HMACs are frequently used to provide tamper resistance. If I send you out
some data and an HMAC for it, if I have the key that was used with the HMAC
and I get that same data again, I can recompute the HMAC and determine
whether the data I got is the same as the data I sent out.

A simple example might be providing tamper resistance for a query string on
a URL. From the server side, I can set some data in the query string and
also include an HMAC of the data. When I receive that same query string
back in another request from the browser, I can check if the data I set in
the query string is the same as the data I received in the request. If it
is different, I know the user tampered with it and I have a potential
security issue. You can do the same thing with cookies. Lots of
applications lend themselves to this type of cryptography, where my goal is to
make sure some data does not change, but I don't have control over it all
the time.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
message news:79B30985-4234-40EC-ABE1-F38315079E9A@microsoft.com...
> Thanks for your reply
>
> So if I understand well, in real life people using that stuff are, for
> instance, attaching the HASH value to an encrypted file content (for example
> at the beginning of the file). Then the receiver will know that the first part
> of the file is the HASH in addition to the secret key.
>
> Is this what you mean?
>
> Based on symmetric encryption, the secret key needs to be transferred one way
> or another to the receiver. In that case, how can the secret key be safely
> transmitted?
>
> regards
> serge
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Typically, you just include the hash along with the data, much like you
>> might include a signature with the signed data. HMACs are conceptually
>> very much like the symmetric key equivalent of a signature. Instead of
>> using a certificate (pub key/private key), both the party generating the
>> HMAC and the party validating it must know the secret key. The HMAC does
>> not provide identity information, but it does tell you if the file has
>> been tampered with.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services Programming"
>> http://www.directoryprogramming.net
>> --
>> "serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
>> message news:C82781A5-DE96-448D-889D-A102C705A288@microsoft.com...
>> > Dear all,
>> >
>> > I have some simple questions relating to keyed hash algorithms.
>> > I have understood from different readings that this type of hashing with
>> > a secret key (a common password) is used to prevent a malicious person
>> > from modifying the hash value.
>> >
>> > This is done by using the following code sample:
>> >
>> > Dim myhash As HMACSHA1 = New HMACSHA1(secretkey)
>> >
>> > For my sample I have a file which is read, and then a hash value is issued
>> > from that file based on the given password. In that way it is explained
>> > that whatever change occurs, either in the file content or the given
>> > password, a new hash value will be generated.
>> >
>> > What I did not catch here is how you can proceed to file validation
>> > then, because a hacker can modify the file content anyway??
>> >
>> > If you do such validation with a hash value, this hash value needs to be
>> > stored somewhere in order to be compared the next time; where is it stored
>> > then???
>> >
>> > thanks for your help
>> > regards
>> > serge
>> >
>>
>>
>>
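
The query-string check described in the top reply, as an added example that is not part of the original thread. It is written in Python rather than the thread's VB.NET and uses HMAC-SHA256 instead of the HMACSHA1 from the question; the key, the `mac` parameter name and the sample fields are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. A real key is random, stays on the server,
# and is never placed in the URL or sent to the browser.
SECRET_KEY = b"constructed-demo-key-0123456789abcdef"


def _tag(canonical: str) -> str:
    """Hex HMAC-SHA256 over the canonical (sorted, URL-encoded) field string."""
    return hmac.new(SECRET_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_query(params: dict) -> str:
    """Build a query string whose 'mac' field (hypothetical name) covers every other field."""
    canonical = urlencode(sorted(params.items()))
    return canonical + "&mac=" + _tag(canonical)


def verify_query(query: str):
    """Return the fields as a dict if the tag is valid, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    macs = [v for k, v in pairs if k == "mac"]
    data = sorted((k, v) for k, v in pairs if k != "mac")
    if len(macs) != 1:
        return None  # tag missing or supplied more than once
    expected = _tag(urlencode(data))
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), macs[0].encode("utf-8")):
        return None
    return dict(data)


if __name__ == "__main__":
    signed = sign_query({"user": "alice", "amount": "100"})
    print(signed)
    print(verify_query(signed))                                    # fields returned
    print(verify_query(signed.replace("amount=100", "amount=900")))  # None
```

The server only needs the key to recheck the value; the tag itself travels with the data and does not have to be stored.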