On Mon, 21 Feb 2011 02:27:36 -0800 (PST), Stuart Longland wrote:
[snip]
> Before I worried about that though, I needed to have some kind of
> understanding as to how the hmac module was used. "Arbitrary string",
> sounds to me like I give it something akin to a passphrase, and that
> is hashed(?) to provide the symmetric key for the HMAC. Wikipedia
> seems to suggest it depends on the length of the key given, so if I
> give it a string that's exactly 160-bits (for HMAC-SHA1) it'll use it
> unmodified. Would that be a correct assertion?

Yes. I predict that you will be glad you look at RFC 2104,

    http://www.ietf.org/rfc/rfc2104.txt

where you will find HMAC summarized as

    H(K XOR opad, H(K XOR ipad, text))

Here, opad is a block filled with the byte 0x5C, and ipad is a block
filled with the byte 0x36. If the key is no longer than one block
(and a block is 64 bytes for SHA and MD5), then K is just the key
itself; otherwise, K is a hash of the key.

--
To email me, substitute nowhere->spamcop, invalid->net.
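
Added example (not part of the original post): the RFC 2104 construction written out with hashlib and checked against the standard hmac module. It goes slightly beyond the summary above by showing the zero-padding of short keys to one block, as RFC 2104 specifies; the function names, keys and message are constructed for illustration.

```python
# Added example: HMAC built by hand from the RFC 2104 formula and compared
# with Python's hmac module. Keys and message are constructed sample values.
import hashlib
import hmac


def rfc2104_hmac(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """H(K XOR opad, H(K XOR ipad, text)), where ',' means concatenation."""
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-1 and MD5
    if len(key) > block_size:
        # A key longer than one block is replaced by its hash.
        key = hashlib.new(hash_name, key).digest()
    # RFC 2104: append zero bytes so K fills exactly one block.
    k = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in k)
    k_opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.new(hash_name, k_ipad + text).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha1") -> bool:
    """True if the hand-built HMAC equals the hmac module's result."""
    expected = hmac.new(key, text, hash_name).digest()
    return hmac.compare_digest(rfc2104_hmac(key, text, hash_name), expected)


MESSAGE = b"constructed sample message"
KEY_160 = bytes(range(20))   # exactly 160 bits, shorter than one block
KEY_LONG = b"k" * 100        # longer than one 64-byte block


def equivalent_keys_demo() -> tuple:
    """Two consequences of the key handling that matter when choosing keys."""
    # Zero padding: a key and the same key with trailing NULs give one MAC.
    padded_same = (rfc2104_hmac(KEY_160, MESSAGE)
                   == rfc2104_hmac(KEY_160 + b"\x00" * 5, MESSAGE))
    # Hashing: an over-long key and its SHA-1 digest give one MAC.
    hashed_same = (rfc2104_hmac(KEY_LONG, MESSAGE)
                   == rfc2104_hmac(hashlib.sha1(KEY_LONG).digest(), MESSAGE))
    return padded_same, hashed_same


if __name__ == "__main__":
    print("160-bit key matches hmac module:", matches_stdlib(KEY_160, MESSAGE))
    print("100-byte key matches hmac module:", matches_stdlib(KEY_LONG, MESSAGE))
    print("equivalent keys (padded, hashed):", equivalent_keys_demo())
```

Because of the padding and hashing steps, distinct key strings can map to the same effective key, so keys are best generated as fixed-length random bytes rather than variable-length text.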