Hash HMAC

[Danyfirex]

Hello guys. Here is a small function to create a hash hmac  similar to hash_hmac PHP function.  

Supported are: SHA512,SHA256,SHA1,SHA384,MD5 and RIPEMD160.

 

Local $sSecret = "SecretKey"
Local $sMessage = "AutoIt Rocks!!!"


ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA512", $sMessage, $sSecret) & @CRLF)
ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA256", $sMessage, $sSecret) & @CRLF)
ConsoleWrite("HMAC-SHA1: " & @TAB & @TAB & _HashHMAC("SHA1", $sMessage, $sSecret) & @CRLF)
ConsoleWrite("HMAC-SHA384: " & @TAB & @TAB & _HashHMAC("SHA384", $sMessage, $sSecret) & @CRLF)
ConsoleWrite("HMAC-MD5: " & @TAB & @TAB & _HashHMAC("MD5", $sMessage, $sSecret) & @CRLF)
ConsoleWrite("HMAC-RIPEMD160: " & @TAB &  _HashHMAC("RIPEMD160", $sMessage, $sSecret) & @CRLF)

Func _HashHMAC($sAlgorithm, $bData, $bKey, $bRaw_Output = False)
    Local $oHashHMACErrorHandler = ObjEvent("AutoIt.Error", "_HashHMACErrorHandler")
    Local $oHMAC = ObjCreate("System.Security.Cryptography.HMAC" & $sAlgorithm)
    If @error Then SetError(1, 0, "")
    $oHMAC.key = Binary($bKey)
    Local $bHash = $oHMAC.ComputeHash_2(Binary($bData))
    Return SetError(0, 0, $bRaw_Output ? $bHash : StringLower(StringMid($bHash, 3)))
EndFunc   ;==>_HashHMAC


Func _HashHMACErrorHandler($oError)
    ;Dummy Error Handler
EndFunc   ;==>_HashHMACErrorHandler

It requires .NET Framework  2.0 or higher.

Saludos

Edited December 9, 2017 by Danyfirex

[argumentum]

I asked myself ( google really ),  what's the difference and/or use of this vs. a regular hash.

from https://crypto.stackexchange.com/questions/6493/what-is-the-difference-between-a-hmac-and-a-hash-of-data

---------------------------

TL;DR, an HMAC is a keyed hash of data.

A good cryptographic hash function provides one important property: collision resistance. It should be impractical to find two messages that result in the same digest.

An HMAC also provides collision resistance. But it also provides unforgeability. In order to generate an HMAC, one requires a key. If you only share this key with trusted parties, given an HMAC signature, you can be confident that only one of the trusted parties could have generated that signature.

Due to common properties of hash functions, an HMAC is not as simple as hashing the data appended to the key. This construct is vulnerable to length-extension attacks where an attacker can take a message and its HMAC signature, and use this to construct a longer message with a valid signature (thus breaking the guarantee of unforgeability).

---------------------------

Put simply, if you're using a simple hash of a file to guarantee file-integrity, then an attacker could modify the file, re-calculate the hash of the modified file, and replace the old hash with the modified one. With a HMAC, a key is used when calculating the hash value, so unless the attacker has the key, they're unable to calculate a valid hash value of the modified data.

So now I know.

Thanks for sharing

PS: so, what would be the function to hash files @Danyfirex ?

Edited December 10, 2017 by argumentum
add a question

[Danyfirex]

Hello. I really dont know too much about  hashing files. I usally use this for Web API. I think you're talking about something like this.

I'll check deeply later.

 

Saludos

[argumentum]

no need to look too deep for my question. In any case, a salted hash, of the file's hash as string, would do just fine for the purpose. 
I have no need for this implementation. I was just curious about it. 

[Vovsla]

When i use function above, i get result

HMAC-SHA512:        42b39eb438b98554dd4512170bb521bb8f736b778d306e77f61983d052f2cd5ea471f3c20d1e3c759174ca7c7fe00508dad78b30b559f22c6685aa6129ff5d71
HMAC-SHA256:        11b75d845a07fc5c0a6cc3dbdb9c5c53d3034129e3394f56a2f16649b61a5c54
HMAC-SHA1:      4ed7ba3c4e31298d5b7f6e8bfd78da2a7448db61
HMAC-SHA384:        a867fed954c4930b949ac1c0aedddaa3b317b96d8dade84e98d2d7221a11322b4c0c7ec0a5dacc019b7a414c209c3dee
HMAC-MD5:       528e95c677558a6533ef3133f181ae52
HMAC-RIPEMD160:     3570f66d68160bd89fa73965aa0a3e5819e92470

When i use python i get another result

import hmac, hashlib
API_SECRET = b'SecretKey'
URL = b'AutoIt Rocks!!!'
Sign = hmac.new(API_SECRET, URL, hashlib.sha512).digest()
print(Sign)

b'B\xb3\x9e\xb48\xb9\x85T\xddE\x12\x17\x0b\xb5!\xbb\x8fskw\x8d0nw\xf6\x19\x83\xd0R\xf2\xcd^\xa4q\xf3\xc2\r\x1e<u\x91t\xca|\x7f\xe0\x05\x08\xda\xd7\x8b0\xb5Y\xf2,f\x85\xaaa)\xff]q'

Why results so different? How i can get the same result with autoit?

[Danyfirex]

I got same result with this:

 

import hmac, hashlib
API_SECRET = b'SecretKey'
URL = b'AutoIt Rocks!!!'
Sign = hmac.new(API_SECRET, URL, hashlib.sha512).hexdigest()
print((Sign))
 

 

Saludos

 

 

[mgresorte]

Genius !!!

thank you !

thank you !

thank you !

[oceanwind]

On 6/9/2018 at 10:54 PM, Danyfirex said:

I got same result with this:

 

import hmac, hashlib
API_SECRET = b'SecretKey'
URL = b'AutoIt Rocks!!!'
Sign = hmac.new(API_SECRET, URL, hashlib.sha512).hexdigest()
print((Sign))
 

 

Saludos

 

 

Can you help to modify your code to match python digest() version not the hexdigest() version?

[jchd]

See the answer in the new thread you posted.

 

Edited December 26, 2021 by jchd