Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A few questions #1

Open
To-mos opened this issue Feb 22, 2018 · 2 comments
Open

A few questions #1

To-mos opened this issue Feb 22, 2018 · 2 comments

Comments

@To-mos
Copy link

To-mos commented Feb 22, 2018
edited
Loading

It states in the readme that "This has been tested to work.", yet I can't seem to generate an HMAC hash that matches existing generators.
I used this to test the output with the message digest set to SHA1. The secret key I'm using is de5868364551a577acc1ed9e276ce7a7 the test message is Hello, Avatar!.
The website indicates that the HMAC will be f2299a4d48b89817ab87d84fb2b2ad3c60980ad7 but this script is giving me 7urZ3pGzQOVFOns1HixWiWnjtm0 a completely different length and hash all together.
Now I noticed the script says "length = 40 GET FROM READER SCRIPT/NOTECARD" but I haven't found an HMAC hashing function that can't take a variable length, even the website I used indicates "This [secret] key will vary in length depending on the algorithm that you use.".
Regardless, I tried padding the key until it was 40 chars long and tested again. Still it generated a completely different hash than the site. I even compared using a php, java, and python HMAC hashing function set to SHA1 and they all matched the sites hash but this script doesn't seem to.
Am I doing something wrong to get these different results?

Also since SHA1 is prone to length extension attacks and had the first public collision published on 2/23/2017, will you ever make a 256 version? Even certain frameworks I use won't allow HMAC signing with SHA1 for security reasons. So this would be beneficial to have at some point for many people.

Caveat: The script doesn't compile because "skey=YOURSECRETKEYHERE" needs the quotes escaped. The A variable doesn't get defined anywhere even though the dataserver event loads it. Also, in the 4 years this script has been up llXorBase64StringsCorrect was deprecated for llXorBase64.
@samuelguesnier
Copy link

Did you find a better version ?

@vinzenz
Copy link

vinzenz commented Sep 20, 2018
edited
Loading

just btw this is a base64 encoded result your hmac is hex however so it's a different encoding.
Your HMAC would be 8imaTUi4mBerh9hPsrKtPGCYCtc= in hex however the script produces a completely different one. The hex representation of 7urZ3pGzQOVFOns1HixWiWnjtm0 (which misses the pending =) is eeead9de91b340e5453a7b351e2c568969e3b66d

So it's different too and this seems off

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vinzenz @To-mos @samuelguesnier