HMAC

HMAC is a MAC built on SHA-256.

Most widely used MAC on the internet. It works as follows:

THe ipad and opad are fixed in the standard.

Timing Attacks

There is a problem with verification algorithms that naively depend on equality comparison. But if you look at how equality works in many programming languages is that it compares byte by byte, and terminates when it finds an inequality.

This introduces a timing attack. You try to find the correct first byte. Wait for a longer response. Repeat until you identify all bytes.

Defences available - but bottom line is don’t implement these yourself.