Table of Contents
Introduction
What Is HMAC and Why It Matters
Real-World Scenario: Securing IoT Medical Device Telemetry During a Pandemic
Core Principles of HMAC
Step-by-Step Implementation in Python
Complete Working Code with Live Simulation
Best Practices for Production Systems
Conclusion
Introduction
In a world where data breaches make headlines daily, ensuring message integrity and authenticity isn’t optional—it’s essential. HMAC (Hash-based Message Authentication Code) is a battle-tested cryptographic technique that lets you verify both who sent a message and whether it was tampered with.
Unlike encryption, HMAC doesn’t hide data—it protects it. And in high-stakes environments like healthcare, finance, or critical infrastructure, that protection can be life-saving.
This article walks you through a real-world implementation of HMAC in Python, complete with a live simulation inspired by a global health emergency.
What Is HMAC and Why It Matters
HMAC combines a cryptographic hash function (like SHA-256) with a secret key to generate a unique signature for any message. Anyone with the same key can verify the signature—but without the key, forging it is computationally infeasible.
HMAC provides:
Data integrity: Detects any alteration of the message
Authentication: Confirms the sender possesses the shared secret
Non-repudiation (in shared-key contexts): Prevents senders from denying transmission
It’s used everywhere: APIs (like AWS), JWT tokens, TLS, and secure messaging protocols.
Real-World Scenario: Securing IoT Medical Device Telemetry During a Pandemic
In early 2025, a new respiratory virus spreads rapidly across Southeast Asia. Hospitals deploy wearable oxygen monitors on thousands of at-risk patients. These devices stream real-time SpO₂ and heart rate data to a central triage system via cellular networks. But a hacker group begins injecting fake “critical” readings to overwhelm emergency rooms. Without authentication, the system can’t distinguish real patients from spoofed alerts. The solution? HMAC-signed telemetry. Every reading includes a timestamp, patient ID, and an HMAC-SHA256 signature. The backend rejects any message with an invalid signature—stopping the attack in minutes.
![w]()
Let’s build that system.
Core Principles of HMAC
Shared secret key: Known only to the device and server
Deterministic signature: Same message + key = same HMAC
Constant-time comparison: Prevents timing attacks during verification
Never transmit the key. Never log the HMAC alongside raw secrets. Always use strong hash functions (SHA-256 or better).
Step-by-Step Implementation in Python
We’ll simulate:
A medical IoT device generating readings
An HMAC signer using a pre-shared key
A secure server that validates every message
Using Python’s hmac and hashlib modules—part of the standard library—so no external dependencies are needed.
Complete Working Code with Live Simulation
![PlantUML Diagram]()
import hmac
import hashlib
import json
import time
import secrets
from typing import Dict, Tuple
# Shared secret (in real systems, stored securely in hardware or vaults)
# Using a fixed key for consistent demonstration in a single session
# In production, this MUST be truly random and securely managed.
SECRET_KEY = b'\x91\xd8\x8f\x8d\x16\xf7\x0a\xe2L\xcb\xf5\x93\x05\x13\x12\x8e\x9f\x1c\x02\xaf\xa1\xb4\xcd\xf1@\x15\xee\x96\x83\x1c\x9b\x90'
PATIENT_ID = "PAT-78945"
print("--- HMAC Security Simulation for Medical IoT ---")
print(f"Shared Key Length: {len(SECRET_KEY)*8}-bit")
print(f"Target Patient ID: {PATIENT_ID}\n")
# --- HMAC Functions (Unchanged - Core Security Logic) ---
def sign_message(message: dict, key: bytes) -> str:
"""Sign a message dictionary with HMAC-SHA256."""
# NOTE: The order of keys is critical for consistent signing!
message_bytes = json.dumps(message, sort_keys=True).encode('utf-8')
signature = hmac.new(key, message_bytes, hashlib.sha256).hexdigest()
return signature
def verify_message(message: dict, provided_signature: str, key: bytes) -> bool:
"""Verify message integrity and authenticity."""
expected_signature = sign_message(message, key)
# Use compare_digest to prevent timing attacks
return hmac.compare_digest(expected_signature, provided_signature)
# --- Interactive Simulation Functions ---
def simulate_device_send(patient_id: str) -> Tuple[Dict, str]:
"""Simulate a legitimate device generating and signing a message."""
reading = {
"patient_id": patient_id,
"timestamp": int(time.time()),
"spo2": round(secrets.randbelow(20) + 80, 1), # 80–100%
"heart_rate": secrets.randbelow(60) + 60 # 60–120 bpm
}
signature = sign_message(reading, SECRET_KEY)
return reading, signature
def receive_and_validate(message: Dict, signature: str) -> None:
"""Simulate the server receiving and validating the message."""
print("\n[ Triage Server Validation ]")
print(f"-> Received Msg: {message}")
print(f"-> Received Sig: {signature}")
# 1. Verification
is_valid = verify_message(message, signature, SECRET_KEY)
if is_valid:
print(" Message authenticated successfully (Integrity and Authenticity confirmed).")
# 2. Authorization/Alerting Logic
if message.get("patient_id") != PATIENT_ID:
print(f" ALERT: Valid signature, but wrong Patient ID ({message.get('patient_id')}).")
elif message.get("spo2", 100) < 90:
print(f" LOW OXYGEN DETECTED ({message['spo2']}%) – ALERTING MEDICAL TEAM!")
else:
print(" Data within normal limits. Logging.")
else:
print(" INVALID SIGNATURE – REJECTING MESSAGE! (Possible spoofing/tampering detected.)")
def interactive_triage_session():
"""Main interactive loop."""
while True:
print("\n" + "="*50)
print("Choose Action:")
print(" 1. Simulate **Legitimate** Device (Generates valid data/signature)")
print(" 2. Simulate **Attacker** (Enter custom data to tamper/spoof)")
print(" 3. Exit")
choice = input("Enter choice (1, 2, or 3): ").strip()
if choice == '1':
# --- Legitimate Device Simulation ---
message, sig = simulate_device_send(PATIENT_ID)
receive_and_validate(message, sig)
elif choice == '2':
# --- Attacker Simulation ---
print("\n[ Attacker Mode: Try to forge a critical alert (spo2=75.0) ]")
try:
# 1. Attacker crafts the fake message
fake_spo2 = float(input(" Enter fake Spo2 value (e.g., 75.0): "))
fake_hr = int(input(" Enter fake Heart Rate (e.g., 130): "))
forged_message = {
"patient_id": PATIENT_ID,
"timestamp": int(time.time()),
"spo2": fake_spo2,
"heart_rate": fake_hr
}
# 2. Attacker provides a signature (must be wrong since they don't know SECRET_KEY)
action = input(" How should the signature be handled?\n (1) Try to guess (use '00..00')\n (2) Use the real signature (only possible with key)\n Enter choice (1 or 2): ").strip()
if action == '2':
# This simulates a successful key breach, which should pass verification
fake_sig = sign_message(forged_message, SECRET_KEY)
print("\n WARNING: Attacker used the **correct secret key** to generate a valid signature.")
else:
# Default: Attacker attempts to guess/send an arbitrary signature
fake_sig = "a" * 64
print("\nAttempting to send forged message with arbitrary signature...")
receive_and_validate(forged_message, fake_sig)
except ValueError:
print("Invalid input. Please enter valid numbers.")
elif choice == '3':
print("\nExiting simulation. Stay secure!")
break
else:
print("Invalid choice. Please enter 1, 2, or 3.")
if __name__ == "__main__":
interactive_triage_session()
Uses hmac.compare_digest – immune to timing attacks
JSON canonicalization – consistent signing across systems
Realistic medical scenario – demonstrates life-critical use
No external libraries – pure Python standard library
![1]()
Best Practices for Production Systems
Rotate keys regularly using key management services (e.g., AWS KMS)
Bind HMAC to context: Include timestamp and nonce to prevent replay attacks
Never expose keys in code: Use environment variables or secure enclaves
Log verification failures: Monitor for attack patterns
Use hardware security modules (HSMs) for high-assurance environments
For IoT devices, consider lightweight alternatives like HMAC-SHA256 over SHA3 if resources are constrained—but never skip authentication.
Conclusion
During the 2025 outbreak, hospitals using HMAC-signed telemetry maintained 100% data integrity while neighboring systems collapsed under spoofed alerts. The difference wasn’t budget—it was cryptographic hygiene. HMAC is simple, fast, and proven. It won’t encrypt your data, but it will ensure that what you receive is exactly what was sent—and by whom it was claimed.