What is the difference between 'sign' & 'generate' HMAC of Vault Transit?


Yossi Cohen

Jun 13, 2017, 11:40:32 AM
to Vault

Best Regards,
Yossi C.

Joel Thompson

Jun 13, 2017, 12:22:21 PM
to vault...@googlegroups.com
"Generate" (as I believe you intended the term) produces an HMAC-SHA2 of the input value using the specified key. "sign" takes in an asymmetric key and uses it to generate an asymmetric signature (currently ECDSA-P256 and Ed25519 are the supported algorithms).

The main differences between an asymmetric signature and an HMAC are around security of the verification key and perf. With HMAC, you need the same key used to generate the HMAC to verify it (so the verifier would also be able to generate a valid HMAC). With signature algorithms, you don't -- the verifier would need the private key to generate a valid signature. With a tool like Vault, which can allow you to verify HMACs without sharing the private key, this distinction is lessened. HMAC is also generally considered more performant, but there might still be reasons you want a signature with Vault (e.g., compliance obligations).

This post does a pretty reasonable job explaining this more in depth: https://crypto.stackexchange.com/a/30658

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/2cbc30ee-90f4-499f-b182-e0aee56ddbff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
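The property Joel describes above (an HMAC verifier holds the same key as the producer and can therefore mint tags itself, whereas a signature verifier holds only a public key and cannot) can be seen directly in a few lines of Go. The program below is an added illustration, not code from this thread or from Vault; it uses the Go standard library in place of the transit/hmac and transit/sign endpoints, generates its own keys, and the input string is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sampleInput is a constructed stand-in for the data a client would send to
// Vault's transit/hmac or transit/sign endpoint.
var sampleInput = []byte("order-id=4711;amount=100")

// HMACSHA256 models transit "generate HMAC": one symmetric key both produces
// and verifies the tag.
func HMACSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// HMACSHA256Hex returns the tag hex-encoded, which is how it is usually logged.
func HMACSHA256Hex(key, data []byte) string {
	return hex.EncodeToString(HMACSHA256(key, data))
}

// VerifyHMAC needs the secret key itself: whoever can verify can also produce.
func VerifyHMAC(key, data, tag []byte) bool {
	return hmac.Equal(HMACSHA256(key, data), tag) // constant-time compare
}

// SignEd25519 models transit "sign" with an ed25519 key: only the private key signs.
func SignEd25519(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifyEd25519 needs only the public key; the verifier cannot forge signatures.
func VerifyEd25519(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// DemoResult records the outcomes of the comparison so they can be checked.
type DemoResult struct {
	HMACValid            bool // genuine tag verifies under the shared key
	HMACMintedByVerifier bool // the verifier, holding the key, produced a valid tag for new data
	SigValid             bool // genuine signature verifies under the public key
	SigTamperedRejected  bool // modified data fails verification
	SigWrongKeyRejected  bool // a different public key fails verification
}

// Demo runs both schemes over sampleInput.
func Demo() (DemoResult, error) {
	var r DemoResult

	key := make([]byte, 32) // symmetric HMAC key, shared by producer and verifier
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	tag := HMACSHA256(key, sampleInput)
	r.HMACValid = VerifyHMAC(key, sampleInput, tag)

	// The HMAC verifier holds the key, so it can produce a tag for data it never
	// received; this is the "verifier would also be able to generate a valid HMAC"
	// point, and it is why Vault keeps the key and exposes verification as a call.
	other := []byte("order-id=4711;amount=999")
	r.HMACMintedByVerifier = VerifyHMAC(key, other, HMACSHA256(key, other))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	sig := SignEd25519(priv, sampleInput)
	r.SigValid = VerifyEd25519(pub, sampleInput, sig)

	tampered := append([]byte{}, sampleInput...)
	tampered[len(tampered)-1] ^= 0x01
	r.SigTamperedRejected = !VerifyEd25519(pub, tampered, sig)

	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	r.SigWrongKeyRejected = !VerifyEd25519(otherPub, sampleInput, sig)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

In practice the operational difference is who you hand the verification material to: a verifier of the Ed25519 signature gets only the public key, while a verifier of the HMAC either gets the key (and with it the ability to produce tags) or, with Vault, gets permission to call the verify endpoint against a key that never leaves Vault.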

Jeff Mitchell

Jun 13, 2017, 12:29:06 PM
to Vault
Thanks for chiming in Joel!

As a bit of extra context, one of the reasons it's different is that since you can HMAC with any key regardless of what type of key the main key is (AES, p256, ed25519), there needed to be a way in the API to differentiate. Rather than make it a flag to sign, we made it a separate endpoint so that it could be easily ACL'd and also be more visible/less confusing.

Best,
Jeff


Yossi Cohen

Jun 14, 2017, 4:58:25 AM
to Vault
Thank you, guys. The reason I raised this question is the Vault Transit API documentation. Is there an error in the documentation in the highlighted line below?

Sign Data

This endpoint returns the cryptographic signature of the given data using the named key and the specified hash algorithm. The key must be of a type that supports signing.

Method | Path                             | Produces
POST   | /transit/sign/:name(/:algorithm) | 200 application/json

Parameters

  • name (string: <required>) – Specifies the name of the encryption key to generate hmac against. This is specified as part of the URL.

Joel Thompson

Jun 14, 2017, 10:15:26 AM
to vault...@googlegroups.com
Yeah, that looks like a typo in the docs.

--Joel


Jeff Mitchell

Jun 14, 2017, 11:51:03 AM
to Vault
Hi Yossi,

Thanks for pointing that out! I've fixed it.

Best,
Jeff
