hmac module and key format

Stuart Longland redhatter at gentoo.org
Mon Feb 21 11:27:36 CET 2011


On Feb 21, 4:59 am, Peter Pearson <ppear... at nowhere.invalid> wrote:
> On Sun, 20 Feb 2011 04:01:20 -0800, Paul Rubin <no.em... at nospam.invalid> wrote:
> > Stuart Longland <redhat... at gentoo.org> writes:
> >> What format does hmac require the key to be in?
>
> > It's an arbitrary string.  
>
> >     I have a key in hexadecimal, do I give it the hex?  Do I decode that
> >     to binary and give it that?  
>
> > Probably yes.  Do you have test vectors?  See if they work.
>
> Test case from http://www.faqs.org/rfcs/rfc2104.html:
[...]
> >>> hmac.hmac_md5( "Hi There", 16*"\x0b" )
>
> '\x92\x94rz68\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d'

No worries, thanks to both you Peter and Paul, I'll give this a shot.
By the looks of things it is possible to just decode the hexadecimal
to a binary string and give it that.

I should perhaps elaborate on what I'm doing in case the specifics
make a difference.  I have a YubiKey which internally supports a
challenge-response mode based on HMAC-SHA1.  I've got a key, a sample
challenge and the sample output which is included in the python-yubico
module demos:

https://github.com/yubico/python-yubico

Before I worried about that though, I needed to have some kind of
understanding as to how the hmac module was used.  "Arbitrary string",
sounds to me like I give it something akin to a passphrase, and that
is hashed(?) to provide the symmetric key for the HMAC.  Wikipedia
seems to suggest it depends on the length of the key given, so if I
give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
unmodified.  Would that be a correct assertion?



More information about the Python-list mailing list