Is it safe to use a 128 bits key in HMAC-SHA256?


Solution 1

The page says that the 256-bit signature is derived from a payload (what Facebook is signing) + your 128-bit salt.

So yes, it sounds like correct usage.

The secret 16 bytes (32 characters) isn't actually a key in the sense that it's used to encrypt and decrypt something. Rather, it's a bit of data (a salt) that is used to alter the result of the digital signature, by changing the input ever-so-slightly, so that only someone who knew the exact secret and the exact payload could have created the signature.

Solution 2

HMAC takes the HASH(key) and uses it as the key if the length of the key is greater than the internal block size of the hash. Thus, a key larger than the internal block size of the hash provides no better security than one of equal size. Shorter keys are zero padded to be equal to the internal block size of the hash as per the HMAC specification.

It's impossible to use a 128-bit key with HMAC-SHA-256. If you mean 128 bits padded out to 512 bits with zeroes, then it's probably alright for short-term authentication. I'd recommend at least 256 bits and ideally you would want to use something equal to the internal block size of the underlying hash.
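The key handling described in Solution 2, written out as an added example (not part of either answer and not Facebook's or PHP's code). It implements HMAC-SHA256 by hand following RFC 2104 and checks it against Python's standard `hmac` module; the secret, long key and payload are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 internal block size in bytes (512 bits)

def normalize_key(key: bytes) -> bytes:
    """RFC 2104 key preparation: hash long keys, zero-pad short ones."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """H((K xor opad) || H((K xor ipad) || message)) with H = SHA-256."""
    k = normalize_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the expected and received tag."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

# Constructed sample values, not real credentials.
SECRET = b"00112233445566778899aabbccddeeff"   # 32 hex characters
LONG_KEY = bytes(range(100))                   # longer than one block
PAYLOAD = b'{"algorithm":"HMAC-SHA256","user_id":"constructed"}'

def demo() -> dict:
    tag = hmac_sha256(SECRET, PAYLOAD)
    return {
        # The hand-written version agrees with the standard library.
        "matches_stdlib": tag == hmac.new(SECRET, PAYLOAD, hashlib.sha256).digest(),
        # A short key behaves exactly like the same key zero-padded to 64 bytes.
        "short_eq_padded": tag == hmac_sha256(SECRET.ljust(BLOCK_SIZE, b"\x00"), PAYLOAD),
        # A key longer than the block size behaves like SHA-256(key).
        "long_eq_hashed": hmac_sha256(LONG_KEY, PAYLOAD)
        == hmac_sha256(hashlib.sha256(LONG_KEY).digest(), PAYLOAD),
        # Consequence of zero padding: trailing zero bytes do not change the tag.
        "trailing_zero_same": tag == hmac_sha256(SECRET + b"\x00", PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```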

Author: Ethan

Updated on June 07, 2022

Comments

  • Ethan almost 2 years

    Facebook app secret is a string of 32 characters (0-9, a-f) and thus it represents a 128-bit byte array. Facebook uses this as the key to generate signed requests using HMAC-SHA256. Is this a correct usage? I thought HMAC-SHA256 should use 256-bit keys.

  • Ethan over 11 years
    No, it uses PHP's hash_hmac function, where the third argument is $secret. See this line: $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  • Ethan over 11 years
    Not sure how PHP's hash_hmac function handles keys that are not long enough.
  • antak over 11 years
    "Returns a string containing the calculated message digest." A message digest is the same thing as a signature, and in this case, the term key is synonymous with the concept of salting. Looking at en.wikipedia.org/wiki/Hash-based_message_authentication_code shows that key is concatenated onto the payload before hashing.
  • antak over 11 years
    A 128-bit strength for the secret means just that. You benefit from that strength if someone tries to guess your secret and fraudulently sign malicious payloads to pretend they came from Facebook. Whatever number of bits the hashing function produces isn't strictly related.
  • antak over 11 years
    You're right, I meant whatever 128 divided by 8 would be, but wrote 32 bytes (before the update).
  • Michael J. Gray over 8 years
    @antak A message digest is not the same thing as a signature. I think you've confused it with a message authentication code, which is what HMAC provides. Furthermore, the HMAC key is a key and it is not a salt, it is integrated using a mixing function described in the specification; it's not just prepended unless it's an incorrect implementation of HMAC. In the end it looks like a double salt mechanism, but that's not quite the case. I suggest reading the security proof behind it for more details.
  • antak over 8 years
    @MichaelJ.Gray "A message digest is not the same thing as a signature." I'm not sure what you're getting at with this. Facebook's page that the question referred to calls it a signature, which I followed suit in my answer, while PHP's documentation calls hash_hmac's return value a message digest. One or the other may not be technically correct w.r.t. HMAC's spec, but I'm pretty sure we're all talking about hash_hmac's return value.
  • antak over 8 years
    @MichaelJ.Gray "the HMAC key is a key and it is not a salt, it is integrated using a mixing function described in the specification" Are you saying that the HMAC function will produce an output that's less than N-bit strength if fed a key/secret of length N where N is less than 256? In that case, doing so is indeed bad and not recommended. I gathered from the Wikipedia article, albeit with my limited knowledge, that this wasn't the case, and drew the conclusion that the key, like a salt, brings no ill-proportional sufferings by being shorter than the practical maximum.
  • Ella Rose almost 8 years
    I know it's a bit late to the conversation, but some may be interested in this question on crypto.se which discusses the difference between a signature, a MAC, and a hash. The three are, in fact, not the same, despite the fact that "signature" is oftentimes inappropriately used in place of "MAC" by those who are not familiar enough with the concepts.