Tool
HMAC Playground
HMAC turns any hash into a keyed message authentication code. Side panel shows the naive H(key || message) construction so the difference is visible.
16 bytes · algorithm block size is 64 bytes. Keys longer than the block size are hashed down; shorter are zero-padded.
12 bytes
The right way to authenticate a message with a key. Resistant to length-extension even when the underlying hash is not.
For Merkle-Damgård hashes (MD5, SHA-1, SHA-2 non-truncated) this construction leaks length-extension: anyone who sees this digest and knows |key| + |message| can produce H(key || message || pad || X) for any X without knowing the key. SHA-3 and BLAKE2/3 happen to be safe here, but HMAC is still preferred for interop and clarity.
The HMAC construction
HMAC(K, m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)), where ipad = 0x36 repeated and opad = 0x5crepeated, both to the hash’s block size. The two nested hash calls defeat length-extension; the XOR pads bind the key inside both layers.
- RFC 2104 specifies HMAC; FIPS 198-1 standardizes it.
- HMAC survives even when the underlying hash is collision-broken , HMAC-MD5 has no known practical break, though new designs should not use it.
- For BLAKE2 and BLAKE3, the keyed mode is part of the hash; you do not need HMAC on top.
FAQ