Skip to content
Blog
HMAC in Istio: Series 2/2 - Advanced Scenarios, Debugging, and Performance

HMAC in Istio: Series 2/2 - Advanced Scenarios, Debugging, and Performance

April 11, 2026

Advanced HMAC Scenarios in Istio

Now that you understand HMAC fundamentals and how Istio uses it in mTLS, let’s explore more complex scenarios you’ll encounter in production.

1. Cipher Suites and HMAC Algorithms

Different TLS cipher suites use different HMAC algorithms. When Istio negotiates a connection, both sides agree on which cipher suite to use.

Common TLS 1.2 Cipher Suites:

ECDHE-RSA-AES256-GCM-SHA384
├─ ECDHE: Elliptic Curve Diffie-Hellman for key exchange
├─ RSA: Certificate authentication
├─ AES256-GCM: AES-256 encryption with Galois Counter Mode
└─ SHA384: HMAC uses SHA-384 (48-byte output)

ECDHE-RSA-AES128-GCM-SHA256
├─ ECDHE: Key exchange
├─ RSA: Authentication
├─ AES128-GCM: AES-128 encryption
└─ SHA256: HMAC uses SHA-256 (32-byte output)

AES256-SHA
└─ HMAC-SHA1 (deprecated, don't use)

TLS 1.3 Changes:

TLS 1.3 uses AEAD (Authenticated Encryption with Associated Data) ciphers instead of separate encryption + HMAC:

TLS_AES_256_GCM_SHA384
├─ AES-256-GCM handles both encryption and authentication
├─ HMAC-SHA384 used for key derivation, not per-record
└─ More efficient: one operation instead of two

TLS_CHACHA20_POLY1305_SHA256
├─ ChaCha20 for encryption
├─ Poly1305 for authentication (similar to HMAC)
└─ Better performance on devices without AES hardware

How Istio Handles This:

Istio’s PeerAuthentication policy controls which TLS versions and cipher suites are allowed:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT  # Require mTLS for all traffic
  # Envoy automatically selects strong cipher suites
  # Default: TLS 1.2+ with AES-GCM or ChaCha20-Poly1305

Istio’s defaults are secure, but you can inspect which cipher suite was negotiated:

# Check negotiated cipher suite in Envoy
istioctl authn tls-check <pod>

# Output shows:
# TLS Version: 1.3
# Cipher Suite: TLS_AES_256_GCM_SHA384

2. TLS 1.3 vs TLS 1.2: HMAC Differences

The role of HMAC changes significantly between TLS versions.

TLS 1.2 (Traditional):

Per-record HMAC:
┌──────────────────────┐
│ Plaintext message    │
├──────────────────────┤
│ HMAC-SHA256(key, m)  │ ← Authenticates every record
├──────────────────────┤
│ Random padding       │
└──────────────────────┘
        ↓ (encrypt all)
┌──────────────────────┐
│ Ciphertext (all 3)   │
└──────────────────────┘

Two operations: HMAC + Encryption = slower

TLS 1.3 (Modern AEAD):

Authenticated Encryption:
┌──────────────────────┐
│ Plaintext message    │ ← Both encrypted AND
├──────────────────────┤   authenticated in one
│ Authentication tag   │   operation (AES-GCM)
└──────────────────────┘
        ↓ (AEAD handles both)
┌──────────────────────┐
│ Ciphertext + Tag     │
└──────────────────────┘

One operation: AES-GCM with built-in auth = faster

HMAC-SHA384 still used for:
- Key derivation (PRK)
- Master secret computation
- But NOT for per-record authentication

Performance Impact:

TLS 1.3 is faster because:

  • One cryptographic operation per record instead of two
  • Modern AEAD modes are optimized in hardware
  • Result: ~10-20% throughput improvement in mTLS

Checking TLS Version:

# Force TLS 1.3 minimum
kubectl patch peerauth default -p '{"spec":{"mtls":{"mode":"STRICT"}}}'

# Verify in Envoy stats
istioctl dashboard envoy <pod> | grep tls_version

3. Session Resumption and HMAC

When a TLS session resumes (instead of doing a full handshake), the HMAC mechanism changes.

Full Handshake:

Client ──────────────────────────────────────── Server
   │   ClientHello (random1)                      │
   │─────────────────────────────────────────────>│
   │                                              │
   │   ServerHello (random2)                      │
   │   + Certificate + ServerKeyExchange         │
   │<─────────────────────────────────────────────│
   │                                              │
   │ Derives: session_key = PRF(                  │
   │   master_secret,                             │
   │   "label", random1, random2)                │
   │                                              │
   │ Both have identical session_key              │
   │ All records now use HMAC with this key       │

Session Resumption (Abbreviated Handshake):

New connection (same client/server):
Client ──────────────────────────────────────── Server
   │   ClientHello (with session_id)              │
   │─────────────────────────────────────────────>│
   │                                              │
   │   ServerHello (reuses session_id)            │
   │   [Handshake complete! Skip expensive stuff] │
   │<─────────────────────────────────────────────│
   │                                              │
   │ Reuses: same session_key from before         │
   │ All records immediately use HMAC with it     │
   │                                              │
   │ Time saved: ~100ms per connection            │
   │ But: reusing key = less forward secrecy      │

Istio and Session Resumption:

By default, Istio Envoy proxies support session resumption, which is good for performance but requires careful key management.

Debugging HMAC Failures in Istio

When HMAC verification fails, the connection is immediately terminated. Understanding why is crucial for troubleshooting.

Common HMAC Failure Scenarios

Scenario 1: Expired Certificate (Most Common)

Client Envoy:
✓ Has valid certificate (exp: 2026-04-20)
✓ Computes session_key correctly
✓ Sends HMAC with records

Server Envoy:
✗ Certificate expired (exp: 2026-04-10)
✗ Cannot derive same session_key
✗ HMAC verification fails
└─ Connection: 403 HMAC verification failed

Error in Envoy logs:
"certificate has expired"
"failed to verify peer"

Scenario 2: Clock Skew

Client: System clock = 2026-04-11 10:00:00
Server: System clock = 2026-04-11 09:55:00 (5 minutes behind)

Certificate validity check:
- Client sees: Certificate is valid (within nbf/exp window)
- Server sees: Certificate is NOT YET valid (issued in future)

HMAC fails because:
- Even though both compute HMAC, Envoy rejects connection
- due to cert validation before HMAC check

Error: "certificate not yet valid"

Fix: Sync system clocks with NTP

Scenario 3: Mismatched Cipher Suites

Client negotiates: TLS_AES_256_GCM_SHA384
Server negotiates: TLS_AES_128_GCM_SHA256

During handshake, they should agree on same suite.
If they don't (rare bug), HMAC key derivation differs:

Client: session_key = KDF(..., SHA384)
Server: session_key = KDF(..., SHA256)

Result: Different keys → HMAC mismatch → connection dies

Debugging Tools

1. Envoy Statistics

# Get Envoy stats for a pod
kubectl exec -it <pod> -c istio-proxy -- \
  curl localhost:15000/stats/prometheus | grep tls

# Look for:
ssl.handshake_success        # Successful handshakes
ssl.handshake_failure        # Failed handshakes
ssl.session_reused           # Resumed sessions
ssl.cipher_rsa_4096          # Cipher suites in use

2. Envoy Admin Interface

# Access Envoy debug interface
kubectl port-forward <pod> 15000:15000

# Then visit:
curl http://localhost:15000/certs

# Shows:
# Certificate chain
# Subject
# Issuer
# Valid dates (nbf, exp)
# Current time

3. Istio CLI

# Check TLS configuration
istioctl authn tls-check <pod> -n <namespace>

# Output:
# Host: <service>
# Port: 8080
# AuthenticationPolicy: STRICT
# DestinationRule: N/A
# TLS Mode: STRICT
# Status: OK (mTLS configured)

# For failures:
# Status: FAILED
# Issue: Certificate validation failed

4. Envoy Logs with Debug Level

# Set Envoy log level to debug
kubectl exec -it <pod> -c istio-proxy -- \
  curl -X POST localhost:15000/logging?level=debug

# Tail logs
kubectl logs <pod> -c istio-proxy -f

# Look for lines:
# "handshake: ...HMAC verification failed"
# "certificate expired"
# "verify peer: ..."

5. tcpdump (Last Resort)

# Capture TLS handshake
kubectl exec -it <pod> -- tcpdump -i eth0 'tcp port 443' -w /tmp/capture.pcap

# Analyze with Wireshark
# Look for:
# - Certificate exchange in ServerCertificate message
# - Cipher suite in ServerHello
# - Whether ChangeCipherSpec is sent

Real-World Debugging Example 

Symptom: All requests between service-a and service-b failing
Error: 503 Service Unavailable

Step 1: Check if mTLS is enabled
$ istioctl authn tls-check service-b
Status: FAILED - Certificate validation failed

Step 2: Check certificates
$ kubectl exec -it service-b-pod -c istio-proxy -- curl localhost:15000/certs
Certificate valid_from: 2026-04-01
Certificate valid_until: 2026-04-08  ← EXPIRED!

Step 3: Check cert rotation
$ kubectl logs -n istio-system istiod-*** | grep "cert rotation"
No recent cert rotation logs

Step 4: Restart cert-manager
$ kubectl rollout restart deployment/cert-manager -n cert-manager

Step 5: Verify
$ istioctl authn tls-check service-b
Status: OK - mTLS working

Root cause: Certificate rotation failed silently
Solution: Monitor certificate expiry with Prometheus alerts

Performance Implications of HMAC in Istio

HMAC adds cryptographic overhead to every packet. Understanding this impact helps optimize your mesh.

HMAC Overhead

Per-Record Cost:

Message: 1,000 bytes

TLS 1.2 with AES-256-GCM-SHA256:
├─ HMAC-SHA256: ~50 microseconds (32-byte hash)
├─ AES-256 encryption: ~100 microseconds
├─ Total per record: ~150 microseconds
└─ For 10,000 RPS: 1.5 seconds CPU per second

TLS 1.3 with AES-256-GCM:
├─ AES-GCM (encryption + auth in one): ~60 microseconds
├─ No separate HMAC operation
└─ For 10,000 RPS: 0.6 seconds CPU per second

Savings: ~60% with TLS 1.3

Real-World Benchmarks (Envoy on 4-core machine):

Plaintext (no mTLS):
├─ Throughput: 100,000 RPS
├─ Latency P99: 5ms
└─ CPU: 10% utilization

mTLS with TLS 1.2:
├─ Throughput: 60,000 RPS (40% reduction)
├─ Latency P99: 15ms (3x increase)
└─ CPU: 70% utilization

mTLS with TLS 1.3:
├─ Throughput: 80,000 RPS (only 20% reduction)
├─ Latency P99: 8ms (minimal increase)
└─ CPU: 40% utilization

Lesson: Upgrade to TLS 1.3 when possible

Hardware Acceleration

Modern CPUs have AES-NI instructions that dramatically speed up HMAC:

Software HMAC-SHA256:
├─ Latency: 5 microseconds per operation
└─ 10,000 ops/ms = 10K messages/ms

AES-NI accelerated HMAC-SHA256:
├─ Latency: 0.5 microseconds per operation
└─ 100,000 ops/ms = 100K messages/ms
└─ 10x speedup!

Check if available:
$ grep aes /proc/cpuinfo
flags: ... aes ...  ← AES-NI present

Envoy automatically uses it if available
No configuration needed

Cipher Suite Selection Impact 

Throughput comparison on 1Gbps network (125 MB/s):

TLS_AES_128_GCM_SHA256 (128-bit encryption):
├─ Throughput: 110 MB/s (88% of line rate)
├─ CPU overhead: 15%
└─ Latency P99: 8ms

TLS_AES_256_GCM_SHA384 (256-bit encryption):
├─ Throughput: 100 MB/s (80% of line rate)
├─ CPU overhead: 25%
└─ Latency P99: 12ms

TLS_CHACHA20_POLY1305_SHA256 (ChaCha20):
├─ Throughput: 105 MB/s (84% of line rate)
├─ CPU overhead: 12%
└─ Latency P99: 7ms
├─ Better without AES-NI
└─ Better on low-end CPUs

Recommendation:
- High-security: AES-256-GCM-SHA384
- Balanced: AES-128-GCM-SHA256 (or ChaCha20 on ARM)
- Performance-critical: ChaCha20-Poly1305

When HMAC Becomes a Bottleneck

HMAC is typically NOT the bottleneck because modern CPUs are fast. But it can be in these scenarios:

Scenario 1: Very high throughput (>50K RPS per pod)
├─ CPU becomes the limit
├─ HMAC + encryption uses significant cycles
└─ Solution: Upgrade to TLS 1.3 or use ChaCha20

Scenario 2: Many small messages (microsecond latency)
├─ Cryptographic overhead is proportionally larger
├─ Example: 100-byte messages
└─ Solution: Batch messages or reduce mTLS coverage

Scenario 3: Weak CPU (embedded, ARM M1)
├─ No AES-NI hardware
├─ HMAC-SHA256 slower than on x86
└─ Solution: Use ChaCha20-Poly1305 instead

Scenario 4: Excessive certificate rotation
├─ Each rotation = new session keys
├─ Session resumption breaks
├─ Forces full handshakes
└─ Solution: Rotate less frequently (30 days, not daily)

Key Rotation and Session Security Best Practices

Managing HMAC keys securely is critical. Here’s how to do it right in Istio.

Certificate Lifecycle in Istio 

Istio's CA (Certification Authority):

istiod
├─ Root CA certificate (self-signed, 10 years)
│  └─ Never exposed, stays in istio-system
├─ Intermediate CA cert (signed by root, 1 year)
│  └─ Used to sign workload certificates
└─ Issues workload certificates (signed by intermediate, 90 days)
   ├─ Each pod gets its own unique certificate
   ├─ Valid for 24 hours (default)
   └─ Auto-rotated when near expiry

Automatic rotation:
- Workload cert expiry monitored
- New cert issued when: remaining_lifetime < 50% of cert_lifetime
- For 24h certs: rotated when <12h left
- Envoy reloads new cert without connection drop

Checking Certificate Status:

# View certificate on a pod
kubectl exec -it <pod> -c istio-proxy -- \
  openssl s_client -showcerts -connect localhost:15000

# Check istiod CA
kubectl get secret -n istio-system istio-ca-secret -o json | \
  jq '.data."ca-cert.pem"' | base64 -d | openssl x509 -text -noout

# Monitor cert rotation with Prometheus
# Query: rate(pilot_cert_issued[5m])  # Certificate issuance rate
# Query: histogram_quantile(0.99, pilot_cert_rotation_time)

Session Key Lifetime and Forward Secrecy 

Session Key Lifecycle:

TLS Handshake:
│
├─ Generate: session_key = KDF(shared_secret, nonces, labels)
│  └─ Unique to this connection
│  └─ Both sides have identical key
│
├─ Use for ~30 minutes (default session timeout)
│  └─ All HMAC operations use this key
│  └─ If compromised, this session is exposed
│
├─ Session Resumption (optional)
│  └─ Reuse session_key within 30min window
│  └─ Faster but same key risk
│
└─ Session Expiry
   └─ Key discarded
   └─ Next connection needs fresh handshake
   └─ New session_key generated
   └─ Old session is now secure (forward secrecy)

Forward Secrecy Benefit:
- Even if attacker compromises current key
- Old sessions (with expired keys) remain encrypted
- Attacker cannot decrypt past traffic

Best Practices

1. Certificate Rotation Strategy

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
  # Istio handles rotation automatically
  # Certificate lifetime: 24 hours (default)
  # Rotation threshold: 50% of lifetime (12 hours)
  
  # For production: check istiod logs
  # Look for: "issued cert for pod"

2. Monitor Certificate Expiry

# Prometheus alert
groups:
- name: istio-security
  rules:
  - alert: IstiodCertificateExpiring
    expr: |
      histogram_quantile(0.99, 
        rate(pilot_cert_lifetime_seconds_total[5m])) < 3600
    for: 1h
    annotations:
      summary: "Istio certificates expiring within 1 hour"
      
  - alert: EnvoyMTLSFailure
    expr: |
      rate(envoy_ssl_handshake_failure[5m]) > 0.1
    for: 5m
    annotations:
      summary: "High TLS handshake failures"

3. Secure Session Resumption

# Session resumption is enabled by default
# For extra security, disable it:

kubectl patch peerauth default -n istio-system \
  -p '{"spec":{"mtls":{"mode":"STRICT"}}}'

# This forces full handshake each time (more secure, less performant)
# Trade-off: ~100ms per connection for better forward secrecy

4. Key Rotation Testing

# Simulate certificate expiry (test only!)
kubectl delete secret -n default istio.default default \
  # Istio will auto-issue new cert

# Verify connection survives rotation
while true; do
  curl -s http://service-b:8080/health | grep -q "ok"
  echo "$(date): Connection OK"
  sleep 1
done
# Watch: connections should not drop during rotation

5. Clock Synchronization

# Critical: all nodes must have synchronized clocks

# Check NTP status
timedatectl
# Output should show: System clock synchronized: yes

# If not synchronized:
sudo systemctl restart chrony  # or ntpd

# For Kubernetes nodes:
kubectl top nodes  # Shows clock info

Summary: Part 2 Key Takeaways

  • Cipher Suites Matter: TLS 1.3 with AEAD is 60% faster than TLS 1.2 with HMAC
  • Session Resumption: Saves handshake time but requires careful key management
  • Debugging: Use Envoy stats, certificates endpoint, and Istio CLI to diagnose HMAC failures
  • Common Failure: Expired certificates (not the HMAC itself)
  • Performance: HMAC adds 15-25% CPU overhead; often not the bottleneck
  • Hardware Helps: AES-NI instruction set provides 10x speedup
  • Forward Secrecy: Session key expires after connection, protecting old traffic
  • Automation: Istio auto-rotates certificates; monitor it
  • Best Practice: Enable TLS 1.3, monitor cert expiry, sync clocks

What’s Next

Mastering HMAC in Istio requires understanding:

For deeper dives:

Related posts:

Tamper Detection at the Istio Gateway Layer