HMAC (hash-based message authentication code) is a method being increasingly used for message authentication. It used any major cryptographic hash functions such as MD5, SHA1 and is used in combination with a separate secret shared key.
HMAC is most useful as a method for creating a message authentication code using a combination of a has function and secret key. The code can be used to verify the integrity and perform authentication of a message. It’s a much more advanced method than using Basic authentication, which normally relies upon the transmission of a username and password. Basic authentication of course additionally requires transport layer encryption too in order to protect the transmission of this data.
Indeed HMAC is closer to Digest authentication as it uses MD5 to hash the authentication details. This makes it much more difficult to intercept and steal the personal details. For many application Digest access authentication has been used for many years to negotiate credentials primarily username and password. Many banks have been using this as a preferred method as securely authenticating before transmitting important financial information. It operates over HTTP and does not require SSL to operate, so although more secure than basic authentication there are some potential vulnerabilities such as MiTM (man in the middle) attacks.
Most larger sites that require secure authentication methods are moving over to HMAC. For example it is now the main authentication method used by Amazon Web Services. There is lots of documentation to support it and now an increasing number of secure application libraries which can be used to implement it too.
AWS Key Management Service gives you the facility to utilise keys in order to encrypt any data you have stored in Amazon S3 (Amazon’s cloud service). It achieves this by using a signature to authenticate any request for this data, only those with a valid signature are allowed to access the data (although this function can be turned off). The signature allows to AWS to verify the requestor’s identity, protects the data transmission process and also protects against reuse of the signed portions which can potentially be used in a ‘replay attack‘.
How the Signature is Calculated
In the AWS authentication model (AWS REST API) the signature is calculated by linking the request elements together in order to create a string e.g using a POST policy from a HTTP request. This is notionally referred to as the string to sign. After a signing key is created to calculate the HMAC of the string used to sign. A secret key is used to create this signing key, which S3 used to recreate the signature utilising the authentication method in order to ensure the match.
Many e-commerce such as Nike and Adidas use HMAC as an extra level of security and to prevent the use of ATC bots which try and jump straight to the cart page before checking out.
One of the reasons that most Bots have problems coping with HMAC when it’s implemented properly is that it signs the entire request. Which basically guarantees the authenticity of the action. This is important for protecting against replay and man in the middle attacks as it means that there is no way to interfere with the API call in transit. Any modification or indeed if there’s an issue with any information being dropped (such as using a rotating proxy) would effectively mean that the signature won’t match anymore.
The HMAC is essentially a composition of the URL, timestamp request and a series of other headers, hashed using the secret key which has been supplied. AWS are probably the biggest users of HMAC authentication but there are lots of other implementations. It’s often used to block or ban the use of mass purchase techniques using Bots and other automated software.