[CryptoAPI] SHA256 encryption using custom salt, need 64 byte response

[CryptoAPI] SHA256 encryption using custom salt, need 64 byte response

Forge Component
Published on 2015-11-29 by Ricardo Silva
11 votes
Published on 2015-11-29 by Ricardo Silva


I am trying to authenticate an API which requires something like this:


Signature is a HMAC-SHA256 encoded message containing: user ID and API key. The HMAC-SHA256 code must be generated using a secret key that was generated with your API key. This code must be converted to it's hexadecimal representation (64 uppercase characters).

I tried using crypto API, something like this:

SyntaxEditor Code Snippet

KEncrypt("userID + api_key",KDeriveKey(API_SECRET))

I get a 128 characters instead of expected 64. How do I do this?I could not find any hashing functions allowing custom salt.

Also, is there any way to SHAxxx hash using custom salt?

Example (Python):

message = userID + api_key
signature = hmac.new(API_SECRET, msg=message, digestmod=hashlib.sha256).hexdigest().upper()

KEncrypt will encrypt using AES CBC + HMAC, which is definitely not what you want.

In order to do an HMAC, you should use the KComputeMac function (Compute the MAC of a given data using HMACSHA256).

For your use-case should be something like (haven't tested):

KComputeMac(Input=message, Key=TextToBinaryData(API_SECRET)).Mac_Hex

Let me know how this works our. Depending on encodings this might not actually yield the desired result and it may be required to build custom code for this (which shouldn't be too hard).


Perfect {claps}!!!!
You rock as always @Ricardo Silva.

I may reply to this thread in case I need some more help on SHAxxx hashing.


ps. I was on a lower version of CryptoAPI. So anyone looking at this thread for help, please ensure you are on latest version.

Now, I want to do something like this

Php Code sample:

$req['nonce'] = '556575253';
$post_data = http_build_query($req, '', '&');
$secret = 'abcdef...';
$sign = hash_hmac('sha512', $post_data, $secret);

I believe I need something like a KComputeMac that could take "algorithm" as parameter and I could probably send "sha512" there (I have a need to compute SHA384 as well). 

Hello Goldy,

Most of the CryptoAPI methods are not meant to be generic low level crypto primitives. The idea is to provide a known to be secure high level recipe, since these things are hard to get right.

Of course I can consider adding low level primitives, but at this time I would rather not.

My suggestion to you is that if you're integrating with third party tools, you should build your own code to accommodate for their security settings.

You can, of course, base your code on what CryptoAPI is doing in the backend.

Or better yet, ask them to provide you with a library which does the crypto stuff you can build your extension upon.

@Ricardo, agreed. I developed an extension (light version for now).

If it helps anyone looking for it, use the attached XIF.

Usage: Sign (input params)
Input params:
key = key/salt in string format
toBeSignedString = data to sign
algorithm = algorithm to use, default "SHA512", or use "SHA384" 

SignedHex = Singed Hex.