If you enable HTTP/2, you'll absolutely need acceptable cipher suites (which include AES-GCM with DHE or ECDHE key exchange, but not HMAC, regardless of the key size). For example, it makes stronger guarantees about collision resistance. hmac_function(message, key) -> hash: hmac.md5 (message, key) -> HMAC-MD5 hash: Compute HMAC-MD5 (requires md5). This is an implementation of the HMAC-SHA384 algorithm. keyValue. Internet-Draft AES-CTS HMAC-SHA2 For Kerberos 5 August 26, 2016 where "prf" is the octet-string 0x707266 6.Checksum Parameters The following parameters apply to the checksum types hmac-sha256-128- aes128 and hmac-sha384-192-aes256, which are the associated checksums for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, respectively. This module supports the SHA-2 suite of algorithms for HMAC making it backwards compatible, in sizes, with existing HMAC authentication. They have provided a PHP example which I don’t quite understand: If the length is less than the digest block size, it will be zero padded up to the block size. If the key is shorter than this block size, zeroes need to be appended to the key. Third, there is a good reason to prefer non-HMAC cipher suites: HTTP/2 encourages it. Constructors ; Constructor and Description; ... byte engineDoFinal() Completes the HMAC computation and resets the HMAC for further use, maintaining the secret key that the HMAC was initialized with. Possible values: MD2, MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512. Returns a HMAC function that can be used with a specific hash function. Implementing the cipher suite blacklist is optional, but Chrome and Firefox both do so. The key can be any length (up to a NetScaler-imposed maximum of 255 bytes). hmac.sha1 (message, key) -> HMAC-SHA256 hash: Compute HMAC-SHA1 (requires [sha1]). Generate the symmetric key. Determine the key length in bytes to pass to the dd command. Divide the minimum and maximum key sizes by 8. Both are hashed by HMAC SHA384, converted to Base64 and sent via the request header as “X-ICObench-Sig”. Generate a SHA hash with 384 Bits with this free online hash generator. Even if SHA384 is resistant to length-extension attacks, there are still valid reasons to prefer HMAC. Even for SHA3, which is not vulnerable to length-extension attacks, you should prefer a standardized MAC algorithm, such as KMAC, as recommended by NIST. If the key is longer than this block size, then it is hashed with the HMAC cryptographic hash. protected int: engineGetMacLength() ... the HMAC length in bytes. For example, the value 8, 16, or 64 can be passed to the dd command for the sha1_hmac and md5_hmac functions. The public key is used to identify the API user and is sent via the request header as “X-ICObench-Key”.