or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

cipher-config.mdencoding.mdencryption.mdhash-functions.mdhmac.mdindex.mdkey-derivation.md
tile.json

hmac.mddocs/

HMAC Authentication

Hash-based Message Authentication Code (HMAC) functions for message authentication and integrity verification. HMAC combines a cryptographic hash function with a secret key to provide authentication and protect against tampering.

Capabilities

HMAC-MD5

HMAC using MD5 hash function (not recommended for security-critical applications).

/**
 * Computes HMAC using MD5 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacMD5(message, key)

HMAC-SHA1

HMAC using SHA-1 hash function (deprecated for security-critical applications).

/**
 * Computes HMAC using SHA-1 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA1(message, key)

Usage Example:

var CryptoJS = require("crypto-js");

var message = "Hello World";
var key = "secret-key";

var hmac = CryptoJS.HmacSHA1(message, key);
console.log(hmac.toString()); // hex string
console.log(hmac.toString(CryptoJS.enc.Base64)); // base64 string

HMAC-SHA224

HMAC using SHA-224 hash function.

/**
 * Computes HMAC using SHA-224 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA224(message, key)

HMAC-SHA256

HMAC using SHA-256 hash function. Recommended for most applications.

/**
 * Computes HMAC using SHA-256 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA256(message, key)

Usage Example:

var CryptoJS = require("crypto-js");

// API signature verification
var message = "GET /api/users";
var secretKey = "api-secret-key";

var signature = CryptoJS.HmacSHA256(message, secretKey);
console.log("API Signature:", signature.toString());

// Verify signature
function verifySignature(message, key, expectedSignature) {
    var computedSignature = CryptoJS.HmacSHA256(message, key);
    return computedSignature.toString() === expectedSignature;
}

var isValid = verifySignature(message, secretKey, signature.toString());
console.log("Signature valid:", isValid);

HMAC-SHA384

HMAC using SHA-384 hash function.

/**
 * Computes HMAC using SHA-384 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA384(message, key)

HMAC-SHA512

HMAC using SHA-512 hash function for applications requiring maximum security.

/**
 * Computes HMAC using SHA-512 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA512(message, key)

Usage Example:

var CryptoJS = require("crypto-js");

// JWT-style token signing
function createToken(payload, secret) {
    var header = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse('{"alg":"HS512","typ":"JWT"}'));
    var payloadStr = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(JSON.stringify(payload)));
    var message = header + "." + payloadStr;
    
    var signature = CryptoJS.HmacSHA512(message, secret);
    return message + "." + signature.toString(CryptoJS.enc.Base64);
}

var token = createToken({userId: 123, exp: Date.now() + 86400000}, "jwt-secret");
console.log("JWT Token:", token);

HMAC-SHA3

HMAC using SHA-3 (Keccak) hash function.

/**
 * Computes HMAC using SHA-3 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacSHA3(message, key)

HMAC-RIPEMD160

HMAC using RIPEMD-160 hash function.

/**
 * Computes HMAC using RIPEMD-160 hash function
 * @param message - String or WordArray message to authenticate
 * @param key - String or WordArray secret key
 * @returns WordArray containing the HMAC
 */
CryptoJS.HmacRIPEMD160(message, key)

Common HMAC Patterns

API Request Signing

var CryptoJS = require("crypto-js");

function signApiRequest(method, path, body, timestamp, secretKey) {
    // Create string to sign
    var stringToSign = method + "\n" + path + "\n" + body + "\n" + timestamp;
    
    // Generate HMAC signature
    var signature = CryptoJS.HmacSHA256(stringToSign, secretKey);
    
    return {
        signature: signature.toString(),
        timestamp: timestamp
    };
}

// Usage
var signature = signApiRequest("POST", "/api/data", '{"key":"value"}', Date.now(), "secret");
console.log("Authorization: HMAC-SHA256 " + signature.signature);

Message Integrity Verification

var CryptoJS = require("crypto-js");

function createMessage(data, key) {
    var message = JSON.stringify(data);
    var hmac = CryptoJS.HmacSHA256(message, key);
    
    return {
        data: data,
        hmac: hmac.toString()
    };
}

function verifyMessage(messageObj, key) {
    var expectedHmac = CryptoJS.HmacSHA256(JSON.stringify(messageObj.data), key);
    return expectedHmac.toString() === messageObj.hmac;
}

// Usage
var key = "integrity-key";
var secureMessage = createMessage({id: 1, value: "important data"}, key);
var isValid = verifyMessage(secureMessage, key);
console.log("Message integrity:", isValid ? "verified" : "compromised");

Progressive HMAC Computation

var CryptoJS = require("crypto-js");

// For large messages or streaming data
var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, "secret-key");
hmac.update("First part of message");
hmac.update("Second part of message");
hmac.update("Final part of message");

var result = hmac.finalize();
console.log("Progressive HMAC:", result.toString());

// Equivalent to:
var directHmac = CryptoJS.HmacSHA256("First part of messageSecond part of messageFinal part of message", "secret-key");
console.log("Direct HMAC:", directHmac.toString());
console.log("Results match:", result.toString() === directHmac.toString());

Key Derivation for HMAC

var CryptoJS = require("crypto-js");

// Derive HMAC key from password
function deriveHmacKey(password, salt) {
    return CryptoJS.PBKDF2(password, salt, {
        keySize: 256/32,  // 256-bit key
        iterations: 10000
    });
}

// Usage with derived key
var password = "user-password";
var salt = CryptoJS.lib.WordArray.random(128/8);
var derivedKey = deriveHmacKey(password, salt);

var message = "Authenticated message";
var hmac = CryptoJS.HmacSHA256(message, derivedKey);

console.log("Salt:", salt.toString());
console.log("HMAC with derived key:", hmac.toString());

Types

// HMAC Algorithm Interface
HMAC {
  init(hasher, key): HMAC;        // Initialize with hasher and key
  update(messageUpdate): HMAC;    // Add data to HMAC computation
  finalize(messageUpdate?): WordArray; // Compute final HMAC
  reset(): void;                  // Reset HMAC state
  clone(): HMAC;                  // Clone HMAC instance
}

// All HMAC functions return WordArray with these methods:
WordArray {
  toString(encoder?): string;     // Convert to string (hex by default)
  words: number[];                // Raw 32-bit word array
  sigBytes: number;              // Significant bytes count
}