
HMAC Encryption

📖 Description

1. What is HMAC Encryption?

HMAC (Hash-based Message Authentication Code) is a message authentication mechanism formed by combining a specific hash function (such as MD5, SHA1, SHA256) with a cryptographic key.


2. Supported Algorithms and Configuration Parameters

This tool supports various mainstream hash functions as underlying implementations to meet the security requirements of different scenarios:

| Algorithm Name | Output Length | Security Level | Recommended Scenarios |
|---|---|---|---|
| HMAC-SHA256 | 256 bits (64 hex chars) | Very High | Modern API Authentication (e.g., AWS, Alibaba Cloud SDK) |
| HMAC-SHA1 | 160 bits (40 hex chars) | Medium | Legacy OAuth protocols, Git hash verification |
| HMAC-MD5 | 128 bits (32 hex chars) | Low | Scenarios with extremely high performance demands and non-critical security |
| HMAC-SHA512 | 512 bits (128 hex chars) | Highest | Financial-grade security and highly confidential data verification |

3. How HMAC Works (Keyed-Hashing)

The operational logic of HMAC can be summarized in the following steps:

  1. Key Preprocessing: If the key is longer than the hash function's block length, it is first hashed; if it is shorter, it is padded to the block length.
  2. Inner Hash: XOR the preprocessed key with the inner padding constant (ipad), concatenate the result with the plaintext message, and compute the hash.
  3. Outer Hash: XOR the preprocessed key with the outer padding constant (opad), concatenate the result with the inner hash result, and compute the hash again.
  4. Output Result: The resulting fixed-length string is the HMAC signature.

4. Frequently Asked Questions (FAQ)

Q: What is the difference between HMAC and ordinary SHA256 encryption?

A: Ordinary SHA256 needs only the message content to generate a fingerprint, whereas HMAC must also be provided with a key. Even if the message is identical, different keys will generate completely different HMAC values. This is commonly used to prevent others from forging messages.

Q: Why does the HMAC value I generate not match the server's verification?

A: Please check the following three points:

  1. Character Encoding: Does the plaintext or key contain Chinese characters? Ensure both parties use UTF-8 encoding.
  2. Output Format: Does the server require Hex (hexadecimal) or Base64?
  3. Key Handling: Some systems Base64-decode the key before using it in the calculation. Ensure both sides treat the key input the same way.
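
The following added example (not part of this tool's code) implements the steps from section 3 and uses them to work through the three checks above: it tries the key as UTF-8 text and as Base64-decoded bytes, and the output as hex and as Base64, to find which combination reproduces a server's signature. The function names, key and message are constructed for illustration.

```python
import base64
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, algo: str = "sha256") -> bytes:
    """HMAC built from the steps in section 3 (ipad byte 0x36, opad byte 0x5c)."""
    block = hashlib.new(algo).block_size        # 64 bytes for SHA-256
    if len(key) > block:                        # step 1: hash an over-long key
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")             # step 1: zero-pad a short key
    inner = hashlib.new(algo, bytes(b ^ 0x36 for b in key) + msg).digest()   # step 2
    return hashlib.new(algo, bytes(b ^ 0x5C for b in key) + inner).digest()  # step 3


def diagnose(message: str, key_text: str, server_sig: str, algo: str = "sha256"):
    """Return the (key handling, output format) that reproduces server_sig, or None."""
    keys = {"utf8-key": key_text.encode("utf-8")}
    try:
        keys["base64-decoded-key"] = base64.b64decode(key_text, validate=True)
    except ValueError:                          # key text is not valid Base64
        pass
    want = server_sig.strip()
    for key_mode, key in keys.items():
        tag = hmac_manual(key, message.encode("utf-8"), algo)
        shown = {"hex": (tag.hex(), want.lower()),
                 "base64": (base64.b64encode(tag).decode(), want)}
        for fmt, (ours, theirs) in shown.items():
            # constant-time comparison, as a verifier should use
            if hmac.compare_digest(ours.encode(), theirs.encode()):
                return key_mode, fmt
    return None


# Constructed sample: a "server" that Base64-decodes the key and returns Base64.
KEY_TEXT = base64.b64encode(b"constructed-demo-key").decode()
MESSAGE = "订单=42&amount=10"
SERVER_SIG = base64.b64encode(
    hmac.new(b"constructed-demo-key", MESSAGE.encode("utf-8"), "sha256").digest()
).decode()

if __name__ == "__main__":
    print(diagnose(MESSAGE, KEY_TEXT, SERVER_SIG))
```

A result of `None` means none of the four combinations matched, which points at a different message encoding, algorithm or key.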

Q: Is HMAC reversible? Can it be decrypted?

A: No, it is irreversible. HMAC belongs to the category of one-way hash functions. It can only be used for "verification," meaning the receiver recalculates it using the same algorithm and key and compares the results for consistency.

