diafygi/webcrypto-examples

HMAC output size

encryb opened this issue · 2 comments

encryb commented

One small fix:

By default the HMAC's length parameter is the size of hash function's block, not the size of hash output. So for SHA-1 and SHA-256 that would be 512 bits, for SHA-384 and SHA-512 1024 bits.

This is unlike most other libraries, where the output size is equal to the hash output size.

See http://www.w3.org/TR/WebCryptoAPI/#hmac-keygen-params

Thanks!

diafygi commented

Hmmm, I'm a bit confused. The HmacKeyGenParams section says, "The length (in bits) of the key to generate." However, the HMAC Operations > Generate Key > length section says, "Let length be the block size in bits of the hash function identified by the hash member of normalizedAlgorithm." These descriptions seem to conflict. Can you provide more clarity?

Also, the output from the following test seems to indicate that the length parameter is the length of the final key:

function test(b, h){
    window.crypto.subtle.generateKey(
        {
            name: "HMAC",
            hash: {name: h},
            length: b,
        },
        true,
        ["sign", "verify"]
    )
    .then(function(key){
        window.crypto.subtle.exportKey("raw", key).then(function(keydata){
            console.log(b, h, keydata.byteLength);
        });
    });
}

var bitTest = [8, 16, 32, 64, 128, 256, 1024, 2048];
var hashTest = ["SHA-1", "SHA-256", "SHA-384", "SHA-512"];
for(var i = 0; i < bitTest.length; i++){
    for(var j = 0; j < hashTest.length; j++){
        test(bitTest[i], hashTest[j]);
    }
}

8 "SHA-1" 1
8 "SHA-256" 1
8 "SHA-384" 1
8 "SHA-512" 1
16 "SHA-1" 2
16 "SHA-256" 2
16 "SHA-384" 2
16 "SHA-512" 2
32 "SHA-1" 4
32 "SHA-256" 4
32 "SHA-384" 4
32 "SHA-512" 4
64 "SHA-1" 8
64 "SHA-256" 8
64 "SHA-384" 8
64 "SHA-512" 8
128 "SHA-1" 16
128 "SHA-256" 16
128 "SHA-384" 16
128 "SHA-512" 16
256 "SHA-1" 32
256 "SHA-256" 32
256 "SHA-384" 32
256 "SHA-512" 32
1024 "SHA-1" 128
1024 "SHA-256" 128
1024 "SHA-384" 128
1024 "SHA-512" 128
2048 "SHA-1" 256
2048 "SHA-256" 256
2048 "SHA-384" 256
2048 "SHA-512" 256
encryb commented

Sorry for the confusion.

I was referring to the case when length is not specified.
Currently it states:
" //length: 256, //optional, if you want your key length to differ from the hash length"

Should be something like
" //length: 256, //optional, if you want your key length to differ from the hash function's block length"

if you look at https://www.ietf.org/rfc/rfc2104.txt for HMAC

The authentication key K can be of any length up to B, the
block length of the hash function. ... In any case the
minimal recommended length for K is L bytes (as the hash output
length).

Most libraries I used, when length is not specified, return result whose length is hash function's output length(L). WebCrypto returns result whose length is hash function's block size(B).