Don’t hash secrets

Written on 21 September 2014, 04:10pm

Tagged with: , , ,

Don’t hash secrets, HMAC them!
This is an old but incredibly useful article written by Ben Adida, currently director of engineering at Square, previously working at Mozilla.
The idea is that simply hashing + salting the secrets is not enough. You need to HMAC them (Hash-function Message Authentication Code). HMAC always uses a hashing function (like MD5, SHA1, etc), but this hashing function is not used to hash the secret alone.

If you know SHA1(secret || message), then you can compute SHA1(secret || message || ANYTHING)
You don’t need to know exactly how HMAC works, just like you don’t need to know exactly how SHA1 works. Under the hood, what’s approximately going on is two hashes, one after the other, with the secret combined after the first hash.
Don’t hash secrets, HMAC them!

PHP has the hash_hmac function starting with the version 5.1.2. Interesting enough, CakePHP’s default authentication mechanism only uses hashing+salt, not HMAC. And MediaWiki uses something closer to HMAC.

But there’s a catch. If the secret is longer than the block size of the hash function, then HMAC will use the hash of the secret. See here and here (screenshots below)


And this leads to the following problem:

Mathias Bynens elaborates this:

SHA-1 has a block size of 512 bits, which equals 64 bytes.

So in this case, if the supplied key takes up more than 64 bytes, then SHA1(key) is used as the key. More generally, for any chosen_password larger than 64 bytes, the following holds true (pseudo-code):

PBKDF2_HMAC_SHA1(chosen_password) == PBKDF2_HMAC_SHA1(HEX_TO_STRING(SHA1(chosen_password))

PBKDF2+HMAC hash collisions explained

Takeaway? Don’t hash secrets, HMAC them. But make sure that the length of the secret is not larger than the block size of the hashing algorithm.
On the same line, maybe using passwords longer than 64 bytes is not such a good idea… 🙂

Photo: istockphoto

HTTP basic authentication

Written on 3 November 2013, 12:28pm

Tagged with: , ,

A few notes:

– it only uses HTTP headers
– it does not encrypt the username:password, it only base64 encodes them to obtain a string (think about a password containig two newlines 🙂 )
– so it is highly recommended to be used over HTTPS
– if this is not possible, then HTTP digest authentication should be used instead
– initially, the server responds with a HTTP 401 Non Authorized response code
– the HTTP headers must be sent by the browser with every subsequent request, so caching is necessary
– the web server does not provide a ‘log out’ mechanism; each browser has its own way of logging out. Example for Chrome: load

More details on the Wikipedia page:
HTTP Digest Access Authentication:
How to set up HTTP Basic Authentication in Apache:

Photo: iStockPhoto