HMAC summary

By | May 20, 2015

This article is a summary of an HMAC video: https://www.youtube.com/watch?v=KglnT_KwO0M

Below is the traditional private/public key application. Mostly, these keys are used for encrypting data and creating signatures:

The problem is that the encryption/decryption computation takes a lot of CPU. It is slow.
Instead, we can choose a symmetric key, like below:

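x is the message, and it could be large, so we split it into blocks: x = x1, x2, …, xn
If we define the hash function as h(k, x), with the key placed before the message, the construction is called secret prefix:
1. m = MACk(x) = h(k, x1, x2, …, xn)
An attacker may append a block xn+1 and run the hash loop once more, starting from m, to generate m’, where m’ = h(k, x1, x2, …, xn, xn+1). In this way, m’ is a valid MAC under k for the extended message, even though the attacker never learned k.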

If we define the hash function as h(x, k), with the key placed after the message, the construction is called secret suffix:
2. m = MACk(x) = h(x, k)
An attacker may find an x’ for which h(x’, k) collides with the same value m, so that m = MACk(x’) = h(x’, k).

So, we present HMAC. The formula of HMAC is like below.
 

It processes the whole message only once.
An HMAC is smaller in size and takes much less CPU to compute and verify than any known public key operation for comparable security levels.
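
The secret-prefix weakness and the HMAC fix described above, as an added example that is not from the original article or the video. It assumes a toy iterated hash (SHA-256 as the per-block step, fixed 16-byte blocks, no length padding) to mirror the simplified model h(k, x1, …, xn); all function names and sample blocks are constructed for illustration.

```python
import hashlib
import hmac

IV = b"\x00" * 32  # fixed starting state of the toy iterated hash (assumption)

def compress(state: bytes, block: bytes) -> bytes:
    """One loop step: the new state depends only on the old state and the block."""
    return hashlib.sha256(state + block).digest()

def iterated_hash(blocks, state=IV) -> bytes:
    """Toy h(b1, ..., bn): feed the blocks through compress() one by one."""
    for block in blocks:
        state = compress(state, block)
    return state

def prefix_mac(key: bytes, blocks) -> bytes:
    """Secret prefix: m = h(k, x1, ..., xn)."""
    return iterated_hash([key] + list(blocks))

def extend_without_key(m: bytes, extra_block: bytes) -> bytes:
    """Continue the loop from a known tag m with x_{n+1}; the key is not needed."""
    return compress(m, extra_block)

def hmac_tag(key: bytes, blocks) -> bytes:
    """HMAC-SHA256 from the standard library over the same message."""
    return hmac.new(key, b"".join(blocks), hashlib.sha256).digest()

def verify_hmac(key: bytes, blocks, tag: bytes) -> bool:
    """Constant-time comparison, as a verifier should do it."""
    return hmac.compare_digest(hmac_tag(key, blocks), tag)

def demo():
    key = b"constructed-key!"                          # constructed sample key
    x = [b"block-one-of-msg", b"block-two-of-msg"]     # constructed x1, x2
    extra = b"appended-block-3"                        # constructed x_{n+1}

    # Secret prefix: the tag for (x1, x2, x3) is derivable from m alone.
    m = prefix_mac(key, x)
    m_prime = extend_without_key(m, extra)
    prefix_extended_ok = m_prime == prefix_mac(key, x + [extra])

    # HMAC: the same continuation from the tag does not yield a valid tag.
    guess = extend_without_key(hmac_tag(key, x), extra)
    hmac_extended_ok = verify_hmac(key, x + [extra], guess)
    return prefix_extended_ok, hmac_extended_ok

if __name__ == "__main__":
    print(demo())
```

Real Merkle-Damgård hashes also append length padding to the message, so the extended message must include that padding; the toy model leaves it out to keep the loop visible.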