hmac module and key format

Discussion in 'Python' started by Stuart Longland, Feb 20, 2011.

  1. Hi,

    Maybe I'm completely dense with regards to the hmac module and HMAC in
    general, but I've searched and cannot find for the life of me the
    answer to this very basic question.

    What format does hmac require the key to be in?

    I have a key in hexadecimal, do I give it the hex? Do I decode that
    to binary and give it that? Do I try to figure out what passphrase
    generated the hex and give it that instead? Nowhere in the
    documentation does it appear to mention what form the key must take,
    or how you tell it what form it's in for it to "figure it out". If
    someone could enlighten me, I'd be most grateful.

    Regards,
    Stuart Longland
    Stuart Longland, Feb 20, 2011
    #1
    1. Advertising

  2. Stuart Longland

    Paul Rubin Guest

    Stuart Longland <> writes:
    > What format does hmac require the key to be in?


    It's an arbitrary string.

    I have a key in hexadecimal, do I give it the hex? Do I decode that
    to binary and give it that?

    Probably yes. Do you have test vectors? See if they work.
    Paul Rubin, Feb 20, 2011
    #2
    1. Advertising

  3. On Sun, 20 Feb 2011 04:01:20 -0800, Paul Rubin <> wrote:
    > Stuart Longland <> writes:
    >> What format does hmac require the key to be in?

    >
    > It's an arbitrary string.
    >
    > I have a key in hexadecimal, do I give it the hex? Do I decode that
    > to binary and give it that?
    >
    > Probably yes. Do you have test vectors? See if they work.


    Test case from http://www.faqs.org/rfcs/rfc2104.html :


    key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
    key_len = 16 bytes
    data = "Hi There"
    data_len = 8 bytes
    digest = 0x9294727a3638bb1c13f48ef8158bfc9d

    Using the hmac module:

    >>> hmac.hmac_md5( "Hi There", 16*"\x0b" )

    '\x92\x94rz68\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d'


    --
    To email me, substitute nowhere->spamcop, invalid->net.
    Peter Pearson, Feb 20, 2011
    #3
  4. On Feb 21, 4:59 am, Peter Pearson <> wrote:
    > On Sun, 20 Feb 2011 04:01:20 -0800, Paul Rubin <> wrote:
    > > Stuart Longland <> writes:
    > >> What format does hmac require the key to be in?

    >
    > > It's an arbitrary string.  

    >
    > >     I have a key in hexadecimal, do I give it the hex?  Do I decode that
    > >     to binary and give it that?  

    >
    > > Probably yes.  Do you have test vectors?  See if they work.

    >
    > Test case from http://www.faqs.org/rfcs/rfc2104.html:

    [...]
    > >>> hmac.hmac_md5( "Hi There", 16*"\x0b" )

    >
    > '\x92\x94rz68\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d'


    No worries, thanks to both you Peter and Paul, I'll give this a shot.
    By the looks of things it is possible to just decode the hexadecimal
    to a binary string and give it that.

    I should perhaps elaborate on what I'm doing in case the specifics
    make a difference. I have a YubiKey which internally supports a
    challenge-response mode based on HMAC-SHA1. I've got a key, a sample
    challenge and the sample output which is included in the python-yubico
    module demos:

    https://github.com/yubico/python-yubico

    Before I worried about that though, I needed to have some kind of
    understanding as to how the hmac module was used. "Arbitrary string",
    sounds to me like I give it something akin to a passphrase, and that
    is hashed(?) to provide the symmetric key for the HMAC. Wikipedia
    seems to suggest it depends on the length of the key given, so if I
    give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
    unmodified. Would that be a correct assertion?
    Stuart Longland, Feb 21, 2011
    #4
  5. On Mon, 21 Feb 2011 02:27:36 -0800 (PST), Stuart Longland wrote:
    [snip]
    > Before I worried about that though, I needed to have some kind of
    > understanding as to how the hmac module was used. "Arbitrary string",
    > sounds to me like I give it something akin to a passphrase, and that
    > is hashed(?) to provide the symmetric key for the HMAC. Wikipedia
    > seems to suggest it depends on the length of the key given, so if I
    > give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
    > unmodified. Would that be a correct assertion?


    Yes. I predict that you will be glad you look at RFC 2104,

    http://www.ietf.org/rfc/rfc2104.txt

    where you will find HMAC summarized as

    H(K XOR opad, H(K XOR ipad, text))

    Here, opad is a block filled with the byte 0x5C, and ipad is
    a block filled with the byte 0x36. If the key is no longer
    than one block (and a block is 64 bytes for SHA and MD5), then
    K is just the key itself; otherwise, K is a hash of the key.

    --
    To email me, substitute nowhere->spamcop, invalid->net.
    Peter Pearson, Feb 21, 2011
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. ed

    portable sha1 hmac sources

    ed, Apr 6, 2006, in forum: C Programming
    Replies:
    2
    Views:
    344
    William Ahern
    Apr 8, 2006
  2. Replies:
    4
    Views:
    5,792
    Thomas J. Gritzan
    Sep 22, 2006
  3. Kless

    HMAC with RIPEMD-160

    Kless, Dec 21, 2008, in forum: Python
    Replies:
    2
    Views:
    360
    Kless
    Dec 22, 2008
  4. Prabir Kr Sarkar

    TypeError in HMAC module.

    Prabir Kr Sarkar, Mar 24, 2014, in forum: Python
    Replies:
    0
    Views:
    73
    Prabir Kr Sarkar
    Mar 24, 2014
  5. Chris Angelico

    Re: TypeError in HMAC module.

    Chris Angelico, Mar 24, 2014, in forum: Python
    Replies:
    0
    Views:
    57
    Chris Angelico
    Mar 24, 2014
Loading...

Share This Page