Thanks for a simple and clear explanation! here is a question I have, would appreciate your response: HMAC looks quite similar to a signed data. only difference i see is with signed data hash is encrypted by a ASYM private key and in HMAC there is rather a secret key known to both parties used!
This is very helpful. I have a rudimentary question. The difference between the Hash function and HMAC is the secret. The output for both is fixed. Then in the example what additional security does that key provide. Because is HMAC is changed when Hello World changes to Hello Bob. Won't also the Hash function output change in that case? And even then Bob would know that the message has been tampered with. Additionally, in case of HMAC when Bob gets the hacked message, is he also getting the HMAC output , which I am assuming is not tampered, to compare it against his own calculation of HMAC?
For HMAC to work, the key must be secret, and only known by senders and receivers. If this is the case, then MITM is ineffective, because the attacker presumably doesn't have the key. This means that if the message and/or hash is tampered with, then the hash won't match.
question... the HMAC is supposed to provide authentication (meaning know "who" sent the message). But if someone is listening to the messages, couldn't they replay that message from anywhere and make it look like it came from Alice?
Hi Frank, just HMACing the message would indeed not protect against replay attacks. Theoretically you could protect against replay attacks by including the MAC or the previous message in the current message and then HMACing this (crypto.stackexchange.com/questions/39640/can-i-use-a-hmac-for-replay-attack-protection) Another option would be to just work with idempotency keys in each message so replaying is essentially useless
A few people came up with the names and people have been using it ever since. How can Alice send a message to Bob is a little bit less abstract than "how can person A send a message to person B". It's sort of similar to "Hello World" examples in programming languages: en.wikipedia.org/wiki/Alice_and_Bob
It was a very good brief explanaition of HMAC fairly helpfull. I was wondering what is the minimum key size that can be used for HMAC and that is considered secure and not broken?
I'm interested in hmac for cloud architecture, so internal http api calls can be verified who sent it and the payload was not modified. If you could describe in a part two, the actual oath recomendation for hmac for parakeet and payload validation that would be really cool.
Thank you for the video! Does HMAC take part in TLS/SSL? When the client and the server pass the TLS handshake and create a common SESSION key, do they also HMAC is message that is being sent out for data integrity?
@@jgoebel TLS uses both asymmetric and symmetric cryptography. After they exchange public keys, server or client/(depending on the TLS version), for TLS 1.3 after it receives the TLS ClientHello request the server creates a new session key, and it encryprts it with the public key of the client, send it back to the client, and decrypts it with its private key. Now both have a common SESSION Key, and the encryption becomes symmetric. HMAC is added to each message to keep data integrity with the common key.
Really good video man. But i came with a doubt. How does the two parties agree on having "this secret key"? how is it exchanged? How do i know that the attacker didn't captured the secret key? Thanks!
you would need to exchange the key on a secure channel before. Having shared secrets implies the need for exchanging the secrets before. This is problematic when it comes to data breaches and it is more annoying because you typically do it manually. That's why these days you typically rely on asymmetric cryptography where you only need the public key to verify the signature and where you can easily expose your public key (e.g. by using a JWKS on your server)
no, an HMAC uses a hash function and a secret to produce a small piece of data called a message authentication code. The message authentication code is created by combining the hash function and the secret. So the MAC is not sth encrypted that you could theoretically decrypt.
What do you think about this video?
Was the explanation about HMAC clear?
pretty much
clear
it is great
Exacly what is needed, Comprehnsive and short
@@ppcuser100 thx, great to hear 👍
Solid vid on hashing and HMAC ... one of the best vids I've seen on the topic period. Thanks!
thx Wael, I'm glad it was understandable 👍
Really
Great job explaining the pieces of a HMAC and the practical use cases. Thank you!
The best explanation I have seen so far, thank you!
Glad it was helpful!
This was really helpful. The explanation was clear and concyse. Thank you
thx Jaime I'm glad it was helpful!
Thanks for a simple and clear explanation!
here is a question I have, would appreciate your response:
HMAC looks quite similar to a signed data. only difference i see is with signed data hash is encrypted by a ASYM private key and in HMAC there is rather a secret key known to both parties used!
Hi Akhilesh, yes that is pretty much the main difference.
Clear as newly Windexed glass! I found this helpful. Thanks for putting this out there.
the best explanation that I could find & way better than in my script
thank you for the effort :)
Glad it helped!
Well explained and good presentation, Thanks
Very good explanation, well done.
Glad you liked it!
Great video ,simple and directly into the point thanks a lot.
Glad it was helpful!
This is very helpful. I have a rudimentary question. The difference between the Hash function and HMAC is the secret. The output for both is fixed. Then in the example what additional security does that key provide. Because is HMAC is changed when Hello World changes to Hello Bob. Won't also the Hash function output change in that case? And even then Bob would know that the message has been tampered with. Additionally, in case of HMAC when Bob gets the hacked message, is he also getting the HMAC output , which I am assuming is not tampered, to compare it against his own calculation of HMAC?
I have the same question and to be honest it seems no different than a JWT
A MiTM could intercept and change the message and then hash it again and attach the new hash together and bob wont notice any changes
@@rajaaekant A MiTM could intercept and change the message and then hash it again and attach the new hash together and bob wont notice any changes
For HMAC to work, the key must be secret, and only known by senders and receivers. If this is the case, then MITM is ineffective, because the attacker presumably doesn't have the key. This means that if the message and/or hash is tampered with, then the hash won't match.
Explanation made sense Helped me to undersand HMAC better Thank your for the Tutorial
you're welcome Shan 👍
Brilliantly explained cheers bro 👊
Glad it helped
Great explanation but sometime I notice in these videos is that no actual practical examples are shown. It would be cool to actually see it in action
thx, I saw in my analytics that people hop off after a short period of time. That's why I thought I keep the video as short as possible
very clear and very precise...really liked it!!
thx Hemant 👍
How do I do the SHA512 HMAC recursively? i.e.does the key stay the same?
question... the HMAC is supposed to provide authentication (meaning know "who" sent the message). But if someone is listening to the messages, couldn't they replay that message from anywhere and make it look like it came from Alice?
Hi Frank, just HMACing the message would indeed not protect against replay attacks. Theoretically you could protect against replay attacks by including the MAC or the previous message in the current message and then HMACing this (crypto.stackexchange.com/questions/39640/can-i-use-a-hmac-for-replay-attack-protection)
Another option would be to just work with idempotency keys in each message so replaying is essentially useless
Thanks man. Very clear explanation. This is what I was looking for.
Glad it helped
well deserved subscribe.. Great explanation. Well done sir
thx
Excellent explanation, thank you!
Glad you enjoyed it!
Useful explanation- thank you very much
How do you pass a shared secret key over the network? Is it safe enough to put it inside custom header?
you would need to share the secret upfront with the other party manually. For security reasons, you cannot send it in the request itself
thank you so mush for you help. keep going don't stop
thx, I'm glad you found it useful
best of best explanation ever
thx
Very nice explanation, thanks !
Glad it was helpful!
thanks that was helpful, but am sorry, a random doubt why is it always bob and alice
?
A few people came up with the names and people have been using it ever since. How can Alice send a message to Bob is a little bit less abstract than "how can person A send a message to person B". It's sort of similar to "Hello World" examples in programming languages: en.wikipedia.org/wiki/Alice_and_Bob
It was a very good brief explanaition of HMAC fairly helpfull. I was wondering what is the minimum key size that can be used for HMAC and that is considered secure and not broken?
Great explanation, to the point. Thanks
thx Ric
Explained well! Thank you.
Glad you liked it
H(M) is the SHA-256 hash...
of the message (M)
what dose mean of the massage here can u explaine ?
i dont now what is massge mean
message is whatever you want to hash
Das war eine tolle Erklärung.
danke dir
Well done. Good explanation
Glad it was helpful!
Very clear Explanation
thx Mohamed 👍
thank you for helping me understand it. it made zero sense when I read about it in class
thx
I'm interested in hmac for cloud architecture, so internal http api calls can be verified who sent it and the payload was not modified.
If you could describe in a part two, the actual oath recomendation for hmac for parakeet and payload validation that would be really cool.
For security reasons, I would recommend to use digital signature schemes instead of HMAC to avoid having shared secrets
This is really good explanation, Thanks
you're most welcome
How does the sender share the key with the recipient?
that would be a manual operation
This makes sense and assisted me in my research
Thanks!
you're most welcome 👍
Thank you for the video! Does HMAC take part in TLS/SSL? When the client and the server pass the TLS handshake and create a common SESSION key, do they also HMAC is message that is being sent out for data integrity?
No with TLS you use asymmetric cryptography. HMAC would not be suited for this because it requires a shared secret.
@@jgoebel TLS uses both asymmetric and symmetric cryptography. After they exchange public keys, server or client/(depending on the TLS version), for TLS 1.3 after it receives the TLS ClientHello request the server creates a new session key, and it encryprts it with the public key of the client, send it back to the client, and decrypts it with its private key. Now both have a common SESSION Key, and the encryption becomes symmetric. HMAC is added to each message to keep data integrity with the common key.
Excellent, ez to understand
thx Champ 👍
Exactly what I was looking for, thank you!
thx Michael 👍
Really good explanation. So the MAC function, is the same as the HMAC function but without the "Hash function" input, right?
No, HMAC is a subtype of a MAC. There are also other MACs that are not based on hashes, e.g. CMAC or Poly1305
@@jgoebel yes thats what i meant. HMAC is a version of MAC which adds the input "hash function"
@@ferbe666 ah sry, I didn't get it at first what you meant
Thank you for this explantion.
Glad it was helpful!
It did make sense - thank you
thx
A great example is when you want to prevent replay attacks. JWT provides some of the same features.
Good explanation, helped a lot, thanks!
Glad it helped!
Can you explain about Secure Remote Password protocal?
This made sense, thanks!
great, thx
Could you tell me about Hmackey
Great explanation
Glad it was helpful!
Thanks, this was really helpful.
I'm glad it helped
fantastic video - thanks!
Glad it helped!
Thanks. Clearly understood.
Great to hear!
Really good video man. But i came with a doubt. How does the two parties agree on having "this secret key"? how is it exchanged? How do i know that the attacker didn't captured the secret key? Thanks!
you would need to exchange the key on a secure channel before. Having shared secrets implies the need for exchanging the secrets before. This is problematic when it comes to data breaches and it is more annoying because you typically do it manually. That's why these days you typically rely on asymmetric cryptography where you only need the public key to verify the signature and where you can easily expose your public key (e.g. by using a JWKS on your server)
That was great
Thanks for the video
Glad you enjoyed it
Message digest algorithms don't use secret keys, where HMAC is a combination of a secret key and a hash function.
This is Awesome. Any resources to implementation with JWT?
this is a good start: github.com/panva/jose
Great video, thank you!
thx Amanda, I'm glad you liked it!
old one, but still makes sense! :) zhx!
HMAC never gets old :)
you can provide this ppt ?
Keep up the good work
thx Senthu 👍
Thank you!!
The ques is how to get it
Well done
thx Majdi
Really clear and easy to follow, thanks!
thx you 👍
exactly wat i needed
thx Ibro 👍
Cool video.
Thanks!
он у папича дома сидит? great explanation btw
Thanks
So short: a HMAC is an encrypted hash?
no, an HMAC uses a hash function and a secret to produce a small piece of data called a message authentication code. The message authentication code is created by combining the hash function and the secret. So the MAC is not sth encrypted that you could theoretically decrypt.
AB De Villiers
How is this different from hashing passwords with salt? hash('sha256', 'My Password'.$salt)