Security Engineer Interview Questions: What’s an HMAC?

Source: Wikipedia

At the OWASP Bay Area Meetup recently, I ran into Tad Whitaker. He works in security and was instrumental in organizing the OWASP Bay Area meetup along with Prashanth KV and the rest of the OWASP Bay Area leadership. As I was perusing through his public github repos, I came across one entitled “Security Engineer Interview Questions”. This intrigued me and I opened it to find that it was a list of interview questions that Tad had curated from all Security Engineer Interview Questions from Glassdoor.

I found the repo to be extremely useful. Not only were these questions a reflection of what the industry expects, but very useful to know for experienced and aspiring security engineers around the globe. The repo is here, btw. As I read through some of the questions, I realized that several were AppSec related. And in addition, I felt that they were a great way to get a lot of folks to understand some of these key concepts, especially from the perspective of AppSec usecases and vulnerabilities, which is why I decided to repurpose the project differently.

My overall aim is to put together a “compendium of answers” for most/all/some of these questions, with a special focus on AppSec. My objective is to answer the question first, and subsequently identify real-world use-cases, anecdotes or “trench stories” for the question, as applicable. The idea is to present the most relevant information about the question without having to refer to several sources at a time. I am doing this more as a personal project, and a way of giving back something to the community at large. So, before I get started, I would like to thank Tad for the initial inspiration.

Question: What is an HMAC?

An HMAC is “Hash-based Message Authentication Code”. Before we get to the “Hash-based” part, let’s quickly get into the “Message Authentication Code” part of this term. A Message Authentication Code is a short piece of code that is meant to verify integrity with authenticity of a message of any kind. For instance, let’s assume that Alice sends a message to Bob, with the following content.

Hi Bob — Please transfer $1000 to Account Number: 012349124212

but Sally, a malicious actor intercepts the message and changes the account number to her account:

Hi Bob — Please transfer $1000 to Account Number: 022389124391

When this message is received by Bob, he would act on what appears to be a genuine message from Alice, and transfer the money to Sally’s account.

If on the other hand, there was a separate transmission of a Message Authentication Code or a Digital Signature for the message transmitted, Bob would’ve received an HMAC with the message which looked like this:

but when Bob checks the HMAC against the message that Sally sent, Bob gets an output like this:

And since

a47dee64d793e51dabac8125591264bf827ab84d211bd85ce8fb4856c663e779 != 70974227ea4b52d45163666abd171662f03f29131baa68e90bbd0f681963c8ab

Bob would have realized that this message was probably tampered in transit and therefore compromised. Bob has now verified that this message has been modified and is not authentic.

An HMAC is a recipe for a Hashing algorithm to be used as a Message Authentication Code. With an HMAC, you can use popular hashing algorithms like SHA-256, etc with a secret key to generate a Message Authentication Code. Other than an HMAC, you also have block-ciphers like AES and DES to generate a CMAC (Cipher Based Message Authentication Code). However, I am guessing that owing to speed and ease-of-use, the HMAC is a more popular way of generating Message Authentication Codes.

How does an HMAC work?

  • An HMAC Implementation of a Hashing Algorithm, example — HMAC-SHA256 is the HMAC Implementation or recipe for SHA-256.
  • A Secret Key
  • A Message

In this code snippet we are using python’s default HMAC library, with a not-very-secure key called “s3cr3tk3y” and the message is “Hello World”. The message could be JSON (popular for Web Services) or a file, or any other datatype. I am using the SHA-256 hashing function to generate the HMAC

Where are HMACs used?

Transport Layer Security

This is a CipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, and in this CipherSuite the SHA-256 at the end of the CipherSuite specification denotes the HMAC algorithm used to generate Message Authentication Codes TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

With Google’s successful compromise of the SHA-1 algorithm in 2017[link], its highly recommended that you use CipherSuites with SHA-256 and higher.

JSON Web Tokens

For instance, in a JWT, the application would generate a JSON payload and sign it with an HMAC-SHA256 algo (called HS256 in short) and transmit that to the client. The client would use this Token in all subsequent requests to the application. The application would decode the base64 encoded token and verify if the HMAC matches the one generated by the application at runtime. If the decode succeeds and the other parameters like Expiration check out, the request is considered authenticated.

One of the key concerns with using HMACs with JWTs is the use of the Secret Key. If the Secret Key is exposed or is weak, then its trivial for the attacker to forge authenticated requests to the application and bypass authentication and authorization controls. Please see my article and repo on JWTs for additional information[link]

In the code snippet above, I have created a JWT with a JSON payload of {“Hello”: “World”}. I have used the key “s3cr3tk3y” and the HMAC-SHA256 algorithm to generate the token.

I have used the decode() function to check if the token is valid. Turns out, it is :)

PBKDF2 — Password Protection

PBKDF2 (Password-based Key Derivation Function) has emerged as one of the “goto” ways of protecting passwords at rest. Several organizations (and its about time) have started migrating from storing passwords with plain (gasp) or salted hashing algos to key-stretching and intentionally slow algorithms like PBKDF2 and BCrypt.

PBKDF2 uses the following parameters to generate a password hash:

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

  • The PRF is the Pseudorandom Function, which is essentially an HMAC
  • The Password is the user’s plaintext password
  • The salt is the nonce that adds entropy to the password
  • The `c` parameter is the number of iterations that the process would repeat itself. For instance — 10,000 iterations
  • dkLen is the desired length of the derived key (commonly called the password hash)

At its core, PBKDF2 uses the HMAC to generate the Pseudorandom function. Again, its recommended not to use algos like SHA-1 that are considered weak. I recommend using SHA-256 and above for the HMAC.

PBKDF2 initially generates a password digest based on the algorithm from the plaintext and generates an HMAC based on that password digest, thereby generating the Pseudorandom function.

In this code snippet we are using python’s `passlib` library to generate a PBKDF2-HMAC-SHA256 hash, with 10,000 iterations and a random salt.


CTO of we45 (An AppSec Company), DevSecOps Greasemonkey, Passionate Security Technologist and Creator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store