On Friday 24 September 2010 17:15:07 Bryan Dixon wrote:
> I think this could possibly work as a temporary fix; however, an
> HMAC-SHA1 is a known mechanism and since I'm trying to publish my work,
> and not just use it for a course. I'm also not sure what would happen
> when I pipe a cat of a binary file & pipe into a sha1sum on an Android
> phone. Thanks for the idea though, hadn't occurred to me to attempt this
> as an alternative... additionally could try and force the HMAC algorithm
> via a shell script. Though would prefer a compiled binary, as it
> wouldn't be as easy to alter.
>
> -Bryan
Heh, the question at the end should have been "What do you want?" (Sleep deprivation, the breakfast of champions!)

My question was really about the purpose of this HMAC thing. If you _can_ just prepend (or append) the password to the input data, what's HMAC for?

My understanding is that a one-way hash algorithm produces a number uniquely identifying its input data, from which its input data cannot easily be reconstructed. For web login stuff, I've sometimes prepended a password and a datestamp to the input data, and then appended the datestamp in cleartext as part of the resulting cookie. If there's a valid cryptographic reason _not_ to do this, I'd like to know what it is. If some standards body went to the trouble of creating an HMAC standard, it would be nice to know _why_. (General distaste for in-band signaling? What advantage does it have over the cat-it-together method?)

Rob

P.S. I wouldn't say I'm an expert here, but I _did_ hack together my own sha1sum.c for toybox (which is 185 lines of C code; the busybox version is 480 lines). This is _not_ the same as understanding the mathematical proof behind the algorithm. I know _what_ it's doing. Understanding _why_ involves not just a lot more math than I really care for, but memorizing the 8 gazillion known potential ways to attack this sort of thing, which aren't necessarily obvious from said math. Cryptography is like kernel development: you have to do it full time just to stay current.

--
GPLv3: as worthy a successor as The Phantom Menace, as timely as Duke Nukem Forever, and as welcome as New Coke.

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
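To make the two constructions under discussion concrete, here is an added example (not code from either poster or from busybox/toybox): HMAC-SHA1 built from primitives exactly as RFC 2104 defines it, next to the cat-it-together scheme from the mail, and applied to a cookie that carries the datestamp in cleartext under the tag. The cookie field layout, the `|` separator and the sample key and values are assumptions for the demonstration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # RFC 2104: B = 64 bytes for SHA-1's 512-bit input block

def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || text)).
    Two nested hashes over a block-padded key, not one hash over key || text."""
    if len(key) > BLOCK_SIZE:              # keys longer than a block are hashed down
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()

def naive_tag(password: bytes, datestamp: bytes, data: bytes) -> bytes:
    """The cat-it-together scheme from the mail: one plain SHA-1 over
    password || datestamp || data."""
    return hashlib.sha1(password + datestamp + data).digest()

def make_cookie(key: bytes, data: bytes, datestamp: bytes) -> bytes:
    """Assumed layout: data | datestamp | hex(tag). The datestamp travels in
    cleartext, as in the mail, and the tag covers both data and datestamp."""
    tag = hmac_sha1(key, data + b"|" + datestamp)
    return data + b"|" + datestamp + b"|" + tag.hex().encode()

def verify_cookie(key: bytes, cookie: bytes) -> bool:
    """Recompute the tag over the cleartext fields; compare in constant time
    so a byte-by-byte mismatch does not leak timing."""
    try:
        data, datestamp, tag_hex = cookie.rsplit(b"|", 2)
    except ValueError:                     # malformed cookie, not enough fields
        return False
    expected = hmac_sha1(key, data + b"|" + datestamp).hex().encode()
    return hmac.compare_digest(expected, tag_hex)

if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA1 (key = 20 bytes of 0x0b, text "Hi There")
    print(hmac_sha1(b"\x0b" * 20, b"Hi There").hex())
    cookie = make_cookie(b"secret-key", b"user=rob", b"20100924")
    print(cookie, verify_cookie(b"secret-key", cookie))
```

The RFC 2202 vector printed by the `__main__` block lets you check the hand-built HMAC against the standard library's `hmac.new(..., hashlib.sha1)` output.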
