Samples

SamplesXml

Code

Config

API Docs

Download

Neolectric

Message Authentication Code

This algorigthm creates a short message digest from a larger block of text by hashing it with a secret key. This is a shared secret key algorightm that does not require digital certificates. Because the key is shared it is useful in some situations but not others.

Create digests with md5 and sha using keys that are stored in files outside the webserver document root

<dxp:Rp store="testmsg">This message comes from me. I will use my secret key to create a unique
digest to prove it</dxp:Rp>
<dxp:Hmac algo="md5" msg="${testmsg}" keyfile="prop/md5.key" store="md5digest" />
<dxp:Hmac algo="sha" msg="${testmsg}" keyfile="prop/sha.key" store="shadigest" />
<!-- keyfile is translated to /home/neo/prop/md5.key or sha.key; oustide /home/neo/htdocs -->

md5 digest: cc838b0f423d767531be9201975ee3d0

sha digest: 96f8f5a8df87f7438f765dcb8ce92270a9f40616

A recipient who shares your secret key can apply the same algorithm and compare their digest with the one you sent. If they match, they can be reasonably certain the original message came from you or someone else who had the secret key.

<dxp:Hmac algo="md5" msg="${testmsg}" keyfile="prop/md5.key" store="md5digest" />

md5 digest: cc838b0f423d767531be9201975ee3d0

The same priciple can be applied to a generated session ID

The current implementation of dxp:Uid tag combines a random number + servername + timestamp to produce a unique ID. It's pretty hard to guess which random number will be returned at a particular millisecond by the server. You can increase security by creating a digest with your secret key.

<dxp:Uid store="uid"/>
<dxp:Hmac algo="md5" msg="${uid}" keyfile="prop/md5.key" store="uid.digest"/>

Uid: 138dd904.5e35f21d.f6872438ef
Digest: 08668efb0449c7ce9bdb2dff00e4f518

Someone who shares the same secret key can produce the same digest of this Uid. This does not imply that a different combination of Uid and key could not produce the same digest, only that the digest is unique for this Uid and key.

Footnote

Here are some things you might use this for.

  • Browser cookie values where the digest was created with a random key for each session
  • Send a digest of values from your server to an online service like a credit card processor that stores your secret key
  • Verify data sent by users of your online service by hasing it with their secret key

See the source code notes for com.neolectric.dxp.Hmac on keeping the keyfile safe.