search

spaniakos / Cryptosuite

Cryptographic suite for Arduino & RPi (SHA, HMAC-SHA)
http://spaniakos.github.io/Cryptosuite/
GNU Affero General Public License v3.0
23 stars 11 forks source link

Test: RFC4231 4.6 result not at expected #5

Closed budnail closed 7 years ago

budnail commented 8 years ago

HMAC SHA256 example, Test:RFC4231 4.6.

Expected:"a3b6167473100ee06e0c796c2955552b-------------------------------" according to the example code in Cryptosuite and RFC4231 4.6. A truncated result.

Actual Result:"a3b6167473100ee06e0c796c2955552bfa6f7c0a6a8aef8b93f860aab0cd20c5", not truncated.(corrected a copy and paste error where I cut off the leading "a". 12-29-2015)

The actual result appears to behave more like PRF-HMAC-SHA-256 of RFC 4868, which is better for my purposes. I tried a couple of random online HMAC-SHA-256 implementations, and they also seem to match my actual result. So maybe most implementations are using the same algorithm and/or there is some understanding that this is an acceptable implementation. If that is the case, it is fine by me.

A couple of ideas: (1) simply note that although RFC4231 calls for truncation, this implementation fails in that aspect and follows PRF-HMAC-SHA-256 of RFC 4868 instead. (2) Add code to truncate the result.

Note: I have only tested this using my slightly modified version for the Photon, but I didn't alter anything that should have affected the results of this test. It would be nice if someone could confirm they get the same result.

spaniakos commented 8 years ago

I will check the results when i have success to my computer. On Dec 14, 2015 4:52 PM, "Bud Nail" notifications@github.com wrote:

HMAC SHA256 example, Test:RFC4231 4.6.

Expected:"a3b6167473100ee06e0c796c2955552b-------------------------------" according to the example code in Cryptosuite and RFC4231 4.6. A truncated result.

Actual Result:"3b6167473100ee06e0c796c2955552bfa6f7c0a6a8aef8b93f860aab0cd20c5", not truncated.

The actual result appears to behave more like PRF-HMAC-SHA-256 of RFC 4868, which is better for my purposes. I tried a couple of random online HMAC-SHA-256 implementations, and they also seem to match my actual result. So maybe most implementations are using the same algorithm and/or there is some understanding that this is an acceptable implementation. If that is the case, it is fine by me.

A couple of ideas: (1) simply note that although RFC4231 calls for truncation, this implementation fails in that aspect and follows PRF-HMAC-SHA-256 of RFC 4868 instead. (2) Add code to truncate the result.

Note: I have only tested this using my slightly modified version for the Photon, but I didn't alter anything that should have affected the results of this test. It would be nice if someone could confirm they get the same result.

— Reply to this email directly or view it on GitHub https://github.com/spaniakos/Cryptosuite/issues/5.

axelbusch commented 8 years ago

I got

Test: RFC4231 4.6 Expect:a3b6167473100ee06e0c796c2955552b------------------------------- Result:b5d822588417b0fac1b7d99ba44772842f95818d418aca4a7ba739be7e445ac5