Hash-based message authentication code (HMAC) is a mechanism for message authentication using a cryptographic hash function and a secret key. The algorithm takes a key and data of any length as input, and produces an HMAC code whose length is defined by the underlying hash function. The HMAC standard is described in RFC 2104.
The nrf_crypto HMAC module supports SHA-256 and SHA-512.
The HMAC frontend (Hash-based message authentication code (HMAC) related functions) provides a common API that is independent of the backends. The application controls memory usage, because the work memory is part of the context structure that is passed to the HMAC API. The frontend is a thin wrapper layer that provides input validation and normalization of the backend APIs.
The following backends can be used for HMAC:
For information on configuring the backends, see Configuring nrf_crypto frontend and backends. It is possible to use a different backend for each hash. The following configuration defines are used to enable backend support for specific modes in the sdk_config file.
Hash | Backend | Implementation | Enable define |
---|---|---|---|
SHA-256 | CC310 | Hardware | NRF_CRYPTO_BACKEND_CC310_HMAC_SHA256_ENABLED |
SHA-256 | Oberon | Software | NRF_CRYPTO_BACKEND_OBERON_HMAC_SHA256_ENABLED |
SHA-256 | mbed TLS | Software | NRF_CRYPTO_BACKEND_MBEDTLS_HMAC_SHA256_ENABLED |
SHA-512 | CC310 | Software | NRF_CRYPTO_BACKEND_CC310_HMAC_SHA512_ENABLED |
SHA-512 | Oberon | Software | NRF_CRYPTO_BACKEND_OBERON_HMAC_SHA512_ENABLED |
SHA-512 | mbed TLS | Software | NRF_CRYPTO_BACKEND_MBEDTLS_HMAC_SHA512_ENABLED |
The most flexible way of using the HMAC module is using the nrf_crypto_init, nrf_crypto_hmac_update, and nrf_crypto_hmac_finalize functions. This allows processing data as it becomes available by repeatedly calling nrf_crypto_hmac_update.
The following example code demonstrates how to calculate HMAC SHA-256.
There is an integrated version of the HMAC frontend, nrf_crypto_hmac_calculate, which can be used when all data is available up front. The context is optional in this case, and is allocated internally using the Dynamic memory management module if the first parameter is set to NULL. The following example code demonstrates how to do the same calculation using the integrated function with internally allocated context memory.
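The streaming (init/update/finalize) and integrated patterns described above, shown as an added host-side Python example that is not nrf_crypto code and not part of the original page: it builds the RFC 2104 construction on hashlib so that a tag produced on a device can be cross-checked on a PC for either supported hash. The class and function names and the sample key and data are assumptions made for illustration.

```python
import hashlib
import hmac


class HmacStream:
    """RFC 2104 HMAC on top of hashlib, split into init/update/finalize steps."""

    def __init__(self, hash_name: str, key: bytes):
        self._hash_name = hash_name
        block = hashlib.new(hash_name).block_size  # 64 (SHA-256), 128 (SHA-512)
        if len(key) > block:                       # over-long keys are hashed first
            key = hashlib.new(hash_name, key).digest()
        key = key.ljust(block, b"\x00")            # then zero-padded to block size
        self._outer_key = bytes(b ^ 0x5C for b in key)                      # K xor opad
        self._inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key))  # K xor ipad

    def update(self, chunk: bytes) -> None:
        self._inner.update(chunk)                  # data can arrive piece by piece

    def finalize(self) -> bytes:
        outer = hashlib.new(self._hash_name, self._outer_key)
        outer.update(self._inner.digest())
        return outer.digest()                      # 32 or 64 bytes, set by the hash


def hmac_calculate(hash_name: str, key: bytes, data: bytes) -> bytes:
    """Integrated form: all data is available up front."""
    ctx = HmacStream(hash_name, key)
    ctx.update(data)
    return ctx.finalize()


def hmac_verify(hash_name: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time rather than with ==."""
    return hmac.compare_digest(hmac_calculate(hash_name, key, data), tag)


# Constructed sample input (hypothetical key and message chunks).
KEY = b"constructed-demo-key"
CHUNKS = [b"sensor=42;", b"seq=7;", b"ts=1700000000"]


def streamed_tag(hash_name: str = "sha256") -> bytes:
    ctx = HmacStream(hash_name, KEY)
    for chunk in CHUNKS:
        ctx.update(chunk)
    return ctx.finalize()


if __name__ == "__main__":
    tag = streamed_tag()
    print("HMAC-SHA-256:", tag.hex())
    print("one-shot verifies:", hmac_verify("sha256", KEY, b"".join(CHUNKS), tag))
    print("tampered data verifies:", hmac_verify("sha256", KEY, b"sensor=43;", tag))
```

Feeding the same key and bytes to the device and to this script should give identical tags; a mismatch usually points at a key-length or data-framing difference rather than at the backend.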
Refer to HMAC Example for a usage example of this library.
For an example showing the verification procedure of HMAC, see Test Example.