Written on 21 September 2014, 04:10pm
Don’t hash secrets, HMAC them!
This is an old but incredibly useful article written by Ben Adida, currently director of engineering at Square, previously working at Mozilla.
The idea is that simply hashing + salting the secrets is not enough. You need to HMAC them (Hash-function Message Authentication Code). HMAC always uses a hashing function (like MD5, SHA1, etc), but this hashing function is not used to hash the secret alone.
If you know SHA1(secret || message), then you can compute SHA1(secret || message || ANYTHING)
You don’t need to know exactly how HMAC works, just like you don’t need to know exactly how SHA1 works. Under the hood, what’s approximately going on is two hashes, one after the other, with the secret combined after the first hash.
– Don’t hash secrets, HMAC them!
PHP has the hash_hmac function starting with the version 5.1.2. Interesting enough, CakePHP’s default authentication mechanism only uses hashing+salt, not HMAC. And MediaWiki uses something closer to HMAC.
And this leads to the following problem:
`plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd` and `eBkXQTfuBqp'cTcar&g*` have the same PBKDF2-HMAC-SHA1 hash
— CodesInChaos (@CodesInChaos) January 11, 2014
Mathias Bynens elaborates this:
SHA-1 has a block size of 512 bits, which equals 64 bytes.
So in this case, if the supplied key takes up more than 64 bytes, then SHA1(key) is used as the key. More generally, for any chosen_password larger than 64 bytes, the following holds true (pseudo-code):
PBKDF2_HMAC_SHA1(chosen_password) == PBKDF2_HMAC_SHA1(HEX_TO_STRING(SHA1(chosen_password))
Takeaway? Don’t hash secrets, HMAC them. But make sure that the length of the secret is not larger than the block size of the hashing algorithm.
On the same line, maybe using passwords longer than 64 bytes is not such a good idea… 🙂