Somewhat insecure API signature scheme #55

Open
cespare opened this Issue Jan 9, 2013 · 0 comments

Projects

None yet

1 participant

Collaborator
cespare commented Jan 9, 2013

I see two issues that both expose you to some kind of length extension attacks. @mdietz can tell you more :)

  • No delimiter between the components that comprise the canonical string
  • SHA256 instead of HMAC-SHA256

Lots of people get this wrong, but we should fix at some point.

I think a good example is AWS signature generation:

http://docs.amazonwebservices.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html#example-signature-calculation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment