HMAC explained | keyed hash message authentication code 

Jan Goebel
70K views

🔥More exclusive content: productioncode...
Twitter: / _jgoebel
Blog: productioncode...
Website: jangoebel.com
In this video we cover what HMAC (keyed hash message authentication code) is and where it is used in the IT world. We also clarify the HMAC vs hash question and explain the two guarantees HMAC gives. HMAC provides integrity and authentication and is often used in JSON Web Tokens with the HS256 algorithm. To understand HMAC you need to understand what a hash function is. A hash function maps an arbitrary amount of input bits to an output bit vector of fixed length.
With HMAC you can use an arbitrary hashing function such as SHA256 and a secret.
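Added example (not code from the video or its author): HMAC-SHA256 built from the RFC 2104 inner/outer-pad construction, Bob's verification step, a tamper check that contrasts a plain SHA-256 hash with the keyed MAC, and a minimal HS256 JWT sign/verify on top of it. The messages "Hello World"/"Hello Bob", the keys and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC pads (or hashes) the key to this length

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:                # keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")     # shorter keys are zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's check: recompute with the shared key; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

def tamper_demo(key: bytes) -> tuple:
    """Returns (plain_hash_accepted, hmac_accepted) after an attacker edits the message in transit.
    Constructed sample: Alice sends "Hello World"; the attacker rewrites it to "Hello Bob"."""
    original, tampered = b"Hello World", b"Hello Bob"
    mac = hmac_sha256(key, original)                      # needs the key: attacker cannot redo it
    forged_plain_tag = hashlib.sha256(tampered).digest()  # keyless hash: attacker just recomputes
    plain_accepted = hashlib.sha256(tampered).digest() == forged_plain_tag  # Bob is fooled
    hmac_accepted = verify_tag(key, tampered, mac)                          # mismatch, rejected
    return plain_accepted, hmac_accepted

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_hs256(key: bytes, claims: dict) -> str:
    """Minimal JWT with alg HS256: the third segment is HMAC-SHA256 over 'header.payload'."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64url(hmac_sha256(key, f"{header}.{payload}".encode()))
    return f"{header}.{payload}.{signature}"

def jwt_hs256_valid(key: bytes, token: str) -> bool:
    """Verifier side: recompute the tag over the first two segments and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, signature = parts
    expected = _b64url(hmac_sha256(key, f"{header}.{payload}".encode()))
    return hmac.compare_digest(expected, signature)
```
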

Published: 5 Oct 2024

Comments: 145
@jgoebel 3 years ago
What do you think about this video? Was the explanation about HMAC clear?
@arsenmkrtchyan4832 3 years ago
pretty much
@kusharora1435 3 years ago
clear
@Ms_Oszy 3 years ago
it is great
@ppcuser100 2 years ago
Exactly what is needed, Comprehensive and short
@jgoebel 2 years ago
@ppcuser100 thx, great to hear 👍
@waelaltaqi 3 years ago
Solid vid on hashing and HMAC ... one of the best vids I've seen on the topic, period. Thanks!
@jgoebel 3 years ago
thx Wael, I'm glad it was understandable 👍
@princeroshan4105 3 years ago
Really
@MrJohn360 3 years ago
This was really helpful. The explanation was clear and concise. Thank you
@jgoebel 3 years ago
thx Jaime, I'm glad it was helpful!
@akhileshgupta5713 3 years ago
Thanks for a simple and clear explanation! Here is a question I have, would appreciate your response: HMAC looks quite similar to signed data. The only difference I see is that with signed data the hash is encrypted by an ASYM private key, and in HMAC there is rather a secret key known to both parties used!
@jgoebel 3 years ago
Hi Akhilesh, yes that is pretty much the main difference.
@AlHoussem 28 days ago
Well explained and good presentation, Thanks
@captainnemonic 1 year ago
Clear as newly Windexed glass! I found this helpful. Thanks for putting this out there.
@romankovrigin240 7 months ago
The best explanation I have seen so far, thank you!
@jgoebel 7 months ago
Glad it was helpful!
@message59 2 years ago
the best explanation that I could find & way better than in my script, thank you for the effort :)
@jgoebel 2 years ago
Glad it helped!
@thornwebdesign 1 year ago
Very good explanation, well done.
@jgoebel 1 year ago
Glad you liked it!
@KirkRivkin 2 months ago
Excellent explanation, thank you!
@jgoebel 2 months ago
Glad you enjoyed it!
@ABLyonary 2 years ago
Great explanation, but something I notice in these videos is that no actual practical examples are shown. It would be cool to actually see it in action
@jgoebel 2 years ago
thx, I saw in my analytics that people hop off after a short period of time. That's why I thought I'd keep the video as short as possible
@aghiadalzein3069 4 months ago
Great video, simple and directly to the point, thanks a lot.
@jgoebel 4 months ago
Glad it was helpful!
@binr_9817 3 years ago
Explanation made sense. Helped me to understand HMAC better. Thank you for the Tutorial
@jgoebel 3 years ago
you're welcome Shan 👍
@WildMemo 6 months ago
Explained well! Thank you.
@jgoebel 5 months ago
Glad you liked it
@hemantmadan8110 3 years ago
very clear and very precise...really liked it!!
@jgoebel 3 years ago
thx Hemant 👍
@tuxieo 11 months ago
thank you for helping me understand it. It made zero sense when I read about it in class
@jgoebel 11 months ago
thx
@maciejwodecki9294 2 years ago
Thanks man. Very clear explanation. This is what I was looking for.
@jgoebel 2 years ago
Glad it helped
@ouss0539 6 months ago
best of best explanation ever
@jgoebel 4 months ago
thx
@sezgingurel3942 1 year ago
That was a great explanation.
@jgoebel 1 year ago
thank you
@hfasihi 6 months ago
Well done. Good explanation
@jgoebel 5 months ago
Glad it was helpful!
@siddharthjain3592 2 years ago
This is very helpful. I have a rudimentary question. The difference between the Hash function and HMAC is the secret. The output for both is fixed. Then in the example what additional security does that key provide? Because the HMAC is changed when Hello World changes to Hello Bob. Won't the Hash function output also change in that case? And even then Bob would know that the message has been tampered with. Additionally, in case of HMAC when Bob gets the hacked message, is he also getting the HMAC output, which I am assuming is not tampered, to compare it against his own calculation of HMAC?
@rajaaekant 1 year ago
I have the same question and to be honest it seems no different than a JWT
@1337soundeZ 1 year ago
A MiTM could intercept and change the message and then hash it again and attach the new hash together and Bob won't notice any changes
@1337soundeZ 1 year ago
@rajaaekant A MiTM could intercept and change the message and then hash it again and attach the new hash together and Bob won't notice any changes
@dougsaylor6442 7 months ago
For HMAC to work, the key must be secret, and only known by senders and receivers. If this is the case, then MITM is ineffective, because the attacker presumably doesn't have the key. This means that if the message and/or hash is tampered with, then the hash won't match.
@Alex-nq7uh 1 year ago
Useful explanation, thank you very much
@or1equalsto1 7 months ago
Brilliantly explained, cheers bro 👊
@jgoebel 7 months ago
Glad it helped
@ylazerson 8 months ago
fantastic video - thanks!
@jgoebel 8 months ago
Glad it helped!
@gonzalocruz6653 2 years ago
It was a very good brief explanation of HMAC, fairly helpful. I was wondering what is the minimum key size that can be used for HMAC and that is considered secure and not broken?
@adrianweder7086 2 years ago
old one, but still makes sense! :) thx!
@jgoebel 2 years ago
HMAC never gets old :)
@dmha1655 2 years ago
It did make sense - thank you
@jgoebel 2 years ago
thx
@kebman 2 years ago
A great example is when you want to prevent replay attacks. JWT provides some of the same features.
@ricp 1 year ago
Great explanation, to the point. Thanks
@jgoebel 1 year ago
thx Ric
@michaelulloa12 3 years ago
Exactly what I was looking for, thank you!
@jgoebel 3 years ago
thx Michael 👍
@RandomAlias1 2 years ago
well deserved subscribe.. Great explanation. Well done sir
@jgoebel 2 years ago
thx
@shakirel 2 years ago
Thank you for this explanation.
@jgoebel 2 years ago
Glad it was helpful!
@FrankGraffagnino 2 years ago
question... the HMAC is supposed to provide authentication (meaning knowing "who" sent the message). But if someone is listening to the messages, couldn't they replay that message from anywhere and make it look like it came from Alice?
@jgoebel 2 years ago
Hi Frank, just HMACing the message would indeed not protect against replay attacks. Theoretically you could protect against replay attacks by including the MAC of the previous message in the current message and then HMACing this (crypto.stackexchange.com/questions/39640/can-i-use-a-hmac-for-replay-attack-protection). Another option would be to just work with idempotency keys in each message so replaying is essentially useless
@hugo565 2 years ago
Very nice explanation, thanks!
@jgoebel 2 years ago
Glad it was helpful!
@mohamedishhaq9197 3 years ago
Very clear Explanation
@jgoebel 3 years ago
thx Mohamed 👍
@janithmalinga5765 2 years ago
This is a really good explanation, Thanks
@jgoebel 2 years ago
you're most welcome
@champsurapong2694 3 years ago
Excellent, ez to understand
@jgoebel 3 years ago
thx Champ 👍
@nguyenquan4836 1 year ago
Thank you!!
@josephnour6888 2 years ago
thank you so much for your help. keep going, don't stop
@jgoebel 2 years ago
thx, I'm glad you found it useful
@majdirekik7549 1 year ago
Well done
@jgoebel 1 year ago
thx Majdi
@fgh7832 3 years ago
This makes sense and assisted me in my research
@fgh7832 3 years ago
Thanks!
@jgoebel 3 years ago
you're most welcome 👍
@sreesha445 2 years ago
Thanks. Clearly understood.
@jgoebel 2 years ago
Great to hear!
@nicetomeetugaming7024 2 years ago
Thanks, this was really helpful.
@jgoebel 2 years ago
I'm glad it helped
@deanwhite8413 1 year ago
Cool video.
@jgoebel 1 year ago
Thanks!
@vadimsadykov8042 1 year ago
Great explanation
@jgoebel 1 year ago
Glad it was helpful!
@Kakapo66 2 years ago
Good explanation, helped a lot, thanks!
@jgoebel 2 years ago
Glad it helped!
@hypebeastuchiha9229 2 years ago
That was great, Thanks for the video
@jgoebel 2 years ago
Glad you enjoyed it
@silas3463 2 years ago
This made sense, thanks!
@jgoebel 2 years ago
great, thx
@munidinesh9775 2 years ago
thanks, that was helpful, but I'm sorry, a random doubt: why is it always Bob and Alice?
@jgoebel 2 years ago
A few people came up with the names and people have been using them ever since. "How can Alice send a message to Bob" is a little bit less abstract than "how can person A send a message to person B". It's sort of similar to "Hello World" examples in programming languages: en.wikipedia.org/wiki/Alice_and_Bob
@amandaahringer7466 3 years ago
Great video, thank you!
@jgoebel 3 years ago
thx Amanda, I'm glad you liked it!
@srinivas1483 5 months ago
Message digest algorithms don't use secret keys, whereas HMAC is a combination of a secret key and a hash function.
@liecretsev 3 years ago
How do you pass a shared secret key over the network? Is it safe enough to put it inside a custom header?
@jgoebel 2 years ago
you would need to share the secret upfront with the other party manually. For security reasons, you cannot send it in the request itself
@artsofsenthu 3 years ago
Keep up the good work
@jgoebel 3 years ago
thx Senthu 👍
@_yak 3 years ago
Really clear and easy to follow, thanks!
@jgoebel 3 years ago
thank you 👍
@gabrielgenao5583 2 years ago
Really good video man. But I came with a doubt. How do the two parties agree on having "this secret key"? How is it exchanged? How do I know that the attacker didn't capture the secret key? Thanks!
@jgoebel 2 years ago
you would need to exchange the key on a secure channel beforehand. Having shared secrets implies the need for exchanging the secrets before. This is problematic when it comes to data breaches and it is more annoying because you typically do it manually. That's why these days you typically rely on asymmetric cryptography where you only need the public key to verify the signature and where you can easily expose your public key (e.g. by using a JWKS on your server)
@peter9910 1 year ago
How do I do the SHA512 HMAC recursively? i.e. does the key stay the same?
@ibroschool 3 years ago
exactly what I needed
@jgoebel 3 years ago
thx Ibro 👍
@KrisMeister 1 year ago
I'm interested in hmac for cloud architecture, so internal http api calls can be verified as to who sent it and that the payload was not modified. If you could describe in a part two the actual oath recommendation for hmac for parakeet and payload validation, that would be really cool.
@jgoebel 1 year ago
For security reasons, I would recommend using digital signature schemes instead of HMAC to avoid having shared secrets
@adnantatlis3225 2 years ago
H(M) is the SHA-256 hash... of the message (M). What does message mean here, can you explain? I don't know what message means
@jgoebel 2 years ago
message is whatever you want to hash
@truonghoangha5907 2 years ago
Can you explain the Secure Remote Password protocol?
@amritadhikari1188 2 years ago
This is Awesome. Any resources on implementation with JWT?
@jgoebel 2 years ago
this is a good start: github.com/panva/jose
@northmania5332 2 years ago
Thank you for the video! Does HMAC take part in TLS/SSL? When the client and the server pass the TLS handshake and create a common SESSION key, do they also HMAC the message that is being sent out for data integrity?
@jgoebel 2 years ago
No, with TLS you use asymmetric cryptography. HMAC would not be suited for this because it requires a shared secret.
@northmania5332 2 years ago
@jgoebel TLS uses both asymmetric and symmetric cryptography. After they exchange public keys, server or client (depending on the TLS version), for TLS 1.3 after it receives the TLS ClientHello request the server creates a new session key, encrypts it with the public key of the client, sends it back to the client, which decrypts it with its private key. Now both have a common SESSION Key, and the encryption becomes symmetric. HMAC is added to each message to keep data integrity with the common key.
@rukshanaaly7794 2 years ago
How does the sender share the key with the recipient?
@jgoebel 2 years ago
that would be a manual operation
@zef3589 1 year ago
Is he sitting at Papich's place? great explanation btw
@onlymetalks 1 year ago
The ques is how to get it
@jayeshpobari6565 1 year ago
can you provide this ppt?
@TheBroadwood 2 years ago
So in short: an HMAC is an encrypted hash?
@jgoebel 2 years ago
no, an HMAC uses a hash function and a secret to produce a small piece of data called a message authentication code. The message authentication code is created by combining the hash function and the secret. So the MAC is not something encrypted that you could theoretically decrypt.
@PuneetGurtoo 9 months ago
AB De Villiers
@ferbe666 1 year ago
Really good explanation. So the MAC function is the same as the HMAC function but without the "Hash function" input, right?
@jgoebel 1 year ago
No, HMAC is a subtype of a MAC. There are also other MACs that are not based on hashes, e.g. CMAC or Poly1305
@ferbe666 1 year ago
@jgoebel yes that's what I meant. HMAC is a version of MAC which adds the input "hash function"
@jgoebel 1 year ago
@ferbe666 ah sry, I didn't get at first what you meant
@nigesp 2 years ago
Thank you for a great explanation.
@jgoebel 2 years ago
Glad you liked it
@LewisMoten 3 months ago
How is this different from hashing passwords with salt? hash('sha256', 'My Password'.$salt)