HMAC Generator
Generate secure HMAC authentication codes with multiple hash algorithms
Note: SHA-1 is considered insecure. MD5 is cryptographically broken and should only be used for legacy compatibility. Use SHA-256 or SHA-512 for new applications.
About HMAC
HMAC (Keyed-Hash Message Authentication Code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As specified in RFC 2104, it can be used to verify both the data integrity and the authenticity of a message.
Unlike a standard hash function (like SHA-256) which only ensures data integrity (detecting accidental changes), HMAC uses a secret key to ensure authenticity (detecting tampering by an attacker). It is widely used in API authentication (e.g., AWS Signature v4), JSON Web Tokens (JWT), and financial data transmission. The strength of an HMAC depends on the cryptographic strength of the underlying hash function, the bit-length of its hash output, and the quality of the key.
Supported HMAC Algorithms
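This tool supports a range of HMAC algorithms, including SHA-256, SHA-512, SHA-384, SHA-224, and modern SHA-3 variants. Legacy support includes MD5 and SHA-1. The core calculation follows the formula: HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m)), where H is the hash function, K is the secret key, K' is the key adjusted to the hash's block size (hashed first if it is longer than one block, then zero-padded), m is the message, ⊕ is bitwise XOR, || is concatenation, opad is the outer padding (the byte 0x5c repeated to the block size), and ipad is the inner padding (the byte 0x36 repeated to the block size).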
Common Use Cases
Security Considerations
Security relies heavily on the secret key.
Key Strength: The key should be random and at least as long as the hash function's output (e.g., 32 bytes for SHA-256).
Algorithm Choice: Use SHA-256 or SHA-512 for modern applications. Avoid MD5 and SHA-1, as they are vulnerable to collision attacks, although HMAC constructions are generally more resistant to these collisions than the underlying hash functions themselves.
Example
Message: "Hello, World!"
Secret Key: "secret-key-2025"
Algorithm: HMAC-SHA256
Output:
e4d7f1b4c4e5a8d3e...
Frequently Asked Questions (FAQ)
What is the difference between a Hash and HMAC?
A Hash (like SHA-256) is a one-way function that transforms data into a fixed string; anyone can calculate it. HMAC uses a Hash function *plus* a secret key. Only someone with the secret key can create or verify the correct HMAC, making it suitable for authentication.
Why not just use Hash(Key + Message)?
Concatenating key and message (`H(Key + Message)`) is vulnerable to a 'Length Extension Attack' with certain hash functions like MD5 and SHA-1. HMAC's nested structure (`H((Key ^ opad) + H((Key ^ ipad) + Message))`) is specifically designed to prevent this and other cryptographic weaknesses.
Is HMAC reversible (can I decrypt it)?
No. HMAC is a keyed message authentication code built on a one-way hash function, not an encryption algorithm. You cannot reverse the output to get the original message or the secret key. It is used for verifying authenticity, not for hiding data.
How long should my secret key be?
RFC 2104 recommends a key length at least equal to the hash output length (e.g., 32 bytes/64 hex characters for SHA-256). Keys longer than the hash's block size do not significantly increase security, because they are hashed down before use.
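The formula under Supported HMAC Algorithms and the key-length answer above, worked through in Python as an added example (not this tool's code): it builds HMAC from the two nested hash calls, checks the result against the standard library's `hmac` module, and shows that a key longer than the block size produces the same tag as its digest. The key and message are constructed sample values, and `hmac_manual`, `verify` and `long_key_equivalent` are names chosen for this illustration.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m)), as in RFC 2104."""
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-512
    # Derive K': a key longer than one block is hashed down first,
    # then the result is zero-padded on the right to the block size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k_prime)  # inner padding
    opad = bytes(b ^ 0x5C for b in k_prime)  # outer padding
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


def long_key_equivalent(long_key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """True when an over-long key gives the same tag as its own digest."""
    hashed = hashlib.new(hash_name, long_key).digest()
    return hmac_manual(long_key, message, hash_name) == hmac_manual(hashed, message, hash_name)


# Constructed sample values for this illustration
KEY = b"constructed-sample-key"
MSG = b"amount=100&to=alice"

if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        tag = hmac_manual(KEY, MSG, name)
        # The manual construction must agree with the library implementation.
        assert tag == hmac.new(KEY, MSG, name).digest()
        print(name, tag.hex())
    tag = hmac_manual(KEY, MSG)
    print("valid message accepted:   ", verify(KEY, MSG, tag))
    print("tampered message accepted:", verify(KEY, b"amount=900&to=alice", tag))
    print("200-byte key == its digest as key:", long_key_equivalent(b"k" * 200, MSG))
```
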
Can I use this for password storage?
While HMAC is better than a simple hash, for passwords you should use specialized Key Derivation Functions (KDFs) like PBKDF2, bcrypt, or Argon2. PBKDF2 actually uses HMAC internally but adds iterations to slow down brute-force attacks.
Is my secret key safe using this tool?
Yes. This tool is fully client-side. The HMAC calculation is performed using JavaScript (Web Crypto API or CryptoJS) directly in your browser. Your secret key and message are never sent to any server.