
Stuart Longland 02-20-2011 10:58 AM

hmac module and key format
 
Hi,

Maybe I'm completely dense with regards to the hmac module and HMAC in
general, but I've searched and cannot find for the life of me the
answer to this very basic question.

What format does hmac require the key to be in?

I have a key in hexadecimal, do I give it the hex? Do I decode that
to binary and give it that? Do I try to figure out what passphrase
generated the hex and give it that instead? Nowhere in the
documentation does it appear to mention what form the key must take,
or how you tell it what form it's in for it to "figure it out". If
someone could enlighten me, I'd be most grateful.

Regards,
Stuart Longland

Paul Rubin 02-20-2011 12:01 PM

Re: hmac module and key format
 
Stuart Longland <redhatter@gentoo.org> writes:
> What format does hmac require the key to be in?

It's an arbitrary string.

    I have a key in hexadecimal, do I give it the hex? Do I decode that
    to binary and give it that?

Probably yes. Do you have test vectors? See if they work.

Peter Pearson 02-20-2011 06:59 PM

Re: hmac module and key format
 
On Sun, 20 Feb 2011 04:01:20 -0800, Paul Rubin <no.email@nospam.invalid> wrote:
> Stuart Longland <redhatter@gentoo.org> writes:
>> What format does hmac require the key to be in?
>
> It's an arbitrary string.
>
>     I have a key in hexadecimal, do I give it the hex? Do I decode that
>     to binary and give it that?
>
> Probably yes. Do you have test vectors? See if they work.


Test case from http://www.faqs.org/rfcs/rfc2104.html :


key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
key_len = 16 bytes
data = "Hi There"
data_len = 8 bytes
digest = 0x9294727a3638bb1c13f48ef8158bfc9d

Using the hmac module:

>>> hmac.hmac_md5( "Hi There", 16*"\x0b" )
'\x92\x94rz68\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d'


--
To email me, substitute nowhere->spamcop, invalid->net.

Stuart Longland 02-21-2011 10:27 AM

Re: hmac module and key format
 
On Feb 21, 4:59 am, Peter Pearson <ppear...@nowhere.invalid> wrote:
> On Sun, 20 Feb 2011 04:01:20 -0800, Paul Rubin <no.em...@nospam.invalid> wrote:
> > Stuart Longland <redhat...@gentoo.org> writes:
> >> What format does hmac require the key to be in?
>
> > It's an arbitrary string.
>
> >     I have a key in hexadecimal, do I give it the hex? Do I decode that
> >     to binary and give it that?
>
> > Probably yes. Do you have test vectors? See if they work.
>
> Test case from http://www.faqs.org/rfcs/rfc2104.html:

[...]
> >>> hmac.hmac_md5( "Hi There", 16*"\x0b" )
>
> '\x92\x94rz68\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d'


No worries, thanks to both you Peter and Paul, I'll give this a shot.
By the looks of things it is possible to just decode the hexadecimal
to a binary string and give it that.

I should perhaps elaborate on what I'm doing in case the specifics
make a difference. I have a YubiKey which internally supports a
challenge-response mode based on HMAC-SHA1. I've got a key, a sample
challenge and the sample output which is included in the python-yubico
module demos:

https://github.com/yubico/python-yubico

Before I worried about that though, I needed to have some kind of
understanding as to how the hmac module was used. "Arbitrary string",
sounds to me like I give it something akin to a passphrase, and that
is hashed(?) to provide the symmetric key for the HMAC. Wikipedia
seems to suggest it depends on the length of the key given, so if I
give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
unmodified. Would that be a correct assertion?

Peter Pearson 02-21-2011 06:55 PM

Re: hmac module and key format
 
On Mon, 21 Feb 2011 02:27:36 -0800 (PST), Stuart Longland wrote:
[snip]
> Before I worried about that though, I needed to have some kind of
> understanding as to how the hmac module was used. "Arbitrary string",
> sounds to me like I give it something akin to a passphrase, and that
> is hashed(?) to provide the symmetric key for the HMAC. Wikipedia
> seems to suggest it depends on the length of the key given, so if I
> give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
> unmodified. Would that be a correct assertion?


Yes. I predict that you will be glad you look at RFC 2104,

http://www.ietf.org/rfc/rfc2104.txt

where you will find HMAC summarized as

H(K XOR opad, H(K XOR ipad, text))

Here, opad is a block filled with the byte 0x5C, and ipad is
a block filled with the byte 0x36. If the key is no longer
than one block (and a block is 64 bytes for SHA and MD5), then
K is just the key itself; otherwise, K is a hash of the key.

--
To email me, substitute nowhere->spamcop, invalid->net.
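
Added example, not part of the original posts: the RFC 2104 construction quoted above written out in Python 3 (keys and data are bytes) and checked against the standard library's hmac.new(key, msg, digestmod) and the test vector from the thread. The function names are this example's own; it also shows that a hex-encoded key must be decoded to raw bytes first, and that a key longer than one block is equivalent to its hash.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC built directly from the RFC 2104 formula quoted above."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        # Keys longer than one block are replaced by their hash.
        key = hashlib.new(hash_name, key).digest()
    k = key.ljust(block_size, b"\x00")  # shorter keys are zero-padded to a block
    inner_key = bytes(b ^ 0x36 for b in k)  # K XOR ipad
    outer_key = bytes(b ^ 0x5C for b in k)  # K XOR opad
    inner = hashlib.new(hash_name, inner_key + text).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def key_from_hex(hex_key: str) -> bytes:
    """Decode a hex-encoded key into the raw bytes that HMAC expects."""
    return bytes.fromhex(hex_key)

# RFC 2104 test case quoted in the thread.
RFC_KEY_HEX = "0b" * 16
RFC_DATA = b"Hi There"
RFC_DIGEST_HEX = "9294727a3638bb1c13f48ef8158bfc9d"

def check_rfc_vector() -> bool:
    """Both the hand-written HMAC and hmac.new reproduce the RFC digest."""
    key = key_from_hex(RFC_KEY_HEX)
    manual = hmac_rfc2104(key, RFC_DATA, "md5")
    stdlib = hmac.new(key, RFC_DATA, hashlib.md5).digest()
    expected = bytes.fromhex(RFC_DIGEST_HEX)
    return hmac.compare_digest(manual, expected) and hmac.compare_digest(stdlib, expected)

def hex_text_as_key_matches() -> bool:
    """Passing the hex digits as ASCII text is a different key, so a different tag."""
    wrong = hmac.new(RFC_KEY_HEX.encode("ascii"), RFC_DATA, hashlib.md5).digest()
    return wrong == bytes.fromhex(RFC_DIGEST_HEX)

def long_key_equals_hashed_key() -> bool:
    """A key over one block gives the same tag as its SHA-1 digest used as the key."""
    long_key = b"k" * 100  # constructed sample key, longer than 64 bytes
    hashed = hashlib.sha1(long_key).digest()
    return hmac.new(long_key, b"msg", hashlib.sha1).digest() == \
        hmac.new(hashed, b"msg", hashlib.sha1).digest()

if __name__ == "__main__":
    print(check_rfc_vector(), hex_text_as_key_matches(), long_key_equals_hashed_key())
```

When comparing a received tag with a computed one, use hmac.compare_digest rather than ==, as check_rfc_vector does.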

