mirror of
https://github.com/Noratrieb/blog.git
synced 2026-01-14 04:25:01 +01:00
explain HMAC
parent
e9712b2233
commit
cd5fa515d6
1 changed files with 2 additions and 1 deletions
|
|
@ -120,7 +120,7 @@ SSH usually uses raw SHA-256, hashing the shared secret [and a few other things]
|
|||
This process is called "Key Derivation".
|
||||
Another popular solution for this is HKDF (HMAC Key Derivation Function), which is used by TLS, used to serve you this web page.
|
||||
I hope you appreciate this web page.
|
||||
HKDF is based on HMAC and essentially also boils down to a hash (also commonly SHA-256) with some sparkly extra bits that we won't worry about.
|
||||
HKDF is based on HMAC (which we're gonna see again later) and essentially also boils down to a hash (also commonly SHA-256) with some sparkly extra bits that we won't worry about.
|
||||
|
||||
So our next version of the protocol looks like this:
|
||||
1. Alice generates a Diffie-Hellman key and sends the public key
|
||||
|
|
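Review bot: The new parenthetical "(which we're gonna see again later)" says "again", but this sentence is the first place the reader meets HMAC, and it has not been explained yet at this point in the post. Suggest "(which we're gonna see later)" so it reads as a forward reference. While touching this paragraph, the context line above expands HKDF as "HMAC Key Derivation Function"; the name in RFC 5869 is "HMAC-based Extract-and-Expand Key Derivation Function", so "HMAC-based Key Derivation Function" would be the accurate short form.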
@ -216,6 +216,7 @@ We need to ensure this doesn't happen.
|
|||
The way to do this is to use a Message Authenticate Code (MAC).
|
||||
The MAC is a hash of the message, but also includes the shared key in the hashed content, so that Eve can't just re-create the hash after tampering.
|
||||
HMAC is the most popular algorithm for this, so we're gonna use it with some cryptographic hash like SHA-256.
|
||||
HMAC is a clever and secure way to hash a key and a message to prove that the message originates from someone with the key.
|
||||
After encrypting the message, we run HMAC over the message and the key and get back a hash, which we put at the end of the message.
|
||||
The receiver then first computes the hash themselves and only when it matches do they decrypt the message.
|
||||
|
||||
|
|
|
|||
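Review bot: The added sentence calls HMAC "a clever and secure way to hash a key and a message", but it sits right after a line describing the MAC as a hash that "includes the shared key in the hashed content". That invites the reading that plain SHA-256 over key plus message would do. A half-sentence saying HMAC is not simple concatenation, and that the naive construction is open to length extension with hashes like SHA-256, would justify "clever and secure". Two smaller points in the surrounding context lines: "Message Authenticate Code" should be "Message Authentication Code", and "we run HMAC over the message and the key" comes after "After encrypting the message", so it is worth saying explicitly that the HMAC is computed over the encrypted message. That matches the following line, where the receiver checks the hash before decrypting.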