Hello, this is Aiden from the Marketing Team.

Following our discussion on PX4 MAVLink-Python Programming: MAVLink 2 Message Signing, today we will take a closer look at HMAC-SHA256. This content is the copyrighted intellectual property of QUAD Drone Lab. Please refrain from unauthorized distribution.

✳️ HMAC = Hash-based Message Authentication Code

HMAC is a specific type of message authentication code involving a cryptographic hash function and a secret cryptographic key. It is a mechanism used to simultaneously verify both the data integrity and the authenticity of a message.

• HMAC operates based on a specific hash algorithm.

Example: HMAC-SHA256 refers to the HMAC method utilizing the SHA-256 hash function.

⚙️ How Does It Work?

INPUT:

• message : The data to be protected (e.g., the entire MAVLink packet).
• secret key : A shared private key used during the signing process.
• SHA-256 Hash Function : The cryptographic engine.

OUTPUT:

• A unique 32-byte (256-bit) hash value.

🔁 Internal Operation Summary

1. The Secret Key and the Message are combined.
2. The process performs SHA-256 hashing twice internally (inner and outer passes).
3. The result is a hash value that will never match unless both the message and the key are perfectly identical to the originals.

🔒 Why is HMAC-SHA256 Powerful?

📦 Why use HMAC-SHA256 in MAVLink 2?

• Since MAVLink is an open protocol, packets can be sniffed (eavesdropped) by anyone.
• By signing with HMAC-SHA256, an eavesdropper cannot forge a signature without the Secret Key.
• The drone verifies the signature upon receipt and rejects any forged or unauthorized commands.

🧪 Implementation Examples (Python)

import hmac
import hashlib

key = b'secret_shared_key_32_bytes____1234567890'
message = b'hello drone'

signature = hmac.new(key, message, hashlib.sha256).digest()

print(signature.hex())

import hmac
import hashlib

key = b'secret_shared_key_32_bytes____1234567890'
message = b'hello drone'

signature = hmac.new(key, message, hashlib.sha256).digest()

print(signature.hex())

This always produces a 64-character hexadecimal string, which equivalent to 32 bytes (since 1 hex digit represents 4 bits)

🧪 Verification Code (Example)

import hmac
import hashlib

# Received message and signature
message = b'hello drone'
received_signature_hex = '...'  # Hex signature received from the example above

# Verify if the signature is authentic
key = b'secret_shared_key_32_bytes____1234567890'
expected_signature = hmac.new(key, message, hashlib.sha256).digest().hex()

if received_signature_hex == expected_signature:
    print("✅ Signature is valid!")
else:
    print("❌ Signature is invalid.")

import hmac
import hashlib

# Received message and signature
message = b'hello drone'
received_signature_hex = '...'  # Hex signature received from the example above

# Verify if the signature is authentic
key = b'secret_shared_key_32_bytes____1234567890'
expected_signature = hmac.new(key, message, hashlib.sha256).digest().hex()

if received_signature_hex == expected_signature:
    print("✅ Signature is valid!")
else:
    print("❌ Signature is invalid.")

🧪 Actual MAVLink Signing Implementation (Example)

import hmac
import hashlib
from pymavlink import mavutil

# 32-byte Secret Key shared between the Drone and GCS
SECRET_KEY = b'secret_shared_key_32_bytes____1234567890'

# Create connection (Not using built-in signing to demonstrate manual verification)
the_connection = mavutil.mavlink_connection('udp:127.0.0.1:14550')

while True:
    msg = the_connection.recv_msg()

    if msg is None:
        continue

    # Message signing is only available in MAVLink 2 (STX = 0xFD)
    if msg.get_msgbuf()[0] != 0xFD:
        continue

    # Get the raw bytes of the entire message
    raw_packet = msg.get_msgbuf()

    # Extract the 13-byte signature block from the end of the packet
    signature_block = raw_packet[-13:]
    link_id = signature_block[0]
    timestamp = signature_block[1:7]
    received_signature = signature_block[7:]

    # The part to be signed consists of: Message Body + link_id + timestamp
    signed_part = raw_packet[:-13] + signature_block[:7]

    # Compute HMAC
    computed_signature = hmac.new(
        SECRET_KEY,
        signed_part,
        hashlib.sha256
    ).digest()[:6]  # Compare only the first 6 bytes

    if received_signature == computed_signature:
        print(f"✅ Signature Verified: {msg.get_type()}")
    else:
        print(f"❌ Signature Forged or Key Mismatch: {msg.get_type()}")

import hmac
import hashlib
from pymavlink import mavutil

# 32-byte Secret Key shared between the Drone and GCS
SECRET_KEY = b'secret_shared_key_32_bytes____1234567890'

# Create connection (Not using built-in signing to demonstrate manual verification)
the_connection = mavutil.mavlink_connection('udp:127.0.0.1:14550')

while True:
    msg = the_connection.recv_msg()

    if msg is None:
        continue

    # Message signing is only available in MAVLink 2 (STX = 0xFD)
    if msg.get_msgbuf()[0] != 0xFD:
        continue

    # Get the raw bytes of the entire message
    raw_packet = msg.get_msgbuf()

    # Extract the 13-byte signature block from the end of the packet
    signature_block = raw_packet[-13:]
    link_id = signature_block[0]
    timestamp = signature_block[1:7]
    received_signature = signature_block[7:]

    # The part to be signed consists of: Message Body + link_id + timestamp
    signed_part = raw_packet[:-13] + signature_block[:7]

    # Compute HMAC
    computed_signature = hmac.new(
        SECRET_KEY,
        signed_part,
        hashlib.sha256
    ).digest()[:6]  # Compare only the first 6 bytes

    if received_signature == computed_signature:
        print(f"✅ Signature Verified: {msg.get_type()}")
    else:
        print(f"❌ Signature Forged or Key Mismatch: {msg.get_type()}")

YOUTUBE Class

This concludes our look at What is HMAC-SHA256?, a key reference for ensuring MAVLink reliability in the fifth stage of our PX4 MAVLink-Python programming series. I will return in the next post to discuss Flight Modes (PX4 Multicopter).

Author: Aiden, Marketing Team at QUAD Drone Lab

Date: March 08, 2026