What is HMAC
HMAC (Hash-based Message Authentication Code) is a message authentication code based on Hash functions and keys. It was proposed in 1996 by , a method for message authentication based on Hash functions and keys, and was announced as RFC2104 in 1997. HMAC uses keys, messages and hash functions to ensure that messages are not tampered with during transmission and can also verify the sender identity of the message.
Main uses of HMAC
HMAC is mainly used in the following aspects:
- Verify the integrity of data: HMAC can be used to verify whether the data has been tampered with during transmission. The receiver calculates the HMAC of the received message and compares it with the received HMAC. If the same, the data can be considered complete.
- For authentication: HMAC can also be used to verify the sender of a message. Because HMAC calculation requires a key, only those who know this key can generate the correct HMAC. So, if the HMAC of a message is correct, it can be assumed that the message does come from the claimed sender, and the typical usage scenario is OpenAPI.
- Prevent replay attacks: In some cases, HMACs can also be used to prevent replay attacks. Add a timestamp or serial number to the message and participate in the calculation of the HMAC, the receiver can reject messages with the old timestamp or serial number, thus preventing the attacker from replaying the old messages.
- Security Protocol: HMAC is used in many security protocols, such as IPSec (for protecting Internet Protocol communications) and TLS (for protecting web communications). These protocols use HMAC to ensure data integrity and verify the sender's identity.
How HMAC works
Typical usage of HMAC is as follows:
- Determines a hash function (such as SHA256 or MD5) and a key.
- By combining the key and message and operating through hash function, a fixed-size data (called the message authentication code) is generated.
- When the message recipient receives the message and the HMAC, the received message is computed using the same key and hash function, and then the result is compared with the received HMAC, if the same, the message is considered complete and untampered and does come from the claimed sender.
crypto/hmac package in Golang
The crypto/hmac package in Golang provides an implementation method of HMAC. Here are some of the main functions and usages of the crypto/hmac package:
- The New function, which receives a hash function and a key, returns a calculating the HMAC.
h := (, key)
- The Write method can add data to the HMAC and implements an interface.
_, err := (data)
if err != nil {
(err)
}- Sum method, returning the current hash value as a byte slice. You can choose to provide an existing byte slice, and the hash value will be appended to the end of this slice.
result := (nil)
- Equal function, used to compare whether two HMACs are equal, this function prevents attacks of the timing attack type (using the same time for comparison).
isValid := (mac1, mac2)
It can be seen that the Equal function does not simply use the `==` operator to compare two HMAC values, but uses a technique called "constant time comparison" to compare. This technique ensures that the time spent on comparison does not depend on the data of comparison, thus preventing timing attacks of the timing attack type. By calculating the time taken by the comparison operation, an attacker can infer some information about the data. For example, if the time taken for a comparison operation is of some relationship to the number of bytes, an attacker can infer the correct HMAC value by changing the input and observing the changes in the time taken for a comparison operation.
The following is an example of using the crypto/hmac package to generate HMAC, the code is as follows:
package main
import (
"crypto/hmac"
"crypto/sha256"
"fmt"
)
func main() {
key := []byte("secret key")
data := []byte("message to authenticate")
h := (, key)
_, err := (data)
if err != nil {
("Error writing to HMAC:", err)
return
}
result := (nil)
("HMAC: %x\n", result)
}This example uses SHA-256 as the underlying hash function, but any hash function that implements the interface can also be used.
How to choose the right hash function and key length
When selecting the hash function and key length of HMAC, the following factors need to be considered:
- Security Requirements: Security Requirements are the most important factor in determining the selection of hash function and key length. If higher security is required, a more powerful hash function and a longer key should be chosen. For example, SHA-256 or SHA-3.
- Performance requirements: More powerful hash functions and longer keys are often more performance-intensive. If the system has strict performance requirements, a trade-off between security and performance may be required.
- Compatibility: If the system needs to interact with other systems, you may need to select a hash function and key length that is compatible with other systems.
Regarding hash functions, a hash function that is widely accepted and has undergone strict security verification should be selected. SHA-256 is a widely accepted hashing algorithm that not only provides sufficient security, but also has good performance on most modern hardware.
Regarding the key length, generally speaking, the length of the key should be at least the same as the output length of the hash function. For example, if SHA-256 is used, the key length should be at least 256 bits. If the key is too short, it may reduce the security of the HMAC. If the key is too long, it will not waste server resources, nor will it further improve the security of HMAC. So, choosing a key length that is the same as the hash function output is a good choice.
summary
This article explains in detail how to implement HMAC in Golang, and first introduces the basic concepts and uses of HMAC. Then, we explained in detail how HMAC works, including how to choose a hash function and a key. Hope it helps you understand and effectively use HMAC to improve the integrity of your program.
The above is a detailed explanation of how to implement HMAC in Golang. For more information about Golang's implementation of HMAC, please pay attention to my other related articles!