Hubert Gregoire, profile picture
Uploaded byHubert Gregoire
PDF, PPTX694 views

HMAC a signature alternative

HMAC is a message authentication code (MAC) that uses a cryptographic hash function and secret key to authenticate messages and verify their integrity. It was standardized in 1995 and is commonly used to provide security for browser communications, network protocols, REST APIs, wireless technologies, and more. HMAC works by hashing the key concatenated with the hashed key and message. It provides authentication and integrity but not confidentiality.

Embed presentation

Download as PDF, PPTX
HMAC a signature alternative Montpellier 9 / 1 /2018
Agenda About me Introduction History Usages Principles Code sample…
About the speaker Open standards, Java, JS, Agility and infoSec passionate since lthe last century… @hgregoire CTO @ Agysoft
Introduction • CIA Security principles Confidentiality Integrity Availability
HMAC, What’s for ? • Wikipedia : In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. Features: • Authentification of message • Integrity of message • NOT Confidentiality Source: https://en.wikipedia.org/wiki/Message_authentication_code
HMAC History • RFC 2104 , in 1995 experts from IBM and l’USCD • Many attacks based on key length, hash function , and brute force • Initialy: MAC = H(key || message) , vulnerable to length attack • then: MAC = H(message || key), vulnerable to collisions • then: MAC = H(key || message || key) better, but still cracked • Many variants called VMAC, NMAC that are rarely used • FIPS PUB 198 generalizes and standardizes the use of HMACs. • RFC 6151, in 2011 MD5 vulnerability proof but prefer SHA3
HMAC principles (2011 version) • H(key || H(key || message)) • Key is XOR’ed Source: http://www.unixwiz.net/techtips/iguide-ipsec.html
HMAC Usages •Almost everywhere… •Brower : TLS •Network : VPN •Rest service : Token JWS •Wireless : WPA, Bluetooth
HMAC Code sample • Java implementation since jdk5, better use Apache Commons Codec • JSON Web Signature (JWS) with HMAC protection https://connect2id.com/products/nimbus-jose-jwt/examples/jws-with-hmac • Here's a sample in NodeJS using the NodeJS crypto library: var hmac = crypto.createHmac('sha256', secret_key); hmac.update(request.body.message); var signature = hmac.digest('hex')); SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM); final Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM); mac.init(signingKey); mac.doFinal(message.getBytes());
HMAC in your Browser • W3C Javascript API WebCrypto implements HMAC, use Polyfill or crypto.js library for older browsers LIVE DEMO: https://jameshfisher.com/2017/10/31/web-cryptography-api-hmac.html
Merci à vous ! Rejoignez nous ! Agysoft recrute 1 dev et 1 archi

More Related Content

PPTX
Cryptography ppt
byGowarthini
 
PPTX
Cryptography in networks
byKajal Chaudhari
 
PPTX
Cryptography Training Level 1 : Tonex Training
byBryan Len
 
PPTX
Encryption
byZeeshan Butt
 
PDF
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
byAnish Mohammed
 
PPT
cryptography deepan fav subject
bydeepan v
 
PPT
Cryptogaphy
byMustahid Ali
 
PDF
Group Presentation Slide Week13
byYorito Tamura
 
Cryptography ppt
byGowarthini
 
Cryptography in networks
byKajal Chaudhari
 
Cryptography Training Level 1 : Tonex Training
byBryan Len
 
Encryption
byZeeshan Butt
 
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
byAnish Mohammed
 
cryptography deepan fav subject
bydeepan v
 
Cryptogaphy
byMustahid Ali
 
Group Presentation Slide Week13
byYorito Tamura
 

Similar to HMAC a signature alternative

PPTX
Hash Function
bySiddharth Srivastava
 
PPT
Message authentication
byCAS
 
PPT
Distribution of public keys and hmac
byanuragjagetiya
 
PDF
HMAC authentication
bySiu Tin
 
PDF
Message Authentication and Hash Function.pdf
bysunil sharma
 
PPT
Information and data security cryptography and network security
byMazin Alwaaly
 
PPTX
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
byPACHIYAPPAN PACHIYAPPAS
 
PDF
HMAC SHA 256- PROPOSED AUTHENTICATION ALGORITHM-PRINCE DUAH MENSAH-MPhil IT (...
bySIR SUCCESS PRINCE DUAH DUAH
 
PPT
Message Authentication Requirement-MAC
bySou Jana
 
PDF
Computer network system presentation pdf
byprajjavalsingh2629
 
PPTX
unit4- predicate logic in artificial intelligence
bythirugnanasambandham4
 
PPT
Message Authentication Code & HMAC
byKrishna Gehlot
 
PPTX
final ppt TS.pptx
bypaluribalu2001
 
PPTX
MESSAGE AUTHENTICATION CODE in cryp.pptx
bysoundariya20
 
PPT
6.hash mac
byVirendrakumar Dhotre
 
PPT
lec-05-Message authentication, hashing, basic number theory.ppt
byssuser6c0026
 
PPTX
Message authentication code presentation.pptx
bynitindr773
 
PDF
BAIT1103 Chapter 2
bylimsh
 
PPTX
Message auth. code Based on Hash Functions.pptx
byaribariaz507
 
PPT
CS283_hash.ppt
byvicepy
 
Hash Function
bySiddharth Srivastava
 
Message authentication
byCAS
 
Distribution of public keys and hmac
byanuragjagetiya
 
HMAC authentication
bySiu Tin
 
Message Authentication and Hash Function.pdf
bysunil sharma
 
Information and data security cryptography and network security
byMazin Alwaaly
 
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
byPACHIYAPPAN PACHIYAPPAS
 
HMAC SHA 256- PROPOSED AUTHENTICATION ALGORITHM-PRINCE DUAH MENSAH-MPhil IT (...
bySIR SUCCESS PRINCE DUAH DUAH
 
Message Authentication Requirement-MAC
bySou Jana
 
Computer network system presentation pdf
byprajjavalsingh2629
 
unit4- predicate logic in artificial intelligence
bythirugnanasambandham4
 
Message Authentication Code & HMAC
byKrishna Gehlot
 
final ppt TS.pptx
bypaluribalu2001
 
MESSAGE AUTHENTICATION CODE in cryp.pptx
bysoundariya20
 
6.hash mac
byVirendrakumar Dhotre
 
lec-05-Message authentication, hashing, basic number theory.ppt
byssuser6c0026
 
Message authentication code presentation.pptx
bynitindr773
 
BAIT1103 Chapter 2
bylimsh
 
Message auth. code Based on Hash Functions.pptx
byaribariaz507
 
CS283_hash.ppt
byvicepy
 

Recently uploaded

PPTX
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
PDF
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
PDF
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
PPTX
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
PPTX
7G (7th generation of technology) seminar presentation
bymitalijally6
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PPT
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 
PDF
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
PDF
Guide: Essential Google Search Operators
bySocial Searcher
 
PDF
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
7G (7th generation of technology) seminar presentation
bymitalijally6
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
Guide: Essential Google Search Operators
bySocial Searcher
 
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 

HMAC a signature alternative

  • 1.
  • 2.
  • 3.
    About the speaker Openstandards, Java, JS, Agility and infoSec passionate since lthe last century… @hgregoire CTO @ Agysoft
  • 4.
    Introduction • CIA Securityprinciples Confidentiality Integrity Availability
  • 5.
    HMAC, What’s for? • Wikipedia : In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. Features: • Authentification of message • Integrity of message • NOT Confidentiality Source: https://en.wikipedia.org/wiki/Message_authentication_code
  • 6.
    HMAC History • RFC2104 , in 1995 experts from IBM and l’USCD • Many attacks based on key length, hash function , and brute force • Initialy: MAC = H(key || message) , vulnerable to length attack • then: MAC = H(message || key), vulnerable to collisions • then: MAC = H(key || message || key) better, but still cracked • Many variants called VMAC, NMAC that are rarely used • FIPS PUB 198 generalizes and standardizes the use of HMACs. • RFC 6151, in 2011 MD5 vulnerability proof but prefer SHA3
  • 7.
    HMAC principles (2011version) • H(key || H(key || message)) • Key is XOR’ed Source: http://www.unixwiz.net/techtips/iguide-ipsec.html
  • 8.
    HMAC Usages •Almost everywhere… •Brower: TLS •Network : VPN •Rest service : Token JWS •Wireless : WPA, Bluetooth
  • 9.
    HMAC Code sample •Java implementation since jdk5, better use Apache Commons Codec • JSON Web Signature (JWS) with HMAC protection https://connect2id.com/products/nimbus-jose-jwt/examples/jws-with-hmac • Here's a sample in NodeJS using the NodeJS crypto library: var hmac = crypto.createHmac('sha256', secret_key); hmac.update(request.body.message); var signature = hmac.digest('hex')); SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM); final Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM); mac.init(signingKey); mac.doFinal(message.getBytes());
  • 10.
    HMAC in yourBrowser • W3C Javascript API WebCrypto implements HMAC, use Polyfill or crypto.js library for older browsers LIVE DEMO: https://jameshfisher.com/2017/10/31/web-cryptography-api-hmac.html
  • 11.
    Merci à vous! Rejoignez nous ! Agysoft recrute 1 dev et 1 archi