Challenge 24 ☆☆

Welcome to challenge 24. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Cryptographic challenge part 2

Implementing cryptography can be very daunting. So there are various mistakes you can find on Twitter. What if our developers made the same mistake?

In this challenge, you need to find the HMAC key. Note that we created an HMAC following the spec from NIST step by step! Can you provide us the HMAC-key used to create the HMAC?

Text used: Sample message for keylen=blocklen

HMAC produced in Hex: 5FD596EE 78D5553C 8FF4E72D 266DFD19 2366DA29

What is the HMAC key used here?

Answer to solution :

Why copying Specs is a bad idea

When you try to implement cryptographic controls, it can be very daunting: there are a lot of details you need to pay attention to. By now you know that it is not recommended to copy every primitive of an example for your own implementation. In this example we copied the HMAC key from a NIST spec, which anybody could have tried to use in order to brute-force the HMAC key used.

Please note that copying keys from specs/examples does not only hold for HMACs, it holds for any cryptographic operation (signing, encryption, decryption, etc.).

Still need to generate a key? Make sure you use a Secure Random generator and the right library for your runtime to generate the key instead.

To make it even safer, use a key generation and/or derivation setup in which every new message has a different key. That way, you have "Perfect Forward secrecy". This will ensure that older messages cannot be decrypted when one key is compromised.