Typical application of HMAC in authentication

A typical application of HMAC is "challenge/response" identity authentication.

Authentication process

(1) The client first sends an authentication request to the server.

(2) On receiving the request, the server generates a random number and sends it over the network to the client (this is the challenge).

(3) The client passes the received random number to the ePass token, which performs an HMAC-MD5 operation over it with the key stored inside the ePass and returns the result; the client sends this result to the server as its proof of identity (the response).

(4) At the same time, the server performs the same HMAC-MD5 operation using that random number and the customer's key stored in the server database. If the server's result matches the response returned by the client, the client is treated as a legitimate user.

Security analysis

From the above, the HMAC algorithm behaves more like a cryptographic algorithm than a plain hash: it introduces a key, so its security does not depend entirely on the underlying hash algorithm. Its security rests mainly on the following:

(1) The key is agreed by the parties in advance and is not known to third parties. The application process introduced in 3.2 shows that a third party who illegally intercepts the traffic obtains only the random-number "challenge" and the HMAC result serving as the "response", and the key cannot be derived from these two values. Without the key, the third party cannot produce a matching response.
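The four-step exchange above, written out as an added example (not code from the original text or from any ePass product): the server issues a single-use random challenge, a stand-in for the token computes the HMAC with the stored key, and the server recomputes and compares. The key material, user names and the `Server`/`token_respond` names are constructed for the demo; the hash is the MD5 the text describes, with a comment on the modern choice.

```python
import hmac
import hashlib
import secrets

# The text describes HMAC-MD5; the construction is identical with SHA-256,
# which is what a new deployment would choose (assumption, not from the page).
HASH = hashlib.md5

class Server:
    def __init__(self, user_keys):
        self.user_keys = dict(user_keys)  # constructed sample user database
        self.pending = {}                 # user -> outstanding challenge

    def issue_challenge(self, user):
        # Step (2): a fresh random number, sent to the client in the clear.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # Step (4): recompute the HMAC with the stored key and compare.
        nonce = self.pending.pop(user, None)  # each challenge is single-use
        key = self.user_keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, HASH).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def token_respond(key, nonce):
    # Step (3): stands in for the ePass device; the key never leaves it,
    # only the HMAC over the challenge does.
    return hmac.new(key, nonce, HASH).digest()

def run_exchange(server, user, key):
    nonce = server.issue_challenge(user)    # steps (1)-(2)
    response = token_respond(key, nonce)    # step (3)
    return server.verify(user, response), response  # step (4)

def demo():
    key = b"constructed-demo-key"
    server = Server({"alice": key})
    ok, response = run_exchange(server, "alice", key)
    # An eavesdropper holds only (challenge, response): replaying the captured
    # response against a new challenge fails because the nonce differs.
    server.issue_challenge("alice")
    replay_ok = server.verify("alice", response)
    wrong_key_ok, _ = run_exchange(server, "alice", b"other-key")
    return ok, replay_ok, wrong_key_ok
```

`demo()` returns `(True, False, False)`: the genuine token authenticates, a replayed response does not, and a token holding a different key does not.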