HMAC Implementation in Python Using SHA1 Algorithm for OAuth 1.0


Cryptography is the study of transmitting confidential data between two trusted parties without the data being breached or stolen. Cryptography has many approaches to achieve this property, like encrypting the data, verifying the sender to the receiver and vice versa, appending certain codes to the message with the help of a shared key, and many more.

One such approach is sending a Message Authentication Code.

The sender is responsible for sending, along with the message, a code that belongs only to that particular message.
The receiver is supposed to decrypt the code with the help of a shared key agreed upon mutually.
This takes place to ensure that the data is not accessed during the transmission. If the code sent by the sender matches the one received by the person on the other end, it is safe to say that we have achieved integrity and authentication.


What Is a Message Authentication Code (MAC)?

A message authentication code, just as the name suggests, is used to authenticate a message at the receiver’s side. It is often called a tag. In most cases, the tag is appended (attached at the end) to the message or is sent along with the message by the receiver.

A shared secret key is present with both the sender and receiver. The receiver calculates the code based on the key and compares it with the code sent to them. If both the codes match, the receiver decides that the message has not been tampered with in transmission, and the sender is authenticated.

Since the sender and receiver have the same key, we can say that MAC follows symmetric key cryptography.

There are two variants of a Message Authentication Code.

  • Hash-based message authentication code (HMAC)
  • Cipher-based message authentication code (CMAC)

What Is HMAC?

HMAC stands for hash-based message authentication code. It uses a combination of a hash function and a secret key. The hash function and the shared key generate a unique fixed-length code for the message.

The hash function can use any of the hash algorithms, such as Message Digest (MD5) or any one algorithm from the Secure Hash Algorithm (SHA) family.

The formula for HMAC can be simplified as follows:

HMAC = H(Text + Key)

Here, HMAC is the code associated with the message (Text), the Key is shared between both principals, and the hash function (H) is derived from the hash algorithms.
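The formula above is a simplification: the HMAC construction defined in RFC 2104 hashes twice, using two differently padded copies of the key. The following added example (not part of the original article) builds HMAC-SHA1 from that definition and compares it with Python's hmac module; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 processes input in 64-byte blocks


def hmac_sha1_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 built step by step from the RFC 2104 definition."""
    # Keys longer than one block are hashed first; every key is then
    # zero-padded to exactly one block.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")

    # Two different masks give the inner and outer hash distinct keys.
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)

    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def naive_keyed_hash(key: bytes, msg: bytes) -> bytes:
    """The simplified H(Text + Key) form, shown only for comparison."""
    return hashlib.sha1(msg + key).digest()


# Constructed sample values, not real credentials.
SAMPLE_KEY = b"yourconsumersecret&yourtokensecret"
SAMPLE_MSG = b"yourbasestring"

if __name__ == "__main__":
    manual = hmac_sha1_manual(SAMPLE_KEY, SAMPLE_MSG)
    library = hmac.new(SAMPLE_KEY, SAMPLE_MSG, hashlib.sha1).digest()
    print("manual :", manual.hex())
    print("library:", library.hex())
    print("naive  :", naive_keyed_hash(SAMPLE_KEY, SAMPLE_MSG).hex())
```

The manual and library digests are identical, while the single-pass keyed hash produces a different value, so the two are not interchangeable on the wire.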

Let us see a flow chart to understand the working of HMAC.

[Figure: HMAC]

The Secure Hash Algorithm was generally used to produce the hash function. It is an extension of MD5 and is used to generate a message digest or hash. SHA has many variants based on the hash size they produce. For example, SHA-1 takes an input and creates a 160-byte hash value. It is not used at present due to security concerns and recent improvements.

Applications of HMAC

Let us see the uses of HMAC.

Message Integrity: Message Integrity ensures that the message sent and received is the same and has not been tampered with. HMAC should be the same when compared to the receiver’s side. If the message has been altered, the HMAC will also change. So the receiver comes to know that the message has been altered.

Message Authentication: If the key is only known to the sender and receiver, and the HMAC matches, it also means that the expected principal has sent the message.

API Security: HMAC is used in APIs to authenticate user requests, check the integrity of the parameters, and eliminate unauthorized activities.

Secure Message Protocols: The communication protocols SSL/TLS (Secure Socket Layer/Transport Layer Security) and SSH (Secure Shell Protocol) incorporate HMAC for message authentication.

HMAC Use Case: Implementation of HMAC for OAuth 1.0

OAuth, or Open Authorization, is an HTTP-based authorization protocol. When we install an app on our mobile or use a web app, we might need to allow certain permissions for the application to work as intended.
OAuth does not give sensitive data but uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

Many companies like Google, Facebook, and Spotify use this protocol.


The HMAC is used in OAuth to generate signatures for the protocol. Let us see how we can generate HMAC, which can further be used to generate signatures.

import hmac
import hashlib
import base64

def gen_hmac_sha1(key, msg):
    hmac_sha1 = hmac.new(key.encode('utf-8'), msg.encode('utf-8'), hashlib.sha1)
    signature = base64.b64encode(hmac_sha1.digest()).decode('utf-8')
    return signature
consumer_secret = "yourconsumersecret"
token_secret = "yourtokensecret"
base_string = "yourbasestring"

key = f"{consumer_secret}&{token_secret}"
signature = gen_hmac_sha1(key, base_string)
print("HMAC-SHA1 Signature:", signature)

In the first three lines, we import the necessary libraries for generating the hash and the base string.

We are creating a function called gen_hmac_sha1 which takes a key and a message as parameters. The hmac_sha1 is HMAC generated for the message with the help of the key. This HMAC is used to generate a signature in the next line.

Lines 9-11 should be filled with the credentials of the OAuth you wish to use.

The key passed to the function we created earlier is generated by concatenating the consumer credentials and the token.

The function is called in the next line to generate the signature.

Lastly, the signature is printed using the print function.

Let us see the output of the code.

[Figure: Signature Using HMAC]

There is one thing we need to keep in mind; for the given credentials, the signature remains the same no matter how many times the code is executed. This ensures the integrity of the messages.
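The code above signs a placeholder base string. As an added example (not part of the original article), the following sketch builds the signature base string and signing key the way RFC 5849 describes for HMAC-SHA1, and verifies a received signature in constant time. The helper names, URL and parameter values are constructed for illustration, and the base URL is assumed to be already normalized with its query parameters moved into params.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """Percent-encode everything except unreserved characters (RFC 5849)."""
    return quote(value, safe="~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Join METHOD, encoded URL and encoded, sorted parameters with '&'."""
    # Names and values are encoded first, then the encoded pairs are sorted.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with the two encoded secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    mac = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(received: str, base_string: str, consumer_secret: str,
           token_secret: str = "") -> bool:
    """Recompute the signature and compare without leaking timing."""
    expected = sign(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample request, not real credentials.
SAMPLE_PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce-123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
    "status": "hello world & more",
}

if __name__ == "__main__":
    base = signature_base_string("post", "https://api.example.com/v1/update", SAMPLE_PARAMS)
    sig = sign(base, "yourconsumersecret", "yourtokensecret")
    print("Base string:", base)
    print("Signature  :", sig)
    print("Verified   :", verify(sig, base, "yourconsumersecret", "yourtokensecret"))
```

Encoding each secret before joining them with "&" keeps the boundary between the two unambiguous when a secret itself contains "&".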

Conclusion

Cryptography is used to ensure data confidentiality, integrity, and authenticity of the confidential data that is transmitted over the web or an insecure channel. One application of cryptography is the message authentication code which is used to ensure the integrity of the message by appending it with a unique code that can be calculated at the receiver’s side and compared. It also ensures the authentication of the sender.

In this article, we discussed one variant of MAC, which is HMAC. HMAC incorporates a key and a hash value generated by SHA or MD5. We discussed the applications of HMAC and looked at one such use case: OAuth.

OAuth is a protocol that enables the user to share certain necessary information without having to share their private credentials like username and password. HMAC is used in OAuth to generate a signature which can further be used in OAuth.
