
298. HMAC in .NET

HMAC (Hash Message Authentication Code) is a message authentication code (MAC) that can be used to verify the integrity and authenticity of a message. It involves hashing a message with a secret key. As with any MAC, it can be used with a standard hash function, such as MD5 or SHA-1, which results in methods such as HMAC-MD5 or HMAC-SHA-1. As with any hashing function, the strength depends on the quality of the hashing function and the resulting number of code bits. The number of bits in the secret key is also a factor. The following gives the C# code:

using System;
using System.Text;
using System.Security.Cryptography;

// Verify: Message="testing123", key="hello"
// gives ac2c2e614882ce7158f69b7e3b12114465945d01
namespace hmac
{
  class Class1
  {
    static void Main(string[] args)
    {
      string message = "testing123";
      string key = "hello";
      ASCIIEncoding encoding = new ASCIIEncoding();
      byte[] keyByte = encoding.GetBytes(key);
      // The secret key is passed to the HMACSHA1 constructor
      HMACSHA1 hmac = new HMACSHA1(keyByte);
      byte[] messageBytes = encoding.GetBytes(message);
      byte[] hashmessage = hmac.ComputeHash(messageBytes);
      Console.WriteLine("Hash code is " + ByteToString(hashmessage));
    }

    // Convert a byte array into an upper-case hex string
    public static string ByteToString(byte[] buff)
    {
      string sbinary = "";
      for (int i = 0; i < buff.Length; i++)
        sbinary += buff[i].ToString("X2"); // hex format
      return sbinary;
    }
  }
}

A key of “hello” and a message of “testing123” gives:

Hash code is AC2C2E614882CE7158F69B7E3B12114465945D01

With HMAC, the text string is broken up into blocks of a fixed size, which are then iterated over with a compression function. Typically, such as for MD5 and SHA-1, these blocks are 512 bytes each. With MD5 the output is 128 bits and for SHA-1 it is 160 bits, which is the same as the standard hash functions. HMAC is used in many applications, such as in IPSec and in tunneling sockets (TLS). An outline of its operation is:
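As an added example (not part of the original tip's code), the class below builds HMAC-SHA1 by hand from the RFC 2104 construction, H((K ^ opad) || H((K ^ ipad) || m)), and checks the result against .NET's HMACSHA1 for the key and message used above. The names HmacOutline, HmacSha1 and TagsEqual are illustrative, and the 64-byte block size is the RFC 2104 value for SHA-1.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HmacOutline   // illustrative name, not from the original tip
{
    const int BlockSize = 64; // SHA-1 and MD5 block size in bytes (RFC 2104)

    // HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m))
    public static byte[] HmacSha1(byte[] key, byte[] message)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            // Keys longer than one block are hashed first; shorter keys are zero-padded.
            if (key.Length > BlockSize) key = sha1.ComputeHash(key);
            byte[] inner = new byte[BlockSize + message.Length];
            byte[] outer = new byte[BlockSize + 20]; // 20 = SHA-1 digest length
            for (int i = 0; i < BlockSize; i++)
            {
                byte k = i < key.Length ? key[i] : (byte)0;
                inner[i] = (byte)(k ^ 0x36); // ipad
                outer[i] = (byte)(k ^ 0x5c); // opad
            }
            Buffer.BlockCopy(message, 0, inner, BlockSize, message.Length);
            byte[] innerHash = sha1.ComputeHash(inner);
            Buffer.BlockCopy(innerHash, 0, outer, BlockSize, innerHash.Length);
            return sha1.ComputeHash(outer);
        }
    }

    // Compare two tags without stopping at the first differing byte.
    public static bool TagsEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("hello");
        byte[] msg = Encoding.ASCII.GetBytes("testing123");
        byte[] manual = HmacSha1(key, msg);
        byte[] library;
        using (HMACSHA1 h = new HMACSHA1(key)) library = h.ComputeHash(msg);
        Console.WriteLine(BitConverter.ToString(manual).Replace("-", ""));
        Console.WriteLine("Matches HMACSHA1: " + TagsEqual(manual, library));
    }
}
```

When checking a tag received with a message, compare the raw bytes with a routine like TagsEqual rather than comparing hex strings, so that the comparison time does not depend on where the first mismatch occurs.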

An example run of the ASP 2.0 site is:

Other related .NET articles I've written include:

- Design Tip 298. [.NET] HMAC-SHA1.
- Design Tip 243. [.NET] Base-64 or Hex hash values.
- Design Tip 242. [.NET] Digital Certificates.
- Design Tip 241. [.NET] Public-key Encryption.
- Design Tip 240. [.NET] Diffie-Hellman Method.
- Design Tip 239. [.NET] Symmetric Encryption (Private-key).
- Design Tip 238. [.NET] Obfuscation Part II.
- Design Tip 237. [.NET] Obfuscation Part I.
- Design Tip 236. [.NET] Data packet capture (filters: IP, TCP, and so on).
- Design Tip 235. [.NET] Data packet capture.
- Design Tip 234. [.NET] Interface to network adapter.
- Design Tip 232. [.NET] Creating an SSH client.
- Design Tip 231. [.NET] Creating an SNMP client.
- Design Tip 216. [.NET] Client/server communications.
- Design Tip 210. [XML/.NET] XML and .NET.
- Design Tip 207. [.NET] Treeviews for interest.
- Design Tip 206. [.NET/Design] Design, evaluate, design, .....
- Design Tip 205. [.NET] Treeviews.
- Design Tip 203. [.NET] Replacing menus with Treeviews.
- Design Tip 202. [.NET/Flash] .NET and Flash - the perfect pair.