HMAC invalid key length

davidlynch
Posts: 6
Joined: Thu Apr 06, 2023 1:44 am

HMAC invalid key length

Post by davidlynch »

Good Morning.

I have a program that uses Qc3CalculateHMAC then Scott's base64_encode function to create authentication codes for calling third party APIs. This is based on Scott's example program (https://www.ibm.com/support/pages/qc3ca ... pi-example) and all works nicely, thank you.

My problem is that I have one new partner who only provides a 30-byte API key, so I'm getting the CPF9DDD invalid key length error as per the documentation for Qc3CalculateHMAC.

I've requested that the partner increase their key length, however I'm not hopeful.

Would appreciate any tips on getting around this issue.

Thanks in advance
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: HMAC invalid key length

Post by Scott Klement »

I don't understand... which hash algorithm are they using?

The key length is part of the standard for the given hash algorithm. You can't just choose to use a shorter key... it won't work on any platform, anywhere.

How does this partner's software ever work? My best guess is the tool they are using pads their 30-byte key with some character (blanks, zeroes, whatever) to fill out the needed length. So you could potentially do the same thing if you could determine what's happening.

Or, alternately, they are using an algorithm that uses a shorter key, such as MD5 or SHA-1 (in which case it's not using all 30 bytes of their key).
davidlynch
Posts: 6
Joined: Thu Apr 06, 2023 1:44 am

Re: HMAC invalid key length

Post by davidlynch »

Hi Scott, thanks for the reply and apologies for my delayed response.

That's a good question (what algorithm our trading partner is using), but I've tried to reproduce their results using online SHA-256 generators, and my web coder has also tried using his hash algorithm, and both provide a successful match to our partner's example, so it seems to be only the Qc3CalculateHMAC generator that struggles with < 32 bytes. I have tried padding the length with blanks but couldn't get it to work.

My last resort is for my web coder to create an API for me that I'll call to get the hash before calling my partner's API.

Thanks again.
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: HMAC invalid key length

Post by Scott Klement »

I don't agree with you.

SHA-256 -- the number 256 in the name -- means "256 bits", which is the same as "32 bytes". You are telling me that it doesn't require 32 bytes -- that is FALSE. It does require 32 bytes -- it's in the very name of the algorithm... that's what the 256 means!!

If you've found encoders that accept shorter values, it means they are taking your short value and PADDING IT... in other words, they are adding additional bytes to what you've supplied to fill it out to 256. You just have to find out WHAT they are padding it with. Most likely, it's either x'00' characters or x'20' (Unicode blanks). If you can determine what it is padding the value with, you can make yours work exactly the same as the online ones.
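The padding question raised in this thread can be settled by building HMAC from its definition. RFC 2104 specifies HMAC for keys of any length: a key shorter than the hash function's block size (64 bytes for SHA-256) is padded on the right with x'00' to the block size, and a longer key is hashed first. That is the padding the online generators apply implicitly, and it is why padding a short key with x'00' reproduces their output while padding with blanks (x'20' in ASCII, x'40' in EBCDIC on IBM i) does not. The example below is added here and is not code from the thread or from Scott's tools; the 30-byte key and message are constructed sample values, not real partner data, and the hand-built HMAC is cross-checked against Python's hmac module and against RFC 4231 test case 1 (which itself uses a 20-byte key).

```python
import hashlib
import hmac

# Added example, not from the thread or from Scott's library.
BLOCK_SIZE = 64  # SHA-256 block size in bytes; RFC 2104 pads keys to this length


def hmac_sha256_rfc2104(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 built step by step from the RFC 2104 definition."""
    if len(key) > BLOCK_SIZE:             # long keys are hashed down to 32 bytes first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # short keys are padded on the right with x'00'
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def padded_key(key: bytes, length: int, fill: int) -> bytes:
    """Pad a key on the right with the byte `fill` up to `length` bytes (the trick discussed above)."""
    return key + bytes([fill]) * max(0, length - len(key))


def mac_hex(key: bytes, message: bytes) -> str:
    return hmac_sha256_rfc2104(key, message).hex()


# Constructed sample values, not real partner data.
SAMPLE_KEY_30 = b"partner-api-key-30-bytes-long!"
assert len(SAMPLE_KEY_30) == 30
SAMPLE_MESSAGE = b"GET /v1/orders?id=123"


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_rfc2104(key, message), expected)


def rfc4231_test_case_1_passes() -> bool:
    """RFC 4231 test case 1: 20-byte key of 0x0b bytes and the text 'Hi There'."""
    key = b"\x0b" * 20
    expected = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    return mac_hex(key, b"Hi There") == expected


def padding_preserves_mac(key: bytes, message: bytes, fill: int, length: int = 32) -> bool:
    """Does padding `key` with `fill` up to `length` bytes give the same MAC as the raw key?"""
    return mac_hex(padded_key(key, length, fill), message) == mac_hex(key, message)


if __name__ == "__main__":
    print("hand-built HMAC matches hashlib:", matches_stdlib(SAMPLE_KEY_30, SAMPLE_MESSAGE))
    print("RFC 4231 test case 1:", rfc4231_test_case_1_passes())
    for name, fill in (("x'00' (NUL)", 0x00), ("x'20' (ASCII blank)", 0x20), ("x'40' (EBCDIC blank)", 0x40)):
        same = padding_preserves_mac(SAMPLE_KEY_30, SAMPLE_MESSAGE, fill)
        print(f"pad with {name:<22}: same MAC as 30-byte key? {same}")
```

Running it shows that padding the 30-byte key to 32 bytes with x'00' yields exactly the MAC of the unpadded key (the extra zero bytes are what the standard would have added anyway), while any other fill byte changes the key material and therefore the MAC. So when an API rejects a short key, padding with x'00' to the accepted length is the one choice that stays interoperable with every standard HMAC implementation.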