diff --git a/demo/client/client.go b/demo/client/client.go
index bd4d919..ac8838d 100644
--- a/demo/client/client.go
+++ b/demo/client/client.go
@@ -128,7 +128,9 @@ func main() {
 	_, err = conn.Write(rec.who)
 	_, err = conn.Write(rec.cmd)
 	_, err = conn.Write(rec.authCookie)
-
+	
+	conn.EnableHMAC()
+	
 	//client reader (from server) goroutine
 	wg.Add(1)
 	go func() {
diff --git a/demo/server/server.go b/demo/server/server.go
index e0bad6c..3441050 100644
--- a/demo/server/server.go
+++ b/demo/server/server.go
@@ -210,7 +210,9 @@ func main() {
 				log.Println("[Bad cmdSpec.authCookie]")
 				return err
 			}
-
+			
+			conn.EnableHMAC()
+			
 			log.Printf("[cmdSpec: op:%c who:%s cmd:%s auth:****]\n",
 				rec.op[0], string(rec.who), string(rec.cmd))
 
diff --git a/hkexnet.go b/hkexnet.go
index 0ed1d5c..dee47a9 100644
--- a/hkexnet.go
+++ b/hkexnet.go
@@ -40,6 +40,8 @@ import (
 type Conn struct {
 	c          net.Conn // which also implements io.Reader, io.Writer, ...
 	h          *HerraduraKEx
+	hmacOn     bool // turned on once channel param negotiation is done
+	byteCount  int
 	cipheropts uint32        // post-KEx cipher/hmac options
 	opts       uint32        // post-KEx protocol options (caller-defined)
 	r          cipher.Stream //read cipherStream
@@ -48,6 +50,10 @@ type Conn struct {
 	wm         hash.Hash
 }
 
+func (c *Conn) EnableHMAC() {
+	c.hmacOn = true
+}
+
 // ConnOpts returns the cipher/hmac options value, which is sent to the
 // peer but is not itself part of the KEx.
 //
@@ -310,6 +316,13 @@ func (c Conn) Read(b []byte) (n int, err error) {
 	rs := &cipher.StreamReader{S: c.r, R: db}
 	n, err = rs.Read(b)
 	log.Printf("  <-ptext:\r\n%s\r\n", hex.Dump(b[:n])) //EncodeToString(b[:n]))
+
+	if c.hmacOn {
+			c.rm.Write(b[:n])
+			c.byteCount += len(b[:n])
+		fmt.Printf("(%x) HMAC:%x\r\n", c.byteCount, c.rm.Sum(nil))
+	}
+
 	return
 }
 
@@ -319,6 +332,13 @@ func (c Conn) Read(b []byte) (n int, err error) {
 func (c Conn) Write(b []byte) (n int, err error) {
 	//log.Printf("[Encrypting...]\r\n")
 	log.Printf("  :>ptext:\r\n%s\r\n", hex.Dump(b)) //EncodeToString(b))
+
+	if c.hmacOn {
+		c.wm.Write(b)
+		c.byteCount += len(b)
+		fmt.Printf("(%x) HMAC:%x\r\n", c.byteCount, c.wm.Sum(nil))
+	}
+
 	var wb bytes.Buffer
 	// The StreamWriter acts like a pipe, forwarding whatever is
 	// written to it through the cipher, encrypting as it goes