Friday, 31 July 2015

Hash-based message authentication code

In cryptography, a keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key.

As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message.

Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly.

The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.

An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function.

For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be truncated if desired.

HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols.

Signature generating algorithm on Client and Server side


import javax.crypto.Mac;

import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;

import org.apache.log4j.Logger;

import com.francetelecom.csrtool.model.logging.FuncLogging;

import com.francetelecom.csrtool.utils.CSRToolUtil;


 * Utility class to generate HMAC message digest based on key and (SHA256/SHA512) algorithm 


public class HMACGenerator {

        /** HMAC256 **/

        public static final String HMAC256 = "HmacSHA256";

        /** HMAC512 **/

        public static final String HMAC512 = "HmacSHA512";

        /** LOGGER Constant */

        private static final Logger LOGGER = Logger.getLogger(HMACGenerator.class);


         * Generates a encrypted message digest based on HMACSHA256 or HMACSHA512 algorithm on the data                                           and specific key

         * @param base64Key - base64 private key

         * @param data refers to the data need to be encrypted

         * @param algorithm refers to the message digest algorithm been used (256 -> HMACSHA256) and (512                                                                   -> HMACSHA512)

         * @return HMAC encrypted String


        public static String generateHMACUsingBase64Key(String base64Key, String data) {

                if(Util.isStringNullOrEmpty(base64Key) || Util.isStringNullOrEmpty(data)) {

                        return null;


                // Decode Base64 key (string) to bytes

                byte[] secretkeyByte = Base64.decodeBase64(base64Key.getBytes());

                // Generate secret key specific to algorithm

                SecretKeySpec signingKey = new SecretKeySpec(secretkeyByte, HMAC256);

                String base64Digest = null;

                byte[] dataBytes = data.getBytes();

                try {

                        // Load and initialize algorithm using signing key

                        Mac mac = Mac.getInstance(HMAC256);


                        // Generate the HMAC using input data bytes

                        byte[] rawHmac = mac.doFinal(dataBytes);

                        // Convert raw HMAC into Base64 HMAC

                        byte[] hash = Base64.encodeBase64(rawHmac);

                        base64Digest = new String(hash);

                } catch (NoSuchAlgorithmException e) {

                } catch (InvalidKeyException e) {



                return base64Digest;



No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...