[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: HMAC Key Derivation in UsernameToken Profile
All, An XML Digital Signature doesn't mix the shared secret with 'salt' information before an hmac-sha1 authentication code is generated. That is, the key is the same as the utf8 encoded password. Nowhere in the core spec or in the username token profile is it mentioned how the input to the HMAC-SHA1 alg. (aka RFC2104) is generated from the password. My assumption then is that there is NO extra salt information combined with the shared secret before it is used to generate the MAC. Can we make this clear? Some existing WS-Security implementations are taking liberties and adding extra salt information (such as nonce, time stamp, etc). Is there something that I missed here? It seems like leaving this unspecified will produce wildly un-interoperable messages. Can someone explain to me why this is the case? Did I completely miss something here? Thanks, Blake Dournaee Senior Security Architect Sarvega, Inc. http://www.sarvega.com/
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]