explain HMAC

nora 2024-08-21 22:32:14 +02:00
parent e9712b2233
commit cd5fa515d6

@ -120,7 +120,7 @@ SSH usually uses raw SHA-256, hashing the shared secret [and a few other things]
This process is called "Key Derivation". This process is called "Key Derivation".
Another popular solution for this is HKDF (HMAC Key Derivation Function), which is used by TLS, used to serve you this web page. Another popular solution for this is HKDF (HMAC Key Derivation Function), which is used by TLS, used to serve you this web page.
I hope you appreciate this web page. I hope you appreciate this web page.
HKDF is based on HMAC and essentially also boils down to a hash (also commonly SHA-256) with some sparkly extra bits that we won't worry about. HKDF is based on HMAC (which we're gonna see again later) and essentially also boils down to a hash (also commonly SHA-256) with some sparkly extra bits that we won't worry about.
So our next version of the protocol looks like this: So our next version of the protocol looks like this:
1. Alice generates a Diffie-Hellman key and sends the public key 1. Alice generates a Diffie-Hellman key and sends the public key
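Review bot: the new parenthetical "(which we're gonna see again later)" in the HKDF sentence points forward without saying where, and HMAC is still undefined for the reader at this point. Consider naming the destination, for example "(which we'll meet again when we authenticate messages)", or linking to that section. While this paragraph is being touched: the expansion two lines up, "HMAC Key Derivation Function", is not quite the name RFC 5869 gives it; "HMAC-based Key Derivation Function" would be closer.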
@ -216,6 +216,7 @@ We need to ensure this doesn't happen.
The way to do this is to use a Message Authenticate Code (MAC). The way to do this is to use a Message Authenticate Code (MAC).
The MAC is a hash of the message, but also includes the shared key in the hashed content, so that Eve can't just re-create the hash after tampering. The MAC is a hash of the message, but also includes the shared key in the hashed content, so that Eve can't just re-create the hash after tampering.
HMAC is the most popular algorithm for this, so we're gonna use it with some cryptographic hash like SHA-256. HMAC is the most popular algorithm for this, so we're gonna use it with some cryptographic hash like SHA-256.
HMAC is a clever and secure way to hash a key and a message to prove that the message originates from someone with the key.
After encrypting the message, we run HMAC over the message and the key and get back a hash, which we put at the end of the message. After encrypting the message, we run HMAC over the message and the key and get back a hash, which we put at the end of the message.
The receiver then first computes the hash themselves and only when it matches do they decrypt the message. The receiver then first computes the hash themselves and only when it matches do they decrypt the message.
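Review bot: the added sentence calls HMAC "a clever and secure way to hash a key and a message" but does not say why the simpler construction from the line above, a hash that "includes the shared key in the hashed content", is not already enough. One clause would close the gap: simply prepending the key to the message and hashing with SHA-256 lets an attacker extend the message and compute a valid hash without the key (length extension), which HMAC's nested construction prevents. Two smaller points in the surrounding context lines: "Message Authenticate Code" should read "Message Authentication Code", and "run HMAC over the message" would be clearer as "over the encrypted message", since the receiver is said to check the hash before decrypting.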