Hi David ,

I just implemented HMAC-MD5, HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512 in my HIME library (V2.04 , to be released within a few months time).
I suppose you used the same test vectors as I did (the ones from NIST for SHAxxx and RFC2202 ?) so the results should be okay .

If you like, I could give it a test run to compare results for some awkward length (very long / very short) keys for example .
Or if you send me some data/key combinations I can send you the HMAC results of my application.

(support at devotechs dot com)

Kind regards

Hi Eddy

Yes, I have used the same test vectors but also used those at Nessie for a bigger workout.

HashFile.zip is winging its way to you.

Thanks.

Got it, David. Thanks !

Kind regards

Uses for this application?

Or is this one of those cases where if I don't 'get it' from the above description, I don't need it?

In reading from the screen mode we can check the integrity of a file against its hash value. filehippo.com publishes a MD5 checksum with its downloads. OpenOffice.org 2.3.1 RC1 is currently available with a MD5 checksum of 652ABB724BC0A1033E95530A8E21FB00. The download is 107.14MB. Linux distributions are large, perhaps 700MB, and they tend to come with hash values.

After downloading it is a simple matter to navigate to the file, calculate its MD5 hash value and compare that with the above checksum. If they match then we can be confident that the download was successful. MD5 has 2^128 possible values so the chance of a collision, that is a false positive, is small.

Some years ago I bought a defragmenter which misbehaved. The author suggested I repeat the download as he had not seen the problems I was having. The second download was fine. Since then the author has published a checksum with his downloads.

In writing to the screen mode we can generate our own checksums and publish them on our websites or include with email attachments. We could have archive files which are not local but their checksums could be. I may have a file which I suspect may be corrupt. If you have the same file we can compare their respective hash values without the files moving.

Hash values can be determined for any type of file, exe, jpg, pdf and whatever.

With HashFile the hash values can be saved to file very easily and subsequently read.

With HMAC we can include a secret key, either in the form of a password/phrase or hex string, which is effectively absorbed within the hash. That plus the resulting hash will allow a recipient, who has been given the secret key, to authenticate a file as well as check its integrity. The recipient, of course, needs a utility like HashFile. Well, thats easily solved - you just give them a copy.

With HashFile we have SHA1, SHA256 and Whirlpool in addition to MD5. I favour SHA256 which is effectively a squaring of MD5's strength.

On my machine I can calculate a SHA256 hash value of a 100MB file in 1.7 seconds so we are not talking about a time consuming exercise.

Whether you would have a use for HashFile or its like, Michael, I have no idea. I can see some people using it now and again, as I do, and others may use it quite a lot.

Some websites show a message digest or hash value (often MD5) next to a downloadable file.
After you have downloaded the file, you can calculate the hash value of the file yourself with Davids program and compare it with the value shown on the website.
If these 2 values match, you know that the file on your harddisk was not tampered with or did not have any transmission errors.

That's just one use.

(Looks like David was posting at the same time ..)

Kind regards

HashFile hasn't found its way into PB downloads yet, they are obviously busy right now.

In the meantime I have decided to drop a link here.

I have implemented some code by José Roca allowing the html Read Me file to be displayed by selecting an entry in the System Menu.

Greg's RandBytes has been replaced by the Windows API equivalent. Greg's SHA256 and Whirlpool code is still there. The SHA256 code is very fast and on the heels of the MS MD5.

I doubt that I will do any more work on this project unless someone spots a bug.

I am now looking at D-HMAC [Dynamic HMAC] and a paper published in 2006. I am not aware of any code for it yet and have got the OK from one of the authors to write here about it. It will find its way into the Source Code Forum when I get time, unless someone beats me to it.

For those of you who kindly looked at V 1.0 for me you may want to download this latest version, V 1.08, which has some security features with regard the HMAC shared key. I got slated by some friends for not having a minimize button - I may have taken minimalism too far.

HashFile

finger trouble

checking that file you just sent via command line FTP arrived in one piece?