Somewhat insecure API signature scheme #55

cespare opened this Issue Jan 9, 2013 · 0 comments


None yet

1 participant

cespare commented Jan 9, 2013

I see two issues that both expose you to some kind of length extension attacks. @mdietz can tell you more :)

  • No delimiter between the components that comprise the canonical string
  • SHA256 instead of HMAC-SHA256

Lots of people get this wrong, but we should fix at some point.

I think a good example is AWS signature generation:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment