HMAC vs digital signature

🔥More exclusive content: https://productioncoder.com/you-decid...
Twitter:   / _jgoebel  
Website: https://jangoebel.com
Blog: https://productioncoder.com

00:00 Difference between HMAC and digital signature
01:19 How to create an HMAC with a shared secret
01:44 How to create digital signatures
02:07 Guarantees that HMACs and digital signatures provide
04:36 Should you use digital signatures or HMACs?
05:50 What signature algorithm should you use?

HMAC stands for keyed hashed message authentication code. To create an HMAC you need to make up a secret a secret which is then used with the content and a predefined hash function (like SHA 256) to create the HMAC. To verify an HMAC, you need to know the exact same secret that was used to create it. This can sometimes be problematic if you do not trust the respective other party. If two companies collaborate and were to share a secret and one company falls victim to a hacking attack, then the other party's system is also at least partly compromised.


To avoid this, people tend to prefer digital signatures which leverage public key cryptography. The idea is to generate a key pair with a private and a public key. The private key can be used to create the digital signature. The public key can only be used to verify a digital signature, but you cannot create a new signature with the public key itself. You then keep your private key for yourself and distribute the public key. Like so you do not need a shared secret which reduces the overall risk of getting compromised. Because digital signatures leverage public key cryptography and because you do not have a shared secret with them, they offer the property of non-repudiation. This means that the party that made up the key pair and kept the private key for themselves cannot deny that it created a digital signature (unless they have been hacked).