I Know HMAC, But What’s CMAC?
With public-key encryption, we can create a signature where we sign with the private key, and then prove with the public key. Typical methods used are ECDSA and EdDSA. But this is rather heavyweight for signing messages that go back and forth between users. So one method is to use HMAC, and where the users have a shared secret key. This might be pre-arranged and long-term, or could be a short-term session key that they use for just one session. Using this shared key will then protect against a session hi-jack. So let’s look at the most common method (HMAC) and at an alternative (CMAC).
HMAC (hash-based message authentication code)
HMAC (hash-based message authentication code) supports the usage of a key to hash data. This key is kept secret between Bob and Alice, and can be used to authentication both the data and that the sender still knows the secret. Overall HMAC can be used with a range of different hashing methods, such as MD5, SHA-1, SHA-256 (SHA-2) and SHA-3:
One of the most useful library for crypto primitives in Python is called cryptography. It contain both “secure” primitives and a “hazmat” layer. Overall the “hazmat” layer should be…
