HMAC vs digital signature


00:00 Difference between HMAC and digital signature
01:19 How to create an HMAC with a shared secret
01:44 How to create digital signatures
02:07 Guarantees that HMACs and digital signatures provide
04:36 Should you use digital signatures or HMACs?
05:50 What signature algorithm should you use?

HMAC stands for keyed-hash message authentication code. To create an HMAC you make up a secret, which is then combined with the content and a predefined hash function (such as SHA-256) to produce the HMAC. To verify an HMAC, you need to know the exact same secret that was used to create it. This can be problematic if you do not trust the other party. If two companies collaborate and share a secret, and one company falls victim to a hacking attack, then the other party's system is also at least partly compromised, because the attacker can now produce valid HMACs as well.

To avoid this, people tend to prefer digital signatures, which leverage public key cryptography. The idea is to generate a key pair consisting of a private and a public key. The private key is used to create the digital signature. The public key can only be used to verify a digital signature; you cannot create a new signature with the public key itself. You keep the private key for yourself and distribute the public key. This way you do not need a shared secret, which reduces the overall risk of getting compromised. Because digital signatures leverage public key cryptography and because no secret is shared with the other party, they offer the property of non-repudiation. This means that the party that generated the key pair and kept the private key for themselves cannot deny that they created a digital signature (unless they have been hacked).
Comments

Excellent description! Thank you! Looking forward to more cryptography videos from you

funkykong

Hey, Jan,
I'm following you from Egypt, keep going ♥

AhmedSaber-rofw

Hey, Jan. Thanks for the video. Not sure why YouTube says 'no videos' under the videos tab of your channel.

Finn-jppn

Thanks Jan, this video explains a lot to me about the HTTP message signature that I was working on. But to my surprise, I tried to ask a few CA vendors about purchasing an X.509 cert for this purpose and they all recommended an SSL cert. I do think an SSL cert would work, but it just feels like spending unnecessary money on it. Is the cert for this purpose called a "client certificate", and do you know of any CA vendor that sells this? Many thanks.

sabertifa