Hi,
I'm working with some code that has a:
begin
require 'digest/hmac'
USE_EMBEDDED_HMAC = false
rescue LoadError # a failed require raises LoadError, which a bare rescue does not catch
puts "HMAC, not found in standard lib." + $!.message
require 'hmac-sha1'
USE_EMBEDDED_HMAC = true
end
As far as I could see, at least in rails 1.8.6 it's not part of the standard lib. Is it part of the ruby 1.9 lib? If not, should I in...
I have created a WBXML document from my SyncML OTA configuration XML document. To send this configuration to a cellphone I need to encode this document with the user-pin, which is by default always taken as "1234".
This requires me to calculate HMAC of the WBXML document with the pin "1234". I'm stuck at this and would appreciate any help on th...
I need to generate HMAC-SHA256 signatures for the Amazon web services API. The old DCPcrypt library has sha256 routines but does not do HMAC signing. Anyone know of a free hashing library I could use?
...
The very basic issue all developers face: Whenever a user submits the form, the password is sent via the network and it must be protected. The site I develop for doesn't have HTTPS. Neither does the owner want to buy an SSL certificate, nor is he interested in a self-signed one. So I want to protect the password sent via HTTP using Javascript w...
Hello,
I am on a MediaTemple Dedicated Virtual server and have enabled Pear using the instructions found at:
http://kb.mediatemple.net/questions/514/Enabling+PEAR+by+setting+your+open_basedir+and+include_path
Here's the problem...
In my PHP script, I have this:
require_once 'Crypt/HMAC.php';
When I execute the script, I get this me...
To generate a valid pairwise master key for a WPA2 network a router uses the PBKDF2-HMAC-SHA1 algorithm. I understand that the sha1 function is performed 4096 times to derive the PMK, however I have two questions about the process.
Excuse the pseudo code.
1) How is the input to the first instance of the SHA1 function formatted?
SHA1("...
Hello,
I am wondering whether I can use a shared secret key established between two clients as the HMAC key too.
I saw that there is a problem when it is used as a CBC-MAC but I haven't found any evidence it is bad practice for HMACs.
Thanks,
Vladimir
...
I want my application to encrypt a user password, and at one time the password will be decrypted to be sent to the server for authentication. A friend advised me to use HMAC. I wrote the following code in C#:
System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
byte[] key = encoding.GetBytes("secret");
HMACSHA256 myhmacsha25...
Hello,
I am trying to take an AES HMAC of a file using the openssl command line program on Linux. I have been looking at the man pages but can't quite figure out how to successfully make an HMAC. I can encrypt a file using the enc command with openssl; however, I can't seem to create an HMAC. The encryption looks like the following:
opens...
SSL Documentation Analysis
This question pertains to the usage of the HMAC routines in OpenSSL.
Since OpenSSL documentation is a tad on the weak side in certain areas, profiling has revealed that using the:
unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
int key_len, const unsigned char *d, int n,
...
Hello,
In an app we are calculating a SHA1Hmac in java using the following:
SecretKey key = new SecretKeySpec(secret, "HmacSHA1");
Mac m = Mac.getInstance("HmacSHA1");
m.init(key);
byte[] hmac = m.doFinal(data);
And later, the hmac is verified in C# - on a SmartCard - using:
HMACSHA1 hmacSha = new HMACSHA1(secret);
hmacSha.Initi...
Hi,
I would like to get the original query (in the exact same format as sent) from Django.
Currently, Django sends me a query dict object, wherein if I do querydict.urlencode(), I get the query back, but in a different format from what is sent, since the dictionary mangles the positions.
For GET, we can use, request.get_full_path().
I ha...
Please help! I have been pulling out my hair over this one. :)
I have a site that I need to HMAC SHA1 for authentication. It currently works with another language but now I need to move it to ColdFusion. For the life of me I cannot get the strings to match. Any assistance would be much appreciated.
Data: https%3A%2F%2Fwww%2Etestwe...
Hey, first, let me say, I'm not asking about things like md5(md5(..., there are already topics about it.
My question is this:
We allow our clients to store their passwords locally. Naturally, we don't want them stored in plain text, so we hmac them locally, before storing and/or sending. Now, this is fine, but if this is all we did, the...
My team and I are implementing a centralized API authentication system so that one set of API credentials can be shared among several different API-publishing services. These are all Rails apps.
Long explanation
For any given API transaction, there will typically be 3 apps involved:
End-user-facing app that consumes API X. Has API ...
I'm looking at implementing an app getting Twitter authorization via OAuth in Java. The first step is getting a request token. Here is a Python example for app engine. To test my code, I am running Python and checking output with Java. Here is an example of Python generating a Hash-Based Message Authentication Code (HMAC):
#!/usr/bin...
Is the security of the HMAC based on SHA-1 affected by the collision attacks on SHA-1?
...
EDIT: http://stackoverflow.com/questions/1609899/java-equivalent-to-phps-hmac-sha1
(well hopefully, trying a.t.m.)
My understanding is that to create a signature I need a 'base string' and a 'key'. I guess I know how to create the base string, and I assume I'm supposed to use the 'OAuth Consumer Secret' that Google has assigned to my app a...
Hi Everyone,
I'm kinda new to this topic so please be gentle ;) I'm attempting to use a 3rd-party Health API called Dossia (http://dossia.org).
I set up a test account and have received my OAuth Consumer Key and Secret. In the config there's a line which says
define('USER_SIG_METHOD','HMAC-SHA1');
My question is how do I make my ...
Hi all,
I have a working implementation of an OAUTH 2.0 Authentication solution using the standard HMAC shared key mechanism. A new requirement has been added: The servers issuing the tokens are secure, but some of the servers which will "trust" issued tokens are considered "semi secure", and should not have access to the shared secret...