Swagger description clarification. JSON body as SHA256 digest?

[asiridissa]

In Swagger there is a note added about HMAC body parameter as follows.

Did we make a decision to use SHA256 digest of the JSON body to feed in to the HMAC function?

[spedsta]

Correct. The JSON body would hashed to a hex value by SHA256.

[asiridissa]

As I remember, we agreed to do SHA256 on the total INPUT_STRING to generate the HMAC. Doing hash only on the body is something I don't recall from our discussions. @spedsta Can you please provide pseudocode to explain this body only hashing with HMAC creation? (#8 contains code sample that you may use)

[NomeQ]

I also feel uncertain about this. The HMAC function will already perform a SHA256 on the entire string, and there's no savings in efficiency or code to do it otherwise. Here is a slightly simplified version of the code we have right now (we aren't done implementing everything):

const value = [nonce, timestamp, JSON.stringify(orderedParams), reqBody].join(':')
const sigAsByteArray = Utilities.computeHmacSignature(Utilities.MacAlgorithm.HMAC_SHA_256, value, secret)
return byteArrayToHexString(sigAsByteArray)

[spedsta]

Including two references on HMAC implementation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html https://dotnettutorials.net/lesson/hmac-authentication-web-api/#google_vignette We've also seen both the URI and hashed message body methodology (either base64 or SHA256) in other API implementations.

Please advise on direction and update swagger description if anything different decided. We are ok with any changes.

[asiridissa]

Here is the part of the same AWS documentation. It mentioned 3 reasons to sign the request or do the HMAC. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html#why-requests-are-signed

Here is my explanation of how our solution covers the mentioned topics.

1. Verify the identity of the requester We use the secret key to hash the HMAC INPUT_STRING. This is unique for the requester. So this will prove the identity of the requester. We can decide on using a stronger key (ex :32 chars long, include numbers, letters, symbols etc.).
2. Protect data in transit Again, the secret key makes the HMAC unique for requester. Because we are using the telegram JSON as a part of HMAC INPUT_STRING, integrity of the message content is protected.
3. Protect against potential replay attacks AWS only accepts the requests within 5 minutes from the mentioned timestamp. I believe we should do the same. We talked about this but did not came to a conclusion.

I suggest that we don't need to do body hashing before the HMAC hashing because, we can fulfill the requirements of message authentication with only one SHA256 hashing on HMAC function.

[asiridissa]

Decided to get the body string as it is in to the INPUT_STRING. Not going to do the SHA256 digest of the body before the final HMAC function. Closing this issue with updating swagger 0.5.a3.