Generating the same SecretKey

Thread view:

airkart@hotmail.com - 18 Apr 2005 08:18 GMT

Hello,

I'm tying to use Java's HMAC, and I'm having mixed success. On the one
hand, I know how to compute the HMAC of for some message; on the other,
I can't figure out how to share the key with others to have someone
authenticate my message. The example I see everywhere is similar to the
following:

...
KeyGenerator keyGen = KeyGenerator.getInstance("HmacSHA1");
SecretKey key = keyGen.generateKey();
Mac mac = Mac.getInstance(key.getAlgorithm() );
mac.init(key);
...

Unfortunately, generateKey() always produces a new key, which makes it
a bit hard to authenticate. After looking through the web and through
this newsgroup, I can't seem to find someone with the same problem as
I. Is there some way to generate the same SecretKey each time, maybe
using an array of bytes or something, so that someone can authenticate
what I send?

Thanks in advance,

Conrad Eaglehill

Reply to this Message

Michael Amling - 18 Apr 2005 14:52 GMT

> Hello,
>
[quoted text clipped - 17 lines]
> using an array of bytes or something, so that someone can authenticate
> what I send?

This bit of key management is often handled using public key
cryptography. The parties each make up a public/private key pair, and
exchange the public keys. This need only happen once. Now each can send
a (short) message to the other, encrypted using the recipient's public
key, that the recipient can decrypt using her own private key.
Either one of the parties can generate a random secret HMAC key and
send the HMAC key as a message encrypted with the other party's public
key. This is typical for RSA and is the way SSL does it.
Or, for some public key systems (ECC and DH), they send each other
special messages from which each can separately derive a shared secret
that they use as the HMAC key.

--Mike Amling

Reply to this Message

airkart@hotmail.com - 19 Apr 2005 16:03 GMT

> This bit of key management is often handled using public key
> cryptography. The parties each make up a public/private key pair, and
[quoted text clipped - 5 lines]
> key. This is typical for RSA and is the way SSL does it.
> --Mike Amling

I wouldn't mind trying that (though it sounds more complicated than I
thought HMAC was, since you include five keys--2 public, 2 private, and
1 secret), but your response doesn't show an implementation of it.

I found an alternate way of doing what I was trying to put forth:

...
byte[] hmacBuffer = byteArray; // byteArray is randomly generated once,
and shared with the recipient in advance
byte[] message = "This is the message".toByteArray();
SecretKey key = new SecretKeySpec(hmacBuffer, "HMACSHA1");
Mac mac = Mac.getInstance(key.getAlgorithm() );

mac.init(key);
mac.update(hmacBuffer);
digest = mac.doFinal("The message");
...

This *seems* to work as I'd like it. I still can't share the Secret
Key, but I *can* share hmacBuffer, and the recipient can use hmacBuffer
to get a duplicate key.

Does this make sense? Is this a proper way to go, or am I missing
something?

Thanks in advance,

Conrad Eaglehill

Reply to this Message

Chris - 20 Apr 2005 06:03 GMT

[snip]

> I found an alternate way of doing what I was trying to put forth:
>
[quoted text clipped - 20 lines]
>
> Conrad Eaglehill

Hi,
That's a perfectly good way of doing it... just that it's often not
practical for two people to share an hmacBuffer without anyone else
knowing it. That's the problem that public key cryptography solves:
you don't have to keep the public keys secret. If your situation
allows your two communicants (?) to share a secret piece of data
without anyone else knowing it, then by all means go for it. This
method is perfect.

Chris

Reply to this Message

Generating the same SecretKey

Free Magazines