HMAC Authentication
Written by Mike Rede on November 26, 2008

There are various digital authentication methods that use symmetric and asymmetric keys. One such authentication method that uses a symmetric key is known as HMAC, which stands for Hash-based Message Authentication Code.
It is important to note that HMAC “authenticates” messages. HMAC is not used to “sign” messages but to “authenticate” them. A signature ties the signed document back to the originator. For example, I can use my private key to create an RSA or DSA signature, and the assumption is that my private key is used only by myself. My private key uniquely identifies me as the originator of documents signed by me. A symmetric key, however, is shared by two people, and since the key is shared by two people, both of them are considered the owners of the symmetric key. So a message that is “authenticated” with a symmetric key may have been originated by either of the two owners of the key; we don’t know who originated the message until we know more about the context. The point is that a message authenticated with a symmetric key cannot be considered as having been signed.
So be clear in your understanding that when you use HMAC you are not signing any messages.
Cryptographic hash functions used by HMAC include MD5 and SHA-1. More detail can be found in the memo RFC 2104 (Request For Comments 2104), published by the Network Working Group in February 1997.
The hash function iterates a basic compression function on blocks of data. An example of HMAC in use occurs with XML Signatures, which use HMAC with the SHA-1 hash function. A 20-byte authentication code is created from a symmetric key and an original message. Only a party holding the correct symmetric key and the original message can recreate the correct authentication code. This is what gives HMAC its security.
HMAC is a one-way operation. This means that the sender creates the 20-byte hash code value using the symmetric key and the original message. It is then left for the receiver to recreate the authentication code 20-byte value and compare this value against the HMAC sent along with the original message. There is no reverse verification process – just a one-way transformation.
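The sender/receiver exchange described above, as an added example that is not part of the original post. It builds HMAC exactly as RFC 2104 specifies (inner and outer hash with the ipad/opad key masks over a 64-byte block) using Python's standard `hashlib`, checks the result against the standard library's own `hmac` module, and shows the receiver's recompute-and-compare step. The function names `sender_tag`, `receiver_verify` and `reference_tag`, and the sample key and message, are constructed for this example.

```python
import hashlib
import hmac

# RFC 2104 block size "B": both MD5 and SHA-1 process 64-byte input blocks.
BLOCK_SIZE = 64


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || text))."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    # Keys longer than one block are hashed first, then every key is
    # zero-padded on the right up to the block size.
    if len(key) > BLOCK_SIZE:
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")

    inner_key = bytes(b ^ 0x36 for b in key)  # K xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # K xor opad
    return h(outer_key + h(inner_key + message))


def sender_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: derive the 20-byte HMAC-SHA1 code for the message."""
    return hmac_rfc2104(key, message, "sha1")


def receiver_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the code and compare it with the received one.

    compare_digest runs in time independent of where the bytes first differ,
    so an attacker cannot learn the correct tag byte by byte from timing.
    """
    expected = hmac_rfc2104(key, message, "sha1")
    return hmac.compare_digest(expected, tag)


def reference_tag(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Same computation via the standard library, used to cross-check ours."""
    return hmac.new(key, message, getattr(hashlib, hash_name)).digest()


if __name__ == "__main__":
    # Constructed sample: a shared key and a message (not from the article).
    shared_key = b"example-shared-secret"
    message = b"transfer 100 units to account 42"

    tag = sender_tag(shared_key, message)
    print("HMAC-SHA1 tag:", tag.hex(), "(", len(tag), "bytes )")

    # Receiver recomputes and compares; a tampered message fails to verify.
    print("genuine message verifies:", receiver_verify(shared_key, message, tag))
    tampered = message.replace(b"42", b"43")
    print("tampered message verifies:", receiver_verify(shared_key, tampered, tag))
```

Note that the receiver never "decrypts" the tag: it repeats the same one-way computation and checks for equality, which is why both parties must hold the same key and why the tag cannot tell them apart as originator.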