什么是双HMAC验证，它如何工作？

发布于 2025-01-25 04:25:10 字数 1020 浏览 4 评论 0原文

API不会存储用户发送的未经要求的身份验证密钥。它仅存储Hashed身份验证密钥，以防止“通过”攻击（在其中泄漏的数据库的情况下，攻击者只会通过Hashed身份验证密钥来获得身份验证并作为真实用户执行操作）。服务器始终将从客户端收到的身份验证密钥放置，以防止此攻击向量。

如果Hashed身份验证密钥与数据库中的结果不匹配，则API以负面响应对失败表示负面响应。 API端通过使用双HMAC验证（ https://www.nccgroup.trust/us/about-us/newsroom-and---------------------------/blog/2011/february/double-hmac-verification/ ）。

不幸的是，该链接已经死了，Google搜索通常会指向相同的来源。当您需要原始键来验证签名时，您能解释一下双HMAC验证如何工作？谢谢

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

◇流星雨 2025-02-01 04:25:10

该URL已通过Wayback Machine存档，因此您仍然可以阅读完整的博客文章： http://web.archive.org/web/201602030444316/https:/https://wwwwwww.nccgroup 。

最后，很容易，就像“双HMAC”的名称表示它使用相同的HMAC键执行了两次HMAC。

public void validateHMACSHA256(byte[]receivedHMAC, byte[]message, byte[]key) {
    HashAlgorithm hashAlgorithm = new HMACSHA256(key);

    // size and algorithm choice are not secret; no weakness in failing fast here.
    if (receivedHMAC.Length != hashAlgorithm.HashSize / 8) {
        Throw new CryptographicException("HMAC verification failure.");
    }
    byte[]calculatedHMAC = hashAlgorithm.ComputeHash(message);
    // Now we HMAC both values again before comparing to randomize byte order.
    // These two lines are all that is required to prevent many existing implementations
    // vulnerable to adaptive chosen ciphertext attacks using the timing side channel.
    receivedHMAC = hashAlgorithm.ComputeHash(receivedHMAC);
    calculatedHMAC = hashAlgorithm.ComputeHash(calculatedHMAC);

    for (int i = 0; i < calculatedHMAC.Length; i++) {
        if (receivedHMAC[i] != calculatedHMAC[i]) {
            throw new CryptographicException("HMAC verification failure.");
        }
    }
}

That URL has been archived by Wayback Machine so you can still read the full blog post: http://web.archive.org/web/20160203044316/https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/

The post contains a C# code snippet that demonstrates how to perform a double HMAC verification. In the end is pretty easy, just as the name "double HMAC" indicates it performs an HMAC two times, using the same HMAC-key.

public void validateHMACSHA256(byte[]receivedHMAC, byte[]message, byte[]key) {
    HashAlgorithm hashAlgorithm = new HMACSHA256(key);

    // size and algorithm choice are not secret; no weakness in failing fast here.
    if (receivedHMAC.Length != hashAlgorithm.HashSize / 8) {
        Throw new CryptographicException("HMAC verification failure.");
    }
    byte[]calculatedHMAC = hashAlgorithm.ComputeHash(message);
    // Now we HMAC both values again before comparing to randomize byte order.
    // These two lines are all that is required to prevent many existing implementations
    // vulnerable to adaptive chosen ciphertext attacks using the timing side channel.
    receivedHMAC = hashAlgorithm.ComputeHash(receivedHMAC);
    calculatedHMAC = hashAlgorithm.ComputeHash(calculatedHMAC);

    for (int i = 0; i < calculatedHMAC.Length; i++) {
        if (receivedHMAC[i] != calculatedHMAC[i]) {
            throw new CryptographicException("HMAC verification failure.");
        }
    }
}

回复收藏 0 原文

~没有更多了~