HMAC-SHA1-80 example
Ajey
Is there any example available for HMAC-SHA1-80
Thanks.
- Ajey
William Stacey [MVP]
uses the sha1 20 byte hash like so:
HMACSHA1 hsha = (HMACSHA1)HMACSHA1.Create();
hsha.Key = new byte[]{1,2,3,4,5};
byte[] hHash = hsha.ComputeHash(clear);
Console.WriteLine("HMACSHA1 Hash:"+BitConverter.ToString(hHash));
--
William Stacey, MVP
http://mvp.support.microsoft.com
"Ajey" <aj...@hotmail.com> wrote in message
news:uyLF965B...@TK2MSFTNGP10.phx.gbl...
Ajey
key for HMAC? Can both generate same hash for same input?
"William Stacey [MVP]" <stacey...@mvps.org> wrote in message
news:%23tds9i6...@tk2msftngp13.phx.gbl...
William Stacey [MVP]
the
> key for HMAC?
The key is the difference. You can use this to prove both sides know the
same key.
> Can both generate same hash for same input?
Not supposed to. I am sure it can happen with some currently unknown
combination of data bytes and key bytes, but is very unlikely.
Pieter Philippaerts
HMAC-SHA1-80 is simply a truncated version of the HMAC-SHA1 hash. So,
compute the hash using the HMACSHA1 class (there are examples on MSDN and
other sites) and only use the first 80 bits of the output.
Regards,
Pieter Philippaerts
Valery Pryamikov
HMAC is specified as following algorithm:
HASH = iterated keyless hash (SHA1 in case of HMACSHA1)
ipad = {0x36} repeated to full hash block size (512 bits for SHA1)
opad={0x5C} repeated to full hash block size (512 bits for SHA1)
K'=K zero padded to full hash block size (512 bits for SHA1)
|| - concatenation
HMAC = HASH(K' XOR ipad || HASH(K' XOR opad || message))
Double appliance of HASH is required for protecting against various MAC
forging attacks on iterated hash functions by adding full hash blocks.
Double hash ensures that outer hash always processing message with length of
two blocks.
Using ipad and opad ensures that four bits of every byte of key is modified
by the masks 0x36 = 00110110 and 0x5c = 01011100, provides high Hamming
distance between the pads and prevents attempts of using little MAC
collision attack for the MAC forger.
Each element of HMAC algorithm is important for the security prove (ie.
remove anything from HMAC algorithm and no security prove may be provided).
So, to answer question about whether it is possible to use SHA1 to calculate
HMAC is yes - just use it with SHA1(K' XOR ipad || SHA1(K' XOR opad ||
message)).
If you asking whether it's possible that some combination of K and Message
produce value of HMAC(K, Message) to be the same as SHA1(Message) ... well,
its possible, but probability is negligibly low (ie. more difficult than
finding SHA1 collisions due to extra requirement on input structure of
HMAC... and none has managed to find SHA1 collisions yet).
-Valery.
http://www.harper.no/valery
"Ajey" <aj...@hotmail.com> wrote in message
news:eDDaEn6B...@TK2MSFTNGP12.phx.gbl...
William Stacey [MVP]
force the key that was used to produce the HMAC-SHA1 hash of the data? Say
with random key lengths of 16, 32, or 64 bytes. TIA
--
William Stacey, MVP
http://mvp.support.microsoft.com
"Valery Pryamikov" <Val...@nospam.harper.no> wrote in message
news:OEKYLb#BFHA...@TK2MSFTNGP10.phx.gbl...
Valery Pryamikov
if we assume that key is perfectly random and consists of n bits then brute
force takes in average 2^(n-1) trials. HMAC security is good and actually is
stronger than security of underlying hash (for example security of HMAC-MD5
was not affected by Wang at al. work in finding MD5 collisions).
From the other side - randomness of key is difficult to achieve (true
randomness is literally impossible). And smart brute force will trial source
of the lowest entropy. Good example is 1994/1995 successful attack on
Netscape's implementation of SSL by David Wagner due to low entropy output
of pseudo random function used by Netscape's for session key generation (it
David has shown that brute force of 128 bit key could be reduced to brute
force of less than 40 bits).
-Valery.
http://www.harper.no/valery
P.S. I saw your other thread. Regarding your protocol - you are weakening it
by using session key as hmac key. Assuming that asymmetric encryption is
RSA - combination of Bleichenbaher attack on RSA padding with
man-in-the-middle allows to convey key-related attacks on the protocol (with
possibility of total break of protocol). Means that any symmetric algorithm
that is vulnerable to key-related attacks would make your protocol insecure.
From the other side - scenario of original poster in that (other) thread
looks to be solvable by using some Identity based techniques (for example
Guillou-Quisquater or Gunter's selfcertified ID based keys) or multiparty
conferencing protocols (ex. Burmester-Desmedt).
simplest (GQ) could look like following:
- Bob uses RSA priv key. calculates SHA1(Alices_identity)^d mod n = s,
calculates multiplicative inverse of s mod n and sends s^(-1) =s_A to Alice
by using a secure channel;
- at some time later Bob generates random number r, calculates r^d*s mod n =
v and sends it to Alice by open channel;
- Alice calculates (v*s_A)^e mod n which gives her r;
Now Bob and Alice shares random number r that they can use as seed for
encryption key for data that Bob sends to Alice. Note that all operations
could be done offline.
And at last - IV doesn't need to be encrypted - it only requires authentity
assurance. Encryption doesn't provide authentity guarantee - signature or
MAC or authentic hash could be used for assuring IV authentity. Another good
way of generating IV could be using SHA1 hash of packet counter. In that
case you don't send IV, but calculate it on both ends (it additionally
allows detection of packet replay or packet remove attacks).
"William Stacey [MVP]" <stacey...@mvps.org> wrote in message
news:Oj0j2oXC...@TK2MSFTNGP09.phx.gbl...