Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-224 (Initial Public Draft)

Keyed-Hash Message Authentication Code (HMAC): Specification of HMAC and Recommendations for Message Authentication

Date Published: June 28, 2024
Comments Due: September 6, 2024
Email Comments to:


Meltem Sönmez Turan (NIST), Luís T. A. N. Brandão (Strativia)


This publication includes the HMAC specification from Federal Information Processing Standard (FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC) (2008) and incorporates some requirements from SP 800-107r1 (Revision 1), Recommendation for Applications Using Approved Hash Algorithms (2012). This development was proposed by the Crypto Publication Review Board based on the reviews of FIPS 198-1 and SP 800-107r1 in 2022. The final version of SP 800-224 is expected to be published concurrently with the withdrawal of FIPS 198-1.

The public comment period is open through September 6, 2024. Submit comments to; comments received in response to this request will be posted here after the due date.



cryptography; hash function; HMAC; MAC; message authentication code; PRF; pseudorandom function; standard; truncation
Control Families

None selected


Download URL

Supplemental Material:
None available

Document History:
06/28/24: SP 800-224 (Draft)


Security and Privacy

message authentication