Simple Keyed hash question

"serge calderara" <sergecalder***@discussions.microsoft.com> wrote in message news:C82781A5-DE96-448D-889D-A102C705A288@microsoft.com...

Dear all,

I have a simple question relating to the keyed hash algorithm.
I have understood from different readings that this type of hashing with a secret key (a common password) is used to prevent a malicious person from modifying the hash value.

This is done by using the following code sample:

Dim myhash As HMACSHA1 = New HMACSHA1(secretkey)

For my sample I have a file which is read, and then a hash value is issued from that file based on the given password. In that way it is explained that whatever change occurs, either in the file content or the given password, a new hash value will be generated.

What I did not catch here is how you can proceed to file validation then, because a hacker can modify the file content anyway??

If you do such validation with a hash value, this hash value needs to be stored somewhere in order to be compared the next time; where is it stored then???

Thanks for your help
regards
serge

"Joe Kaplan (MVP - ADSI)" wrote:

Typically, you just include the hash along with the data, much like you might include a signature with the signed data. HMACs are conceptually very much like the symmetric key equivalent of a signature. Instead of using a certificate (pub key/private key), both the party generating the HMAC and the party validating it must know the secret key. The HMAC does not provide identity information, but it does tell you if the file has been tampered with.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

"serge calderara" <sergecalder***@discussions.microsoft.com> wrote in message news:79B30985-4234-40EC-ABE1-F38315079E9A@microsoft.com...

Thanks for your reply.

So if I understand well, in real life people using that stuff are, for instance, attaching the HASH value to an encrypted file content (for example at the beginning of the file). Then the receiver will know that the first part of the file is the HASH, in addition to the secret key.

Is this what you mean?

Based on symmetric encryption, the secret key needs to be transferred one way or another to the receiver. In that case, how can the secret key be safely transmitted?

regards
serge

"Joe Kaplan (MVP - ADSI)" wrote:

HMACs are frequently used to provide tamper resistance. If I send you out some data and an HMAC for it, if I have the key that was used with the HMAC and I get that same data again, I can recompute the HMAC and determine whether the data I got is the same as the data I sent out.

A simple example might be providing tamper resistance for a query string on a URL. From the server side, I can set some data in the query string and also include an HMAC of the data. When I receive that same query string back in another request from the browser, I can check if the data I set in the query string is the same as the data I received in the request. If it is different, I know the user tampered with it and I have a potential security issue.

You can do the same thing with cookies. Lots of applications lend themselves to this type of cryptography, where my goal is to make sure some data does not change, but I don't have control over it all the time.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
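
The query-string check described in the last reply, as an added Python example that is not part of the thread (the thread's own line of code is VB.NET). The key, the parameter names and the `mac` field are assumptions, and HMAC-SHA256 stands in for the thread's HMACSHA1; the same compute-and-compare step covers the file case, with the tag stored alongside the file.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed demo key (assumption). A real key is random, e.g.
# secrets.token_bytes(32), and stays on the server.
SERVER_KEY = b"constructed-demo-key-0123456789abcdef"


def _tag(payload: str, key: bytes) -> str:
    """Hex HMAC-SHA256 of the serialized payload under the given key."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_query(params: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize params and append an HMAC over the serialized bytes."""
    # Sort so the signed string does not depend on dict ordering.
    payload = urlencode(sorted(params.items()))
    return f"{payload}&mac={_tag(payload, key)}"


def verify_query(query: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the params if the tag matches, None if tampered or unsigned."""
    payload, sep, received = query.rpartition("&mac=")
    if not sep:
        return None  # no tag present: reject rather than trust
    expected = _tag(payload, key)
    # Constant-time comparison so timing does not reveal how much matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return dict(parse_qsl(payload, keep_blank_values=True))


if __name__ == "__main__":
    signed = sign_query({"user": "serge", "role": "reader"})
    print(signed)
    print(verify_query(signed))
    # Data changed after signing: the recomputed tag no longer matches.
    print(verify_query(signed.replace("role=reader", "role=admin")))
    # A tag made without the server key does not verify either.
    print(verify_query(sign_query({"role": "admin"}, b"guess")))
```

Because the tag depends on the secret key, someone who edits the data cannot produce a matching tag, which is why the tag can travel with the data.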