HMAC SHA1 using Java

18 January 2008 17:59 (EST)

Working with OpenID CFC project I found another way to create HMAC:SHA1 string using Java:

So I am going to include this code to next release of the project.

Discussion (17 comments)

	Reena:	18 January 2008 20:47 (EST)
	what is HMAC:SHA1.
	reply

www.yakhnov.ru:

19 January 2008 02:18 (EST)

SHA stands for Secure Hash Algorithm. The SHA hash functions are five cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.

In cryptography, a keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key.

	Gabriel:	5 March 2008 07:46 (EST)
	This is fantastic!!!! Using it for Google Checkout calculation. Thank you!!!!
	reply

rednael:

20 November 2008 01:15 (EST)

Good post,

Please also read the following article:
http://blog.rednael.com/2008/09/30/SecuringYourPasswordTransfersWithKeyedHashingHMACCramMD5.aspx

It's a walkthrough example of implementing HMAC-MD5 / Cram-MD5 on a website. The same technique can be used for various client-server situations.
The article explains the benefits of using such a password system and shows you how to implement it using the .Net library at server side (examples in C#), and using Paj’s MD5 Javascript functions at client-side.

	Jason:	12 May 2009 07:48 (EST)
	Thanks for this post! Do you know where I might find the equivalent code to decrypt the string? I have been trying to figure it out for a while, but cannot get it to work.
	reply

Tom Van Schoor:

3 November 2010 17:58 (EST)

@Jason

The whole point of hashing is that you can't decrypt it. If you want to encrypt - decrypt something you should have a look at PGP (pretty good privacy) that works with public and private keys.

Hashing exists to provide a signature. This means that you ask your client to send you plain data with on top of that a hashed version of that data using a key that you both know. When your server receives the data you should hash it in exactly the same way and compare your result with the hash provided by your client. If they are equal then you have a pretty sure idea that the data originated from the expected client.

Does this make sence to you?

	Janaya:	22 August 2011 06:52 (EST)
	I am forever indebted to you for this infomtraion.
	reply

Joseph Wilson:

18 December 2009 04:01 (EST)

Okay, if I have a string ABCDEFG and a key of ABCDEFGHIJ then how do I invoke this method?

I guess what I really need to know is how the string and key are passed to the .cfc file.

Thanks

	Kirill:	10 March 2010 21:54 (EST)
	Thanks!! That has solved my problems. I tried ColdFusion's Encode function on Enterprise Edition srever, but it would not convert it to HMAC:SHA1 anyway. By the way I used BinaryEncode() with Base64 param to make it string!
	reply

Maarten:

17 June 2010 17:25 (EST)

Great! But I do not have the java classes stated in this article. How and where can I download and install them?

Thanks

	Dmitry Yakhnov:	17 June 2010 22:42 (EST)
	All these Java classes are native to CF starting from version 7 (or even MX).
	reply

Daniel Jimenez:

4 May 2011 09:16 (EST)

Hi, I am using javax.crypto.Mac, and javax.cypto.SecretKeySpec like this:

private static byte[] hmac_sha1(String crypto, byte[] keyBytes, byte[] text) throws GeneralSecurityException {
Mac hmac;
hmac = Mac.getInstance(crypto);
SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey);
return hmac.doFinal(text);
}

I use a Thread that call this method 200.000 times generating codes. The problem is that in a x86 works just fine, but in a sparc it's too slow. Anyone can help me?

thanks in advance.

	Henry:	2 November 2011 12:16 (EST)
	How come Encrypt(signMessage,signKey,"HMAC-SHA1") doesn't work??
	reply

	Dmitry Yakhnov:	2 November 2011 12:27 (EST)
	You need to have Enterprise Edition of ColdFusion in order to use HMAC-SHA1 algorithm.
	reply

	Henry Ho:	2 November 2011 12:29 (EST)
	So it will work under Enterprise Edition of ColdFusion? Developer Edition doesn't have RSA BSafe Crypto-J ?
	reply

Henry Ho:

2 November 2011 12:58 (EST)

Just realized that they are two different things. LOL...

Would the original author please post to cflib.org and cookbooks.adobe.com?? Thank you!

Tim Garver:

15 February 2012 10:29 (EST)

I have seen a few people ask for just the HASH part of this.
Is this possible?

I am working on a project hosted on a shared standard CF9 box.
I need to use SHA-1 (160) to hash a string for comparison.

There is no key, just the form fields separated with a piper "|" and my secret on the end.
Problem is the CF standard hash produces a 40 char string instead of the 160 char string they used so mine will not match.

Iam really not sure what my problem is, because I tried to test it with their PHP example code and it does not work either. so I am stuck i guess.

Thanks in advance.
Tim

	danSF:	27 July 03:35 (EST)
	this is FABULOUS! you saved my a## :-D
	reply