpful. I was wondering what is the minimum key size that can be used for HMAC and that is considered secure and not broken?
@dmha1655 2 years ago
It did make sense - thank you
@jgoebel 2 years ago
thx
@mohamedishhaq9197 3 years ago
Very clear explanation
@jgoebel 3 years ago
thx Mohamed 👍
@michaelulloa12 3 years ago
Exactly what I was looking for, thank you!
@jgoebel 3 years ago
thx Michael 👍
@ricp 1 year ago
Great explanation, to the point. Thanks
@jgoebel 1 year ago
thx Ric
@nigesp 2 years ago
Thank you for a great explanation.
@jgoebel 2 years ago
Glad you liked it
@hugo565 2 years ago
Very nice explanation, thanks!
@jgoebel 2 years ago
Glad it was helpful!
@champsurapong2694 3 years ago
Excellent, ez to understand
@jgoebel 3 years ago
thx Champ 👍
@nguyenquan4836 1 year ago
Thank you!!
@RandomAlias1 2 years ago
well deserved subscribe.. Great explanation. Well done sir
@jgoebel 2 years ago
thx
@deanwhite8413 1 year ago
Cool video.
@jgoebel 11 months ago
Thanks!
@majdirekik7549 1 year ago
Well done
@jgoebel 1 year ago
thx Majdi
@shakirel 2 years ago
Thank you for this explanation.
@jgoebel 2 years ago
Glad it was helpful!
question... the HMAC is supposed to provide authentication (meaning know "who" sent the message). But if someone is listening to the messages, couldn't they replay that message from anywhere and make it look like it came from Alice?
@jgoebel
@jgoebel 2 жыл бұрын
Hi Frank, just HMACing the message would indeed not protect against replay attacks. Theoretically you could protect against replay attacks by including the MAC or the previous message in the current message and then HMACing this (crypto.stackexchange.com/questions/39640/can-i-use-a-hmac-for-replay-attack-protection) Another option would be to just work with idempotency keys in each message so replaying is essentially useless
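The first option in this reply, chaining each MAC onto the previous one so that a recorded message no longer verifies once the conversation has moved on, as an added example that is not from the video or the reply. The key, the messages and the all-zero initial chain value are constructed.

```python
import hashlib
import hmac

KEY = b"shared-secret-demo-key"  # constructed; shared by sender and receiver only
CHAIN_START = b"\x00" * 32        # constructed initial chain value both sides agree on


def chained_tag(previous_tag: bytes, message: bytes) -> bytes:
    """HMAC over (previous tag || 4-byte length || message), so every tag depends
    on the whole history of accepted messages, not only on the current one."""
    length = len(message).to_bytes(4, "big")  # length prefix keeps the framing unambiguous
    return hmac.new(KEY, previous_tag + length + message, hashlib.sha256).digest()


class Sender:
    def __init__(self):
        self.last_tag = CHAIN_START

    def send(self, message: bytes):
        tag = chained_tag(self.last_tag, message)
        self.last_tag = tag
        return message, tag


class Receiver:
    def __init__(self):
        self.last_tag = CHAIN_START

    def accept(self, message: bytes, tag: bytes) -> bool:
        """Accept only a tag that chains onto the last accepted one. A replayed
        (message, tag) pair fails because the expected previous tag has changed."""
        expected = chained_tag(self.last_tag, message)
        if not hmac.compare_digest(expected, tag):
            return False
        self.last_tag = tag
        return True


def demo() -> dict:
    alice, bob = Sender(), Receiver()
    first = alice.send(b"order 1: ship 10 units")
    second = alice.send(b"order 2: ship 5 units")
    return {
        "first_accepted": bob.accept(*first),
        "second_accepted": bob.accept(*second),
        "replay_of_first_rejected": not bob.accept(*first),
        "altered_text_rejected": not bob.accept(b"order 1: ship 500 units", first[1]),
    }
```

A dropped or reordered message breaks the chain on the receiver's side, which is why a per-message sequence number or nonce that the receiver remembers is the more common form of the same idea.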
@kebman 1 year ago
A great example is when you want to prevent replay attacks. JWT provides some of the same features.
@janithmalinga5765 2 years ago
This is a really good explanation, thanks
@jgoebel 2 years ago
you're most welcome
@fgh7832 3 years ago
This makes sense and assisted me in my research
@fgh7832 3 years ago
Thanks!
@jgoebel 3 years ago
you're most welcome 👍
@josephnour6888 2 years ago
thank you so much for your help. keep going, don't stop
@jgoebel 2 years ago
thx, I'm glad you found it useful
@sreesha445 2 years ago
Thanks. Clearly understood.
@jgoebel 2 years ago
Great to hear!
@vadimsadykov8042 11 months ago
Great explanation
@jgoebel 11 months ago
Glad it was helpful!
@srinivas1483 5 months ago
Message digest algorithms don't use secret keys, whereas HMAC is a combination of a secret key and a hash function.
@munidinesh9775 2 years ago
thanks, that was helpful, but I'm sorry, a random doubt: why is it always Bob and Alice?
@jgoebel 2 years ago
A few people came up with the names and people have been using them ever since. "How can Alice send a message to Bob" is a little bit less abstract than "how can person A send a message to person B". It's sort of similar to "Hello World" examples in programming languages: en.wikipedia.org/wiki/Alice_and_Bob
@Kakapo66 2 years ago
Good explanation, helped a lot, thanks!
@jgoebel 2 years ago
Glad it helped!
@amandaahringer7466 3 years ago
Great video, thank you!
@jgoebel 3 years ago
thx Amanda, I'm glad you liked it!
@nicetomeetugaming7024 2 years ago
Thanks, this was really helpful.
@jgoebel 2 years ago
I'm glad it helped
@hypebeastuchiha9229 2 years ago
That was great, thanks for the video
@jgoebel 2 years ago
Glad you enjoyed it
@silas3463 2 years ago
This made sense, thanks!
@jgoebel 2 years ago
great, thx
@artsofsenthu 3 years ago
Keep up the good work
@jgoebel 3 years ago
thx Senthu 👍
@ibroschool 3 years ago
exactly what I needed
@jgoebel 3 years ago
thx Ibro 👍
@liecretsev 2 years ago
How do you pass a shared secret key over the network? Is it safe enough to put it inside a custom header?
@jgoebel 2 years ago
you would need to share the secret upfront with the other party manually. For security reasons, you cannot send it in the request itself
@peter9910 1 year ago
How do I do the SHA512 HMAC recursively? i.e. does the key stay the same?
@adnantatlis3225 2 years ago
H(M) is the SHA-256 hash... of the message (M). What does "message" mean here, can you explain? I don't know what message means
@jgoebel 2 years ago
message is whatever you want to hash
@gabrielgenao5583 2 years ago
Really good video man. But I came with a doubt. How do the two parties agree on having "this secret key"? How is it exchanged? How do I know that the attacker didn't capture the secret key? Thanks!
@jgoebel 2 years ago
you would need to exchange the key on a secure channel before. Having shared secrets implies the need for exchanging the secrets beforehand. This is problematic when it comes to data breaches and it is more annoying because you typically do it manually. That's why these days you typically rely on asymmetric cryptography where you only need the public key to verify the signature and where you can easily expose your public key (e.g. by using a JWKS on your server)
@amritadhikari1188 2 years ago
This is awesome. Any resources for implementation with JWT?
@jgoebel 1 year ago
this is a good start: github.com/panva/jose
@zef3589 1 year ago
is he sitting at Papich's place? great explanation btw
@_yak 3 years ago
Really clear and easy to follow, thanks!
@jgoebel 3 years ago
thank you 👍
@truonghoangha5907 2 years ago
Can you explain the Secure Remote Password protocol?
@KrisMeister 1 year ago
I'm interested in HMAC for cloud architecture, so internal HTTP API calls can be verified as to who sent them and that the payload was not modified. If you could describe in a part two the actual oath recommendation for HMAC for parakeet and payload validation, that would be really cool.
@jgoebel 1 year ago
For security reasons, I would recommend using digital signature schemes instead of HMAC to avoid having shared secrets
@northmania5332 2 years ago
Thank you for the video! Does HMAC take part in TLS/SSL? When the client and the server pass the TLS handshake and create a common SESSION key, do they also HMAC each message that is being sent out for data integrity?
@jgoebel 2 years ago
No, with TLS you use asymmetric cryptography. HMAC would not be suited for this because it requires a shared secret.
@northmania5332 2 years ago
@@jgoebel TLS uses both asymmetric and symmetric cryptography. After they exchange public keys, server or client (depending on the TLS version), for TLS 1.3 after it receives the TLS ClientHello request the server creates a new session key, and it encrypts it with the public key of the client, sends it back to the client, and decrypts it with its private key. Now both have a common SESSION key, and the encryption becomes symmetric. HMAC is added to each message to keep data integrity with the common key.
@rukshanaaly7794 2 years ago
How does the sender share the key with the recipient?
@jgoebel 2 years ago
that would be a manual operation
@onlymetalks 1 year ago
The question is how to get it
@TheBroadwood 2 years ago
So in short: an HMAC is an encrypted hash?
@jgoebel 2 years ago
no, an HMAC uses a hash function and a secret to produce a small piece of data called a message authentication code. The message authentication code is created by combining the hash function and the secret. So the MAC is not something encrypted that you could theoretically decrypt.
@jayeshpobari6565 1 year ago
can you provide this ppt?
@PuneetGurtoo 9 months ago
AB De Villiers
@ferbe666 1 year ago
Really good explanation. So the MAC function is the same as the HMAC function but without the "hash function" input, right?
@jgoebel 11 months ago
No, HMAC is a subtype of a MAC. There are also other MACs that are not based on hashes, e.g. CMAC or Poly1305
@ferbe666 11 months ago
@@jgoebel yes, that's what I meant. HMAC is a version of MAC which adds the input "hash function"
@jgoebel 11 months ago
@@ferbe666 ah sry, I didn't get at first what you meant
@LewisMoten 3 months ago
How is this different from hashing passwords with salt? hash('sha256', 'My Password'.$salt)