How to create an HMAC in crystal-lang

See the OpenSSL::HMAC documentation.

I am trying this:

    require "openssl"
    puts OpenSSL::HMAC.hexdigest(:sha256, "secret key", "data")

and I am getting this error: undefined constant OpenSSL::HMAC

Other OpenSSL methods are working fine, like OpenSSL::Digest.new("SHA256").

What am I doing wrong?...

sha256 - Validating JWT signed with hmac-sha256

I am working on a project to use the Katana OpenID Connect middleware to authenticate with a third party (OpenAM) provider. The provider is signing the JWT with hmac-sha256. When the OpenID middleware is validating the JWT via a call to ValidateToken it is throwing the following exception:

    {"IDX10503: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey\r\n'.\nExceptions caught:\n 'System.InvalidOperationException: IDX10618: AsymmetricSecurityKey.GetHashAlgorithmForSignature( ... ) threw an exception.\n...

Writing a Hmac function in Vala

I am writing a cross-platform application in Vala for Windows and Linux. I need to implement Hmac for security, but unfortunately the GHmac class (link) has not been ported to Windows yet. I found the algorithm for Hmac on Wikipedia (link) and I believe I implemented it correctly, but when compared with the built-in class I don't get the same result. Here is my function below; if anyone can give me a hand finding the bug(s) that would be amazing.

    public static string compute_for_data(ChecksumType type, uint8[] key, ...

sha256 - How does one generate an HMAC string in Elixir?

I'm attempting to write an Amazon Product Advertising API client in Elixir. The developer guide describes the process for signing an API request in which an HMAC-SHA256 hash must be created using the request and the "Secret Access Key." This is the function I wrote to handle signing the request:

    defp sign_request(url) do
      url_parts = URI.parse(url)
      request = "GET\n" <> url_parts.host <> "\n" <> url_parts.path <> "\n" <> url_parts.query
      url <> "&Signature=" <> :crypto.hmac(:sha256, 'ThisIsMySecre...

Why does hmac use two solid pad parameters?

Hi, I just understand it from a piece of code at Wikipedia.

The problem is there are too many implementations that use solid pad parameters, e.g. ipad would be [0x36 * blocksize] and opad would be [0x5c * blocksize].

The questions are:

Why do people use these two solid pads in the code? Are they the best choice?

And since it's solid, is this algorithm really securer than H(H(key+msg)+key)?

By the way, I must say many documents about hashes and authentication are really horrible. Is it because the NSA asks them to not be clear?...

hmac - Implementing a side channel timing attack

I'm working on a project implementing a side channel timing attack in C on HMAC. I've done so by computing the hex encoded tag and brute forcing byte-by-byte by taking advantage of strcmp's timing optimization. So for every digit in my test tag, I calculate the amount of time it takes for every hex char to verify. I take the hex char that corresponds to the highest amount of time calculated and infer that it is the correct char in the tag and move on to the next byte. However, strcmp's timing is very unpredictable. Although it is easy to see th...

How to guarantee counter synchronisation between client and server for counter in hmac-based one time password implementation?

We are trying to implement a hmac-based one time password protocol for use in authenticating users over our API.

The idea is to encrypt a unique identifier for the user (uid) against a private key and an incremental counter. Then increment the counter for the next call.

    encrypt(uid, private_key, counter)
    # now increment the counter for the next call

Then on the server side, decrypt using the private key and the counter to get the user identifier (uid).

    decrypt(encrpyted_string, private_key, counter)
    # now increment the counter for the next received requ...

How and when do I use HMAC?

I was reading HMAC on Wikipedia and I was confused about a few points.

Where do I use HMAC?

Why is the key part of the hash?

Even if someone successfully used a "length-extension attack", how would that be useful to the attacker?...

SGX calculating HMAC inside enclave

I'm trying to calculate an HMAC with SHA512 inside an Intel SGX enclave. I got the code to work but receive the wrong results. I have an example that uses static pre-defined key and nonce from which the HMAC is calculated, but when verifying the received result it does not match the correct one.

Apparently there are two different variants to calculate the HMAC (according to this link); I've tried both.

Here is the function from the enclave:

    int calculateHMAC(uint8_t *key, uint8_t *nonce, uint8_t *res_hmac) { IppsHMACState...