Questions tagged [hmac]
a method for constructing a message authentication code based on a cryptographic hash function.
290 questions
1
vote
1
answer
92
views
Authenticate web application generated data
I am currently developing a web application where I need to ensure that retrieved data (stored in database) have been generated by one or multiple (in the case of clustered applications) application. ...
- 113
2
votes
0
answers
177
views
Searchable encryption for phone numbers
I have a table in Postgres that stores phone numbers. Since phone
numbers are considered PII, I cannot store them as plaintext.
For other PII fields, I use AES-256-CBC. However, the requirements are ...
8
votes
2
answers
438
views
Why are HMAC signatures frequently used for webhook authorization but not other HTTP API requests?
HMAC signatures are very commonly used for webhook authorization from service to consumer.
Examples:
Stripe
Slack
Twilio
Twitter
GitHub
and hundreds and hundreds more. This seems a near universal ...
- 980
1
vote
2
answers
230
views
Why does TLS use two separate sequence numbers?
In TLS separate implicit sequence numbers for sent and received packets are used to calculate the HMAC in the record layer. The RFC 5246 says:
Each connection state contains a sequence number, which ...
- 13
2
votes
1
answer
2k
views
CSRF: Signed Double Submit Cookie & 'Referer' validation vs MITM and vulnerable subdomains
I have been researching various techniques for preventing CSRF attacks, such as SOP, SameSite, Secure, Referer validation, and CSRF Tokens, and their potential bypasses. During my research, I ...
- 141
0
votes
1
answer
632
views
Session based CSRF Tokens - What value do i use with JWT?
The Double Submit Cookie CSRF Token pattern is a stateless technique that doesn't require storage or a database. However, it's vulnerable to session hijacking attacks and sub-/sibling domains that are ...
- 141
1
vote
1
answer
181
views
javascript: how to apply block cipher to byte stream
I am writing browser javascript that has a pre-shared key with nonce, and creates a binary websocket connection. How can I apply block encryption-authentication such as AES-GCM to the messages?
Is it ...
- 389
2
votes
1
answer
227
views
I using sha256 after adding a secret enough if the message includes its length?
I've been reading about HMAC protecting from length extension attacks, but if the message already specifies it size, is HMAC adding any advantange to simple hashing after prepending a secret?
As ...
- 123
2
votes
0
answers
165
views
What would be the most complete procedure to get a simple login system working securely?
I don't have formal CS education but i've written one or 2 little websites. I have troubles communicating even in my native language but i hope this is understandable.
With simple i mean something ...
0
votes
1
answer
762
views
Key derivation for HMAC, concatenate vs multiple HMAC passes
I'm trying to build a generic function to encrypt HMAC values with a single global secret key, but that can be "scoped" or salted by application/uses. For instance, an HMAC for a session ...
0
votes
1
answer
480
views
Is an HMAC of an email address with a permanent secret key a good way to generate security tokens for unsubscribing from an email list?
I'm writing a mailing list manager program. For subscribing and unsubscribing, I'm considering using HMACs of email addresses with secret keys to generate unsubscribe links. This key would be ...
- 189
0
votes
1
answer
340
views
Is is safe to pass an API key in a HMAC hash?
I have 2 websites: a.com and b.com
To avoid using SAML for Single-Sign-On and making things complicated, I've taken this approach:
a.com is the identity provider. All users will be asked to sign in on ...
- 3
1
vote
1
answer
617
views
What exactly happens when you use 2FA with "Password" + "Yubikey HMAC" Login in KeepassXC?
Usecase: KeepassXC is configured with a Passward + Yubikey HMAC.
I am trying to understand the exact steps that happen.
I think the first five Steps are clear:
Open KeepassXC
Enter Password
Select ...
- 21
1
vote
0
answers
817
views
How exactly does OpenVPN's tls-auth option apply HMAC to packet messages?
Update: I've been able to work out everything I was asking about packet structure when I was finally able to get Wireshark to work, but there is one last thing I'm confused on which I detail at the ...
- 109
0
votes
1
answer
314
views
How does HMAC fit in BLE?
In BLE there is events like authentication, pairing, bonding, exchange of LTK to secure a link, etc...
How does HMAC fit in BLE? I know that HMAC is used to ensure the integrity of a message so does ...
- 101