
HMAC (SHA1) key longer than 81 characters not possible?

Not sure whether I'm in the correct forum...

To sign a message for a specific application with an HMAC-SHA1 hash I need an 83-character key.

My problem: the function module 'SET_HMAC_KEY' throws the exception "param_length_error". After testing with several key lengths, I found out that the maximum valid length is 81. Is there any reason for this?

With 3rd party libraries (i.e. Python and JavaScript) longer keys are working.

Code:

 
CALL FUNCTION 'SET_HMAC_KEY'
  EXPORTING
    generate_random_key         = ' '
    alg                         = 'SHA1'
    keycstr                     = 'cB1phTHISISATESTVuZMDmWCz1CEMy82iBC3HgFLpE&7857T...YFqV93gRJQ'
    client_independent          = ' '
  EXCEPTIONS
    unknown_alg                 = 1
    param_length_error          = 2
    internal_error              = 3
    param_missing               = 4
    malloc_error                = 5
    abap_caller_error           = 6
    base64_error                = 7
    calc_hmac_error             = 8
    rsec_record_access_denied   = 9
    rsec_secstore_access_denied = 10
    rsec_error                  = 11
    rng_error                   = 12
    record_number_error         = 13
    OTHERS                      = 14.

Best regards, Uwe

Edited by: Julius Bussche on Aug 5, 2010 10:19 PM

I truncated the key further because in a coding tag it toasts the formatting when too long.


3 Answers

  • Best Answer
    Aug 05, 2010 at 11:30 PM

    Hi,

    that number 81 seems completely random to me. 81 characters (bytes) is 648 bits. Here is a quote from [RFC 2104 - HMAC: Keyed-Hashing for Message Authentication|http://www.faqs.org/rfcs/rfc2104.html].

    The key for HMAC can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function. Keys longer than L bytes are acceptable but the extra length would not significantly increase the function strength. (A longer key may be advisable if the randomness of the key is considered weak.)

    So there is no limit for key size but any key longer than block size (B bytes) of hash function will be compressed to B bytes. The key should be longer than output size of hash function (L bytes) which for SHA-1 is 160 bits = 20 bytes. The internal state of SHA-1 is 512 bits == 64 bytes.

    So I would suggest using the SHA-1 function to reduce any key longer than 64 bytes to 64 bytes and then passing the new key to SET_HMAC_KEY.

    Cheers

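The RFC 2104 key rule quoted in the answer above, written out as an added example (not part of the original thread and not SAP code): an 83-byte key and its SHA-1 digest used as the key give the same HMAC-SHA1. The key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # B in RFC 2104: SHA-1 block size in bytes

# Constructed sample inputs: an 83-byte printable key and a short message.
LONG_KEY = bytes(range(33, 116))
MESSAGE = b"constructed sample message"


def prepare_key(key: bytes) -> bytes:
    """RFC 2104 key setup: hash a key longer than B, then zero-pad to B bytes."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()  # 20 raw bytes
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 written out: H((K ^ opad) || H((K ^ ipad) || message))."""
    block = prepare_key(key)
    inner_pad = bytes(b ^ 0x36 for b in block)
    outer_pad = bytes(b ^ 0x5C for b in block)
    inner = hashlib.sha1(inner_pad + message).digest()
    return hashlib.sha1(outer_pad + inner).digest()


def equivalent_short_key(key: bytes) -> bytes:
    """Key of at most B bytes that produces the same HMAC-SHA1 as `key`."""
    return hashlib.sha1(key).digest() if len(key) > BLOCK_SIZE else key


if __name__ == "__main__":
    short_key = equivalent_short_key(LONG_KEY)
    print(len(LONG_KEY), len(short_key))
    print(hmac_sha1(LONG_KEY, MESSAGE).hex())
    print(hmac.new(short_key, MESSAGE, hashlib.sha1).hexdigest())
```

The replacement key is the 20-byte SHA-1 digest in raw binary form, which HMAC then zero-pads to the 64-byte block. Whether SET_HMAC_KEY accepts a binary key of that form is not shown in this thread.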

  • Aug 05, 2010 at 07:16 PM

    I'm not sure if this helps, but if you look at http://en.wikipedia.org/wiki/HMAC you will see the following text:

    The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively),

    Of course, this doesn't mean that any library included with an SAP product, or added as a third-party crypto library, will support the full 160 bits (20 bytes).

    Also, I think you will find that the encryption alg used with HMAC-SHA1 will determine the key length, not the hash alg.

    Thanks,

    Tim


  •
    Former Member
    Aug 05, 2010 at 06:16 PM

    I don't know if all would agree on this:

    This seems to be a development question.
