An online webhook API I have started using uses HMAC to verify the authenticity of the HTTP POST request.
From my understanding you can only verify the contents of the body of the request if you have the secret key (which was supplied to the service originally).
However, the secret key is included in the JSON data in the body of the request itself.
Is this still reliable? Couldn't a man-in-the-middle read the key, then change the POST contents, recalculate the HASH using the key and change the header as well before forwarding the data? Or am I totally on the wrong track here?
RFC 6234: US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) explains only how the initial hash values (H(0)) for SHA-256, SHA-384, and SHA-512 were obtained. How was the H(0) for SHA-224 obtained?
§6.1. SHA-224 and SHA-256 Initialization
For SHA-224, the initial hash value, H(0), consists of the following 32-bit words in hex:
H(0)0 = c1059ed8H(0)1 = 367cd507H(0)2 = 3070dd17H(0)3 = f70e5939H(0)4 = ffc00b31H(0)5 = 68581511H(0)6 = 64f98fa7H(0)7 = befa4fa4
For SHA-256, the initial hash value, H(0), consists of the following eight 32-bit words, in hex. These words were obtained by taking the first 32 bits of the fractional parts of the square roots of the first eight prime numbers.
H(0)0 = 6a09e667H(0)1 = bb67ae85H(0)2 = 3c6ef372H(0)3 = a54ff53aH(0)4 = 510e527fH(0)5 = 9b05688cH(0)6 = 1f83d9abH(0)7 = 5be0cd19
§6.3. SHA-384 and SHA-512 Initialization
For SHA-384, the initial hash value, H(0), consists of the following eight 64-bit words, in hex. These words were obtained by taking the first 64 bits of the fractional parts of the square roots of the ninth through sixteenth prime numbers.
H(0)0 = cbbb9d5dc1059ed8H(0)1 = 629a292a367cd507H(0)2 = 9159015a3070dd17H(0)3 = 152fecd8f70e5939H(0)4 = 67332667ffc00b31H(0)5 = 8eb44a8768581511H(0)6 = db0c2e0d64f98fa7H(0)7 = 47b5481dbefa4fa4
For SHA-512, the initial hash value, H(0), consists of the following eight 64-bit words, in hex. These words were obtained by taking the first 64 bits of the fractional parts of the square roots of the first eight prime numbers.
H(0)0 = 6a09e667f3bcc908H(0)1 = bb67ae8584caa73bH(0)2 = 3c6ef372fe94f82bH(0)3 = a54ff53a5f1d36f1H(0)4 = 510e527fade682d1H(0)5 = 9b05688c2b3e6c1fH(0)6 = 1f83d9abfb41bd6bH(0)7 = 5be0cd19137e2179
I would like to get (programmatically) the native length of the HMAC function from an instance (or static method) of that class. (160 bits for SHA1, 512 for SHA512. AFAIK) Is there a way?
If not, perhaps there's a way to get it from SHA1Managed or SHA1 (and their SHA512 counterparts)?
i installed a pod successfully "cryptoSwift' to get sha-2 in my xcode project using swift2. but after pod installation when i build project it shows me a lot of error in pod files. why i am getting this error. what's i am doing wrong?
Thanks in advance.
Am i going crazy? Here's my scala code with
"org.bouncycastle" % "bcprov-jdk15on" % "1.59"
import java.util.Base64import java.security.MessageDigestimport org.bouncycastle.jce.provider.BouncyCastleProviderimport java.security.Securityimport java.nio.charset.CharsetSecurity.addProvider(new BouncyCastleProvider)val sha1 = MessageDigest.getInstance("SHA1", "BC")val digest = sha1.digest("foo".getBytes(Charset.forName("UTF-8")))Base64.getEncoder.encodeToString(digest)
this produces, for
openssl dgst -binary -sha1 <<< "foo" | openssl enc -base64
The same is happening for MD5 and SHA256Obviously someone is doing something different than the other.. but what?
I verified base64 encoding in isolation between openssl enc -base64 and java.util.Base64, and it seems like there's an extra character(..) in the openssl output, plus java.util.Base64 pads, otherwise it's a match
scala> Base64.getEncoder.encodeToString("foo,bar,etc".getBytes(Charset.forName("UTF-8")))res6: String = Zm9vLGJhcixldGM=$ openssl enc -base64 <<< "foo,bar,etc"Zm9vLGJhcixldGMK