First, let's look at a piece of HmacSHA1 and SHA1 hashing code
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on 1/31/18 10:03 AM
@author: Chen Liang
@function: HmacSHA1 vs SHA1
"""
import hashlib
import hmac


def sha1(msg):
    """SHA1 digest
    :param msg: message (str or bytes)
    :return: 40-character hex digest (20 bytes)
    """
    if isinstance(msg, str):
        msg = msg.encode('utf-8')
    sha = hashlib.sha1()
    sha.update(msg)
    return sha.hexdigest()


def hmac_sha1(key, msg):
    """HMAC-SHA1 digest
    :param key: secret key (str or bytes)
    :param msg: message to authenticate (str or bytes)
    :return: 40-character hex digest (20 bytes)
    """
    if isinstance(key, str):
        key = key.encode('utf-8')
    if isinstance(msg, str):
        msg = msg.encode('utf-8')
    m = hmac.new(key, msg, hashlib.sha1)
    return m.hexdigest()


print(hmac_sha1('FKEwTiz9Te0FWlqkS4g8hEdqAsPZfdR4', 'me'))
print(sha1('me'))
The output is
1db0e9132a8dff51e3a4d47497e29a500087da9a
b1c1d8736f20db3fb6c1c66bb1455ed43909f0d8
As you can see from the results, both HmacSHA1 and SHA1 produce a fixed-size 20-byte (160-bit) output for a message of any length. So what is the difference between them?
The answer is simple.
There is an interesting explanation in the article HMAC vs. raw SHA-1, which I translate roughly as follows.
A note first: please don't worry about the specific digest values; focus on the interesting and concise explanation.
Suppose you want to confess to your crush. You wanted to write a beautiful 14-line poem, but in the end you decide to just say "I love you".
Your message can reach the girl you like unharmed, but if you don't want anyone else tampering with it, learn a little about hashing and use the SHA-1 algorithm to generate a digest of the message.
The SHA-1 digest of "I love you" is: bb7b1901d99e8b26bb91d2debdb7d7f24b3158cf
When the girl receives the message, she recomputes the SHA-1 digest and compares it with the one you sent. If they match, the message is intact.
But some troublemaker intercepts your message, replaces it with another one, "don't call me anymore", and generates a new digest: e267e18f05cb6ea3b10b761bbac21a0f92bb8d0d. It would be hard to claim that this digest doesn't match the message your crush received.
It may seem bad, but you explain to the girl that it will never happen again. You and the girl agree to prefix the message with the text "our secret key." before hashing. The full message becomes "Our secret key. I love you", and it produces the following digest:
e0759e9b59bdd6d864d29ce3a502adb6257f7615 (the value given in the original article is wrong, as was pointed out in its comments).
Now, if the troublemaker simply replaces the digest, it has no effect, because the result the girl gets from key + msg does not match the substituted digest. So as long as nobody knows your key, nobody can forge a message.
There is one problem, however, and it is exactly the difference between SHA-1 and HMAC.
SHA-1 is an iterative algorithm: the message is split into 64-byte blocks which are processed one after another, each block's result feeding into the next, until a 20-byte digest comes out. Because messages can be of any length, and because SHA-1 keeps processing further 64-byte blocks in the same iterative way, this is where the problem arises.
The crooks want to change your message again. They may simply append more data to your message. Since your key was already consumed in an earlier block, the data appended later is not affected by your key.
If they simply append "But please don't call me anymore" to the message, compute the new digest and send it to the girl you like, she will take the whole message as what you meant. (The specific calculation requires looking at the implementation of the SHA-1 algorithm.)
So a big GG is written on your face (you want to cry)!!
But don't panic, we still have HMAC, which solves this problem by effectively sealing the message: the key is mixed into the whole hashing process rather than sitting as a prefix that data can be appended after. See the HMAC implementation for details.
According to Wikipedia, no message-extension attack against HMAC is known.
Congratulations, you got the girl, please start your journey of happiness (bah, silly input method, I mean happiness)!!
By now the difference between HmacSHA1 and SHA1 should be quite obvious; I hope this helps.
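To make the "sealing" concrete, here is an added example (not code from this post or from the referenced article) that builds HMAC-SHA1 by hand from the RFC 2104 definition, cross-checks it against Python's hmac module, and shows the receiver-side verification with a constant-time comparison. The key and messages are constructed sample values borrowed from the story; the function names are my own.

```python
import hashlib
import hmac

# SHA-1 compresses its input in 64-byte blocks; RFC 2104 uses the same size
# as the HMAC block size for SHA-1.
BLOCK_SIZE = 64

# Constructed sample data following the story in the post (not real secrets).
KEY = b"our secret key."
MSG = b"I love you"
APPENDED = b" But please don't call me anymore"


def naive_prefix_mac(key: bytes, msg: bytes) -> str:
    """The scheme from the story: SHA-1(key || msg).

    Shown only for comparison. The key is consumed in the first block(s), so
    the digest is just the running SHA-1 state after the message; data added
    after that point is not protected by the key.
    """
    return hashlib.sha1(key + msg).hexdigest()


def hmac_sha1_manual(key: bytes, msg: bytes) -> str:
    """HMAC-SHA1 built by hand from RFC 2104:

        HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))

    The key enters both the inner and the outer hash, so the tag is not the
    state of a hash that was simply fed key-then-message.
    """
    if len(key) > BLOCK_SIZE:             # keys longer than a block are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to the block size
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad_key + msg).digest()
    return hashlib.sha1(opad_key + inner).hexdigest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac_sha1_manual(key, msg) == hmac.new(key, msg, hashlib.sha1).hexdigest()


def verify_tag(key: bytes, msg: bytes, tag_hex: str) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, msg, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


if __name__ == "__main__":
    tag = hmac_sha1_manual(KEY, MSG)
    print("HMAC-SHA1 tag:          ", tag)
    print("naive SHA-1(key||msg):  ", naive_prefix_mac(KEY, MSG))
    print("matches hmac module:    ", matches_stdlib(KEY, MSG))
    print("original verifies:      ", verify_tag(KEY, MSG, tag))
    print("appended text verifies: ", verify_tag(KEY, MSG + APPENDED, tag))
```

`matches_stdlib` is worth running with a short key, a key of exactly 64 bytes and a key longer than 64 bytes, since the "hash long keys down first" step only triggers in the last case; `verify_tag` uses `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading characters of a guessed tag were right.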
Reference:
- HMAC vs. raw SHA-1
- Geek Academy – HMAC
- Geek Academy – Hashlib