I'm looking to implement HMACSHA256 request signing in an API I'm building. From what I understood from https://www.rfc-editor.org/rfc/rfc4868, it's best that the secret key be the same number of bits as the hashing algorithm (i.e. SHA256 secret keys should be 256 bits/32 bytes).
Can I use one of the many different random number generators out there for C# or is there a specific way that these keys need to be generated.
Lastly, Amazon Web Services uses HMACSHA256, but they secret keys they provide (at least to me) is 320 bits/40 bytes (when the key is converted to bytes using UTF-8, see https://github.com/aws/aws-sdk-net/blob/master/AWSSDK/Amazon.Runtime/Internal/Auth/AWS4Signer.cs#L205-L232). Is there a reason to use more than needed by the hashing algorithm since it's truncated?
One way to generate a (presumably secure) key is:
var hmac = new HMACSHA256();
var key = Convert.ToBase64String(hmac.Key);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With