diff --git a/vanetza/security/CMakeLists.txt b/vanetza/security/CMakeLists.txt
index dc385fbea..c413d1600 100644
--- a/vanetza/security/CMakeLists.txt
+++ b/vanetza/security/CMakeLists.txt
@@ -6,6 +6,7 @@ add_vanetza_component(security
     ecc_point.cpp
     ecdsa256.cpp
     hashed_id.cpp
+    hmac.cpp
     secured_message.cpp
     sha.cpp
     sign_service.cpp
diff --git a/vanetza/security/hmac.cpp b/vanetza/security/hmac.cpp
new file mode 100644
index 000000000..719ae1f03
--- /dev/null
+++ b/vanetza/security/hmac.cpp
@@ -0,0 +1,27 @@
+#include <vanetza/security/hmac.hpp>
+#include <cryptopp/osrng.h>
+#include <cryptopp/hmac.h>
+#include <cryptopp/sha.h>
+
+namespace vanetza
+{
+namespace security
+{
+
+KeyTag create_hmac_tag(const ByteBuffer& data, const HmacKey& hmacKey)
+{
+    KeyTag keyTag;
+
+    // Calculate tag.
+    CryptoPP::HMAC<CryptoPP::SHA256> mac(hmacKey.data(), hmacKey.size());
+    unsigned char tag[hmacKey.size()];
+    mac.Update(data.data(), data.size());
+    mac.Final(tag);
+
+    // Tag is truncated to leftmost 128 bits.
+    std::copy_n(tag, keyTag.size(), keyTag.data());
+    return keyTag;
+}
+
+} // namespace security
+} // namespace vanetza
diff --git a/vanetza/security/hmac.hpp b/vanetza/security/hmac.hpp
new file mode 100644
index 000000000..b94872571
--- /dev/null
+++ b/vanetza/security/hmac.hpp
@@ -0,0 +1,23 @@
+#pragma once
+#include <vanetza/common/byte_buffer.hpp>
+#include <array>
+#include <cstdint>
+
+namespace vanetza
+{
+namespace security
+{
+
+using HmacKey = std::array<uint8_t, 32>;
+using KeyTag = std::array<uint8_t, 16>;
+
+/**
+ * \brief generate HMAC key and create HMAC tag on data
+ * \param data data to be tagged
+ * \param hmacKey generated HMAC key
+ * \return tag of data generated with hmacKey
+*/
+KeyTag create_hmac_tag(const vanetza::ByteBuffer& data, const HmacKey& hmacKey);
+
+} // namespace security
+} // namespace vanetza