- From: Brad Hill <hillbrad@gmail.com>
- Date: Fri, 3 Jun 2011 13:23:24 -0700
- To: public-web-security@w3.org
(*Test...this didn't seem to hit the full list.*)
You've included a SHA-256 hash function, but not an HMAC-SHA-256 function.
Having looked at many, many webapps as a pentester, I can assure you that
99% of folks will do message authentication insecurely without better
API support than a raw hash function.
They will: (a) create insecure constructions using secret prefix or
secret suffix concatenations instead of implementing real HMAC, and
then (b) they will leak timing information during verification.
I would propose the following APIs: (if you only support SHA256 and
have no plans to implement other algorithms)
    hmac: {
      createHMAC: function (plaintext, key, callback /* callback(mac) */) { },
      verifyHMAC: function (plaintext, key, receivedMac, callback /* callback(booleanVerified) */) { }
    }
Where verifyHMAC implements double-HMAC verification to prevent timing
leakage as described here:
http://www.isecpartners.com/blog/2011/2/18/double-hmac-verification.html
Adding algorithm setters as is done for the symmetric functions would
allow agility to move to, e.g. SHA3 in the future when it is defined.
-Brad Hill
Received on Sunday, 5 June 2011 22:34:09 UTC