This website requires cookies to function. Please enable cookies in order to browse this website properly. Read more here.

C# HMAC library

Added on 2017-01-12 16:12:00 UTC


A while ago I worked on an ASP.NET Web API that used HMAC as a means of authentication. I decided to turn that into a library for possible future usage.

The project and documentation are available on GitHub here.

What is HMAC?

HMAC stands for Hash-based Message Authentication Code and can be used as a method for authenticating HTTP requests.

What is basically is, is that you have a unique key that is only known by the client and server. The client uses this key to create a signature from some important properties of the request. It then places this signature in a request header and sends the request to the server. The server will create a signature of the received request in the same way the client did, using the same key. If the resulting signature matches the one in the header, the authentication succeeded. If not, it means the client and server do not sign requests in the same way or the request has been altered before it arrived at the server.

You usually also validate the timestamp of the request, which is also one of the values that is signed. When a certain amount of time has passed between the creation of the request and the time the server received it, you can choose to treat the request as invalid. This way you can prevent replay-attacks.

So what you get is a very safe way to authenticate HTTP requests, even for unsecured connections.

What can you do with this library?

  • Sign an HTTP request;
  • Sign a RestSharp request;
  • Validate a request;
  • Easily create a Content-MD5 hash;
  • Avoid replay-attacks;
  • Easily extensible;
  • And probably some other stuff I forgot to put here.

What assemblies are there?

  • Donker.Hmac contains everything for signing and validating requests;
  • Donker.Hmac.Configuration contains code for managing HMAC configurations for signing and validating;
  • Donker.Hmac.RestSharp is an implementation/extension for signing RestSharp requests.

The following test projects are also available:

  • Donker.Hmac.Test contains unit tests for the Donker.Hmac assembly;
  • Donker.Hmac.Configuration.Test contains unit tests for the Donker.Hmac.Configuration assembly;
  • Donker.Hmac.RestSharp.Test contains unit tests for the Donker.Hmac.RestSharp assembly.

What do you need for this library?

  • Knowledge of HTTP;
  • Knowledge of HMAC;
  • Knowledge of ASP.NET;
  • Knowledge of many other things.

Wesley Donker

Software Engineer

The Netherlands