Version: 2.x

HMAC

This section covers the methods for computing an HMAC (hash-based message authentication code), either with a digest algorithm of your choice or with a secure default, and the practices that keep the HMAC process robust against common vulnerabilities. It also covers how to compare HMAC values securely: the verification methods use a time-safe comparison function to prevent timing attacks. These methods are crucial for ensuring the integrity and security of sensitive data in cryptographic operations.

Create a custom HMAC

Creates an HMAC of a text using the digest algorithm of your choice (sha1, sha256, sha3-256, ...).

createCustomHmac

public createCustomHmac(
  algorithm: string,
  key: Buffer,
  data: string,
): Buffer;

Parameters:

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| algorithm (Required) | string | | Digest algorithm to use (sha1, sha256, sha3-256, ...) |
| key (Required) | Buffer | | Secret key to use for the HMAC |
| data (Required) | string | | String to HMAC |

Outputs:

Returns a Buffer, for example <Buffer cc 2b.....cd a1 08>.

Usage:

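async exampleHmac(
  data: string,
): Promise<string> {
  // Generate a fresh symmetric key and compute the HMAC of the input
  const key = this.cryptographyService.generateSymmetricKey(128);
  const hmacResult = this.cryptographyService.createCustomHmac('sha-512', key, data);
  // Hex-encode the resulting Buffer for storage or transport
  return hmacResult.toString('hex');
}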

Verify a custom HMAC

Verifies whether an existing HMAC matches the HMAC of the given text. You need to pass the same digest algorithm that was used to create the existing HMAC (sha1, sha256, sha3-256, ...).

verifyCustomHmac

public verifyCustomHmac(
  algorithm: string,
  key: Buffer,
  data: string,
  oldHmac: string | Buffer,
): boolean;

Parameters:

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| algorithm (Required) | string | | Digest algorithm to use (sha1, sha256, sha3-256, ...) |
| key (Required) | Buffer | | Secret key to use for the HMAC |
| data (Required) | string | | String to HMAC |
| oldHmac (Required) | string \| Buffer | | Buffer or string of the existing HMAC |

Outputs:

Returns true if both HMACs match, or false if they do not.

This method uses a time-safe comparison function to prevent timing attacks.

Usage:

async checkHmac(
  oldKey: string,
  existingHmac: string,
  data: string,
): Promise<boolean> {
  // Decode the hex-encoded HMAC and key back into Buffers
  const bufferExistingHmac = Buffer.from(existingHmac, 'hex');
  const bufferOldKey = Buffer.from(oldKey, 'hex');
  return this.cryptographyService.verifyCustomHmac('sha-512', bufferOldKey, data, bufferExistingHmac);
}
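
What a time-safe HMAC check involves, written against Node.js's built-in crypto module. This is an added example, not the library's own implementation: hmacOf, verifyHmac and the assumption that string tags are hex-encoded are illustrative, and the key, message and tag are RFC 4231 test case 2.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed sample input: RFC 4231 test case 2 (HMAC-SHA-256).
const RFC_KEY = Buffer.from('Jefe', 'utf8');
const RFC_DATA = 'what do ya want for nothing?';
const RFC_TAG = '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843';

// Hypothetical helper (not the library's API): HMAC of a UTF-8 string.
function hmacOf(algorithm: string, key: Buffer, data: string): Buffer {
  return createHmac(algorithm, key).update(data, 'utf8').digest();
}

// Hypothetical helper: verify a received tag without leaking, through timing,
// how many leading bytes matched. Assumption: string tags are hex-encoded.
function verifyHmac(
  algorithm: string,
  key: Buffer,
  data: string,
  received: string | Buffer,
): boolean {
  const expected = hmacOf(algorithm, key, data);
  let tag: Buffer;
  if (typeof received === 'string') {
    // Buffer.from(str, 'hex') silently stops at the first non-hex character,
    // so validate the string strictly before decoding it.
    if (received.length !== expected.length * 2 || !/^[0-9a-f]+$/i.test(received)) {
      return false;
    }
    tag = Buffer.from(received, 'hex');
  } else {
    tag = received;
  }
  // timingSafeEqual throws on inputs of different length. The tag length is
  // public, so rejecting on it early leaks nothing; it also blocks truncated tags.
  if (tag.length !== expected.length) return false;
  return timingSafeEqual(expected, tag);
}

console.log(verifyHmac('sha256', RFC_KEY, RFC_DATA, RFC_TAG)); // valid tag
console.log(verifyHmac('sha256', RFC_KEY, RFC_DATA + '!', RFC_TAG)); // modified data
console.log(verifyHmac('sha256', RFC_KEY, RFC_DATA, RFC_TAG + 'zz')); // trailing garbage
console.log(verifyHmac('sha256', RFC_KEY, RFC_DATA, Buffer.from(RFC_TAG, 'hex').subarray(0, 16))); // truncated
```
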

Create a secure HMAC

Creates an extra secure HMAC of a text.

In this case, the sha3-256 digest algorithm is used.

createSecureHmac

public createSecureHmac(
  data: string
): Buffer;

Parameters:

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| data (Required) | string | | String to HMAC |

Outputs:

Returns a Buffer, for example <Buffer cc 2b.....cd a1 08>.

Usage:

async exampleSecureHmac(
  data: string,
): Promise<string> {
  const hmacResult = this.cryptographyService.createSecureHmac(data);
  // Hex-encode the resulting Buffer for storage or transport
  return hmacResult.toString('hex');
}

Verify a secure HMAC

Verifies whether an existing HMAC matches the HMAC of the given text.

Warning: the existing HMAC must have been generated using the createSecureHmac method.

verifySecureHmac

public verifySecureHmac(
  data: string,
  oldHmac: string | Buffer
): boolean;

Parameters:

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| data (Required) | string | | String to HMAC |
| oldHmac (Required) | Buffer \| string | | Buffer or string of the existing HMAC |

Outputs:

Returns true if both HMACs match, or false if they do not.

This method uses a time-safe comparison function to prevent timing attacks.

Usage:

async exampleVerifySecureHmac(
  data: string,
  existingHmac: string,
): Promise<boolean> {
  // Decode the hex-encoded HMAC back into a Buffer
  const bufferExistingHmac = Buffer.from(existingHmac, 'hex');
  return this.cryptographyService.verifySecureHmac(data, bufferExistingHmac);
}

🛟 Tips

Info: Remember that buffers can be converted to utf8, hex, base64, latin1, ... using the toString() method.

let passwordAsBuffer: Buffer = someMethodThatReturnsABuffer();

console.log(passwordAsBuffer.toString('hex')) // f32.....4ee
console.log(passwordAsBuffer.toString('base64')) // 8OI.....ZQ=