Forum Discussion
F5 iRule Example integrating HMAC
Kevin, I see how to create the HMAC using the 10.2 version of the HMAC iRule, but I don't see how to sign or verify. That was the piece I was missing. Basically, I am going to use two pieces of information, set on the HTTP request, as my message and sign them using the HMAC (one piece of info from an application session cookie and the other from the X509 Subject field of the client-presented cert). I'd like to verify the hash each time a request comes in to validate the user and the session. It looks pretty easy in 11.1 (or later), but I don't see many examples using 10.2 code. Thoughts?
- Kai_Wilke, Feb 04, 2016 (MVP)

Hi dtwesten,

HMAC is basically a hash function with added symmetric encryption (unlike digital signatures, which are based on asymmetric keys). The use cases of HMAC are to identify that the sender and receiver own the same SharedKey (Authentication) and/or that messages are not tampered with in transit (Message Signing).

To give you an idea what would be needed to create an HMAC-enabled solution...

1. Both parties have somehow exchanged the SharedKey in advance.
2. The Sender has PlainText (e.g. your Cookie+SSL SID) for the Receiver that needs to be protected from tampering.
3. The Sender computes HMAC(PlainText&SharedKey).
4. The Sender sends the PlainText together with the result of HMAC(PlainText&SharedKey).
5. The Receiver splits the received data into PlainText and the result of HMAC(PlainText&SharedKey).
6. The Receiver computes HMAC(PlainText&SharedKey) again.
7. The Receiver compares his computed HMAC(PlainText&SharedKey) result with the received HMAC(PlainText&SharedKey) result.
8. If both HMAC codes are identical, then the Receiver can be sure that the Sender is the origin of the received message and nothing was tampered with in transit.

Note: I don't take replay attacks into consideration ;-)

To integrate HMAC in your homegrown security solution, you don't have to follow any specification for the format in which the message and code are exchanged between the two parties, unless you need certain interoperability. Do you?

Cheers, Kai
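The eight steps above, worked through as an added Python model of the exchange (this is not iRule code and not from either poster): the two protected fields are a session cookie value and a certificate subject, the shared key and all sample values are constructed for the demo, and the receiver side shows the two checks the steps leave implicit, an unambiguous field encoding and a constant-time comparison of the codes.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key (assumption); in practice both parties provision it out of band (step 1).
SHARED_KEY = b"demo-shared-key-not-for-production"


def build_plaintext(session_cookie: str, cert_subject: str) -> bytes:
    """Step 2: join the two protected fields unambiguously. Each field is
    length-prefixed, so ("ab", "c") and ("a", "bc") give different bytes;
    a bare '|' join would give the same bytes and hence the same code."""
    parts = []
    for field in (session_cookie, cert_subject):
        data = field.encode("utf-8")
        parts.append(str(len(data)).encode() + b":" + data)
    return b"".join(parts)


def encode_token(plaintext: bytes, code: bytes) -> str:
    """Step 4 transport format: base64url(plaintext) '.' base64url(code)."""
    return (base64.urlsafe_b64encode(plaintext).decode()
            + "." + base64.urlsafe_b64encode(code).decode())


def decode_token(token: str) -> Tuple[bytes, bytes]:
    """Step 5: split the received token back into plaintext and code."""
    pt_b64, code_b64 = token.split(".", 1)
    return base64.urlsafe_b64decode(pt_b64), base64.urlsafe_b64decode(code_b64)


def sign(plaintext: bytes, key: bytes) -> str:
    """Step 3: HMAC-SHA256 over the plaintext with the shared key, then pack it."""
    code = hmac.new(key, plaintext, hashlib.sha256).digest()
    return encode_token(plaintext, code)


def verify(token: str, key: bytes) -> Optional[bytes]:
    """Steps 6-8: recompute the HMAC and compare in constant time (compare_digest).
    Returns the plaintext when the code matches, None for any failure."""
    try:
        plaintext, received = decode_token(token)
    except ValueError:  # missing '.' or malformed base64
        return None
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(expected, received) else None


if __name__ == "__main__":
    token = sign(build_plaintext("sess=abc123", "CN=alice,O=Example"), SHARED_KEY)
    print(token, verify(token, SHARED_KEY) is not None)
```

A replay of a valid token still verifies, as Kai's note says; a timestamp or nonce would have to be added to the plaintext to cover that.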