Topic starter 04/08/2025 11:37 pm
HMAC stands for Hash-Based Message Authentication Code, and it’s a clever cryptographic tool used to verify both the integrity and authenticity of data—like making sure a message wasn’t altered and really came from the sender.
🧠 How HMAC Works
HMAC combines two things:
- A hash function (like SHA-256, SHA-3, or BLAKE2)
- A secret key known only to the sender and recipient
Together, these produce a unique code (called a MAC, or message authentication code) that can be used to check if the message is valid.
🧪 Step-by-Step Breakdown
- The sender has a message and a shared secret key.
- They run the message + key through a hash function to generate the HMAC.
- They send the message and the HMAC to the receiver.
- The receiver uses the same key to recreate the HMAC—if it matches, the message is authentic!
📌 Why HMAC Is Useful
- Tamper-proofing: If even one byte changes in the message, the HMAC won’t match.
- Authentication: Only someone with the secret key can produce the correct HMAC.
- Speed and Simplicity: It’s efficient and widely supported in secure systems (like TLS, SSH, and APIs).
🔬 Example Use Case
Message: "Hello World"
Secret Key: "S3cret!"
Hash Function: SHA-256
HMAC: abf0d956349fde816e029bf4212137e8...
Even changing “Hello World” to “hello world” would produce a completely different HMAC.