How can I implement HMAC Hash-based Message Authentication Code to verify the integrity of sensitive messages in Node js

+1 vote
I need to ensure the integrity and authenticity of sensitive messages in my Node.js application by using HMAC. I understand HMAC can add a layer of security to messages, but I’m not sure how to set it up correctly in Node.

Could someone provide an example of implementing HMAC in Node.js, especially focusing on choosing a secure hashing algorithm and key management? Any best practices would be helpful.
Oct 29 in Cyber Security & Ethical Hacking by Anupam
• 7,370 points
81 views

1 answer to this question.

+1 vote

To securely verify the integrity of messages using HMAC (Hash-based Message Authentication Code) in Node.js, both the sender and receiver need to share a secret key and the original data. The HMAC process ensures that the data hasn't been altered and is authentic.

Steps for Implementing HMAC in Node.js

1. Sender Side (Creating the HMAC)

The sender uses the shared secret key and the data to generate the HMAC. This is done using Node.js's crypto.createHmac() method.

const crypto = require('crypto');

const secret = 'abcdefg'; // The shared secret key
const message = 'I love cupcakes'; // The data to be authenticated

// Create the HMAC using SHA-256 (or any secure hash function)
const hash = crypto.createHmac('sha256', secret)
               .update(message)
               .digest('hex'); // Digest the HMAC as a hexadecimal string

console.log('Generated HMAC:', hash); // This HMAC will be sent with the message

2. Receiver Side (Verifying the HMAC): The receiver verifies the integrity of the received data by recalculating the HMAC with the same secret key and data. If the hashes match, it confirms that the data has not been tampered with.

const receivedHmac = 'received-hmac-from-sender'; // The HMAC received from the sender
const receivedMessage = 'I love cupcakes'; // The received message

// Recalculate the HMAC using the same secret and data
const calculatedHmac = crypto.createHmac('sha256', secret)
                               .update(receivedMessage)
                               .digest('hex');

// Compare the calculated HMAC with the received one
if (calculatedHmac === receivedHmac) {
  console.log('Message integrity verified');
} else {
  console.log('Message integrity check failed');
}
answered Nov 6 by CaLLmeDaDDY
• 9,600 points
The comparison of the calculated HMAC and the received one is essential. To strengthen the example, you could mention using crypto.timingSafeEqual for constant-time comparison, preventing timing attacks.

Related Questions In Cyber Security & Ethical Hacking

+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 9,600 points
138 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP