Menu
For a payment provider, I need to calculate a hash-based message authentication code, using HMAC-SHA256. That is causing me quite a bit of trouble.
The payment provider gives two examples of orrectly calculated authentication code in pseudo-code. All keys are in hex.
key = 57617b5d2349434b34734345635073433835777e2d244c31715535255a366773755a4d70532a5879793238235f707c4f7865753f3f446e633a21575643303f66 message = "amount=100¤cy=EUR" MAC = HMAC-SHA256( hexDecode(key), message ) result = b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 message = "amount=100¤cy=EUR" Ki = 61574d6b157f757d02457573556645750e0341481b127a07476303136c005145436c7b46651c6e4f4f040e1569464a794e534309097258550c17616075060950 Ko = 0b3d27017f151f17682f1f193f0c2f1f64692b227178106d2d096979066a3b2f2906112c0f760425256e647f032c2013243929636318323f667d0b0a1f6c633a MAC = SHA256( hexDecode(Ko) + SHA256( hexDecode(Ki) + message ) ) result = b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 I tried to write the code to do this, after doing some research, but I keep coming up with different results.
private static void Main(string[] args) { var key = "57617b5d2349434b34734345635073433835777e2d244c31715535255a366773755a4d70532a5879793238235f707c4f7865753f3f446e633a21575643303f66"; var ki = "61574d6b157f757d02457573556645750e0341481b127a07476303136c005145436c7b46651c6e4f4f040e1569464a794e534309097258550c17616075060950"; var ko = "0b3d27017f151f17682f1f193f0c2f1f64692b227178106d2d096979066a3b2f2906112c0f760425256e647f032c2013243929636318323f667d0b0a1f6c633a"; var mm = "amount=100¤cy=EUR"; var result1 = CalcHMACSHA256Hash(HexDecode(key), mm); var result2 = CalcSha256Hash(string.Format("{0}{1}", HexDecode(ko), CalcSha256Hash(HexDecode(ki) + mm))); Console.WriteLine("Expected: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905"); Console.WriteLine("Actual 1: " + result1); Console.WriteLine("Actual 2: " + result2); Console.WriteLine("------------------------------"); Console.ReadKey(); } private static string HexDecode(string hex) { var sb = new StringBuilder(); for (int i = 0; i <= hex.Length - 2; i += 2) { sb.Append(Convert.ToString(Convert.ToChar(Int32.Parse(hex.Substring(i, 2), System.Globalization.NumberStyles.HexNumber)))); } return sb.ToString(); } private static string CalcHMACSHA256Hash(string plaintext, string salt) { string result = ""; var enc = Encoding.Default; byte[] baText2BeHashed = enc.GetBytes(plaintext), baSalt = enc.GetBytes(salt); System.Security.Cryptography.HMACSHA256 hasher = new HMACSHA256(baSalt); byte[] baHashedText = hasher.ComputeHash(baText2BeHashed); result = string.Join("", baHashedText.ToList().Select(b => b.ToString("x2")).ToArray()); return result; } public static string CalcSha256Hash(string input) { SHA256 sha256 = new SHA256Managed(); byte[] sha256Bytes = Encoding.Default.GetBytes(input); byte[] cryString = sha256.ComputeHash(sha256Bytes); string sha256Str = string.Empty; for (int i = 0; i < cryString.Length; i++) { sha256Str += cryString[i].ToString("x2"); } return sha256Str; } And this is the result I get:
Expected: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 Actual 1: 421ce16f2036bb9f2a3770c16f01e9220f0232d45580584ca41768fd16c15fe6 Actual 2: 290f14398bf8c0959dfc963e2fd9c377534c6fec1983025d2ab192382f132b92 So with none of the two methods, I can get the result the provider example wants.
What am I missing here? Is it encoding? Is my hexDecode screwed up?
Test tool from payment provider: http://tech.dibs.dk/dibs_api/other_features/hmac_tool/
PHP sample code: http://tech.dibspayment.com/dibs_api/other_features/mac_calculation/
619
Edit: You likely are looking for a quick and simple way to do HMAC-SHA256 and not get into the finer details. The original question asks of those finer details which are explained further below.
byte[] message inputusing System.Security.Cryptography; ... private static byte[] HashHMAC(byte[] key, byte[] message) { var hash = new HMACSHA256(key); return hash.ComputeHash(message); } In .NET 5 and above, use System.Convert.FromHexString like so, (thanks @proximab). If you're on pre-.NET 5, scroll to "Helper functions" which has alternative solutions.
using System; using System.Security.Cryptography; ... private static byte[] HashHMACHex(string keyHex, string messageHex) { var key = Convert.FromHexString(hexKey); var message = Convert.FromHexString(messageHex); var hash = new HMACSHA256(key); return hash.ComputeHash(message); } Continue reading. You likely want to use "Method 2" below as a reference point and adjust it to however your service wants you to implement HMAC for message anti-tampering.
Here we will compute an HMAC-SHA256 manually (this answers "Method 2" from the original question).
Assume outerKey, innerKey, and message are already byte arrays, we perform the following:
Notation: Assume
A + Bconcatenates byte array A and B. You may alternatively seeA || Bnotation used in more academic settings.
HMAC = SHA256( outerKey + SHA256( innerKey + message ) ) . . `------------------´ . . \ \ `innerData` / / \ `------------------------´ / \ `innerHash` / `----------------------------------´ `data` So the code can be broken down into these steps (using the above as a guide):
byte[] innerData the length of innerKey.Length + message.Length (again assuming byte arrays)innerKey and the message into the byte[] innerData innerData and store it in byte[] innerHash byte[] data the length of outerKey.Length + innerHash.Length outerKey and innerHash (from step #3)data and store it in byte[] result and return it.To do the byte copying I'm using the Buffer.BlockCopy() function since it apparently faster than some other ways (source).
n.b. There is likely (read: most certainly) a better way to do this using the the new
ReadOnlySpan<T>API.
We can translate those steps into the following:
using System; using System.Security.Cryptography; ... private static byte[] HashSHA(byte[] innerKey, byte[] outerKey, byte[] message) { var hash = new SHA256Managed(); // Compute the hash for the inner data first byte[] innerData = new byte[innerKey.Length + message.Length]; Buffer.BlockCopy(innerKey, 0, innerData, 0, innerKey.Length); Buffer.BlockCopy(message, 0, innerData, innerKey.Length, message.Length); byte[] innerHash = hash.ComputeHash(innerData); // Compute the entire hash byte[] data = new byte[outerKey.Length + innerHash.Length]; Buffer.BlockCopy(outerKey, 0, data, 0, outerKey.Length); Buffer.BlockCopy(innerHash, 0, data, outerKey.Length, innerHash.Length); byte[] result = hash.ComputeHash(data); return result; } string -> byte[] You have plain ASCII or UTF8 text, but need it to be a byte[].
Use ASCIIEncoding or UTF8Encoding or whichever exotic encoding you're using.
private static byte[] StringEncode(string text) { var encoding = new System.Text.ASCIIEncoding(); return encoding.GetBytes(text); } byte[] -> hex string You have a byte[], but you need it to be a hex string.
private static string HashEncode(byte[] hash) { return BitConverter.ToString(hash).Replace("-", "").ToLower(); } string -> byte[] You have a hex string, but you need it to be a byte[]`.
.NET 5 and above
private static byte[] HexDecode(string hex) => System.Convert.FromHexString(hex); Before .NET 5 (thanks @bobince)
private static byte[] HexDecode(string hex) { var bytes = new byte[hex.Length / 2]; for (int i = 0; i < bytes.Length; i++) { bytes[i] = byte.Parse(hex.Substring(i * 2, 2), NumberStyles.HexNumber); } return bytes; } n.b. If you need a performance tuned version on .NET Framework 4.x, you can alternatively backport the .NET 5+ version (by replacing
ReadOnlySpan<byte>withbyte[]). It uses proper lookup tables and conscious about hot-code paths. You can reference the .NET 5 (MIT licensed)System.Convertcode on Github.
For completeness, here are the final methods answering the question using both "Method 1" and "Method 2"
"Method 1" (using .NET libraries)
private static string HashHMACHex(string keyHex, string message) { byte[] hash = HashHMAC(HexDecode(keyHex), StringEncode(message)); return HashEncode(hash); } "Method 2" (manually computed)
private static string HashSHAHex(string innerKeyHex, string outerKeyHex, string message) { byte[] hash = HashSHA(HexDecode(innerKeyHex), HexDecode(outerKeyHex), StringEncode(message)); return HashEncode(hash); } We can perform a quick sanity check with a console app:
static void Main(string[] args) { string message = "amount=100¤cy=EUR"; string expectedHex = "b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905"; Console.WriteLine("Expected: " + expectedHex); // Test out the HMAC hash method string key = "57617b5d2349434b34734345635073433835777e2d244c31715535255a366773755a4d70532a5879793238235f707c4f7865753f3f446e633a21575643303f66"; string hashHMACHex = HashHMACHex(key, message); Console.WriteLine("Method 1: " + hashHMACHex); // Test out the SHA hash method string innerKey = "61574d6b157f757d02457573556645750e0341481b127a07476303136c005145436c7b46651c6e4f4f040e1569464a794e534309097258550c17616075060950"; string outerKey = "0b3d27017f151f17682f1f193f0c2f1f64692b227178106d2d096979066a3b2f2906112c0f760425256e647f032c2013243929636318323f667d0b0a1f6c633a"; string hashSHAHex = HashSHAHex(innerKey, outerKey, message); Console.WriteLine("Method 2: " + hashSHAHex); } You should have all the hashes line up correctly:
Expected: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 Method 1: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 Method 2: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905 The original code for this answer can be accessed at: http://pastebin.com/xAAuZrJX
73
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
