hmac

How can I create a signature for AWS in Javascript?

痴心易碎 submitted on 2019-12-11 01:52:06
Question: I am trying to create the signature for AWS Mechanical Turk, using Node.js, but am having trouble doing so. At the moment I am using the following, but keep getting errors:

    CryptoJS.HmacSHA1(service + operation + timestamp, process.env.SECRET_ACCESS_KEY);

The explanation of the signature is at this link. It states that to create a signature A request signature, an HMAC, is calculated by concatenating the values of the Service, Operation, and Timestamp parameters, in that order, and then

Node Hmac Authentication

一个人想着一个人 submitted on 2019-12-11 00:44:21
Question: My understanding of the authentication process. The host creates a secret and a public api key. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host. Example client The host checks if the public key is allowed to do an operation and gets the secret according to the client's public key. With the help of the secret the host decrypts the signature and compares it to the payload. Question Is the above

FIPS validated application with HMAC function based on SHA512?

这一生的挚爱 submitted on 2019-12-10 17:17:29
Question: I'm building a FIPS validated application and have the FIPS mode turned on on my computer. I need an HMAC function hopefully based on SHA512. I understand that the HMAC SHA1 function is FIPS validated but I have a hash function SHA512CryptoServiceProvider which is FIPS validated and I know that FIPS does in fact allow for SHA512. Is there a similar HMAC function in C# that does FIPS validated HMAC SHA512?
Answer 1: There is a HMACSHA512 Class, but it uses the SHA512Managed Class internally, which

HMAC SHA1 Digest in python

橙三吉。 submitted on 2019-12-10 16:33:46
Question: I'm using the Moves API to get some fitness data. Instead of querying the API on a regular basis I would like to use the storyline notifications. It works, I get a request from the API but I'm unable to verify the hmac sha1 signature provided in the request. The Documentation says: All notification requests are signed with Base64 encoded HMAC-SHA1 signature. The signature is calculated as HMAC_SHA1(<your client secret>,<request body>|<timestamp>|<nonce>), in other words the client secret as

HttpContent.ReadAsByteArrayAsync() fails without error inside DelegatingHandler

二次信任 submitted on 2019-12-10 15:48:06
Question: I'm trying to implement HMAC security for an API. Everything works fine until I try to post a file. The HMAC solution can be found here - https://github.com/gavinharriss/WebAPI.HMAC - it's a fork from the original to allow GET requests as well as POST requests. The code to attach a file:

    var requestContent = new MultipartFormDataContent();
    var fileContent = new ByteArrayContent(file);
    requestContent.Add(fileContent, "file", filename);

If I immediately call HttpContent.ReadAsByteArrayAsync()

PHP Code Audit: A Small Challenge

三世轮回 submitted on 2019-12-10 12:39:14
PHP code:

    <?php

    if (empty($_POST['hmac']) || empty($_POST['host'])) {
        header('HTTP/1.0 400 Bad Request');
        exit;
    }

    $secret = getenv("SECRET");

    if (isset($_POST['nonce']))
        $secret = hash_hmac('sha256', $_POST['host'], $secret);

    $hmac = hash_hmac('sha256', $_POST['host'], $secret);

    if ($hmac !== $_POST['hmac']) {
        header('HTTP/1.0 403 Forbidden');
        exit;
    }

    echo exec("host ".$_POST['host']);
    ?>

Reading the code: the whole flow is that hmac and host are sent via POST, and the final check has to be bypassed. When the hmac sent via POST equals the computed hmac, echo exec("host ".$_POST['host']); is finally executed, which indicates success. Two checks: if (empty($_POST['hmac']) || empty($_POST['host

How are these 2 lines of PHP different?

眉间皱痕 submitted on 2019-12-10 09:46:34
Question: Assuming we have a salt that's in the database and that has been generated like this

    $salt = time();

What is the difference between these 2 lines.

    $pass1 = hash('sha1', $password . $salt);
    $pass2 = hash_hmac('sha1', $password, $salt);

They don't produce the same output. The first one, the hash function takes 2 params, while the hash_hmac needs 3 params. You would therefore think that we can get that third extra param by using the $salt separately (to fulfill the third param) as opposed to

HMAC, Elixir, Plug.Conn (trying to call read_body more than once)

六月ゝ 毕业季﹏ submitted on 2019-12-10 09:44:46
Question: I'm struggling with an issue where something is reading the body of an http request before Plug.Parsers.JSON gets it in the pipeline. Because of this, read_body in the plug for json times out--you can't read the body twice. We have an HMAC implementation in an earlier plug in our pipeline and it reads the body in some cases. Is there a pattern for how use of the body is to behave in Plug? I mean, if we can only read it once, and it has to be decoded in Plug.Parsers.JSON, well...it's not going

NodeJS hmac digest issue with accents

别来无恙 submitted on 2019-12-10 03:26:47
Question: I'm doing a side by side comparison with Ruby, PHP and NodeJS for the following code, getting an incorrect response in NodeJS using the crypto module.

PHP

    hash_hmac('sha256', 'text', 'á');

Ruby

    OpenSSL::HMAC.hexdigest('sha256', 'á', 'text')

NodeJS

    var signer = crypto.createHmac('sha256', 'á');
    var expected = signer.update("text").digest('hex');

Both Ruby and PHP return 34b3ba4ea7e8ff214f2f36b31c6a6d88cfbf542e0ae3b98ba6c0203330c9f55b, while NodeJS returns

Converting HMAC-SHA1 from node.js to Java

僤鯓⒐⒋嵵緔 submitted on 2019-12-10 00:20:29
Question: I have been tasked with converting some existing piece of node.js code to Java. I think I'm well on my way, but I'm kind of stuck right now. The output of the methods do not seem to match. What I'm doing is creating a SHA-1 signature based on a query string. This query string contains some query-related data (not relevant for this question) and an API key. Important The api_secret string in node.js is equivalent to Config.API_SECRET in Java. Example query string (these are equal in the node