I couldn't respond, David – you posted in the Source Code forum. HMAC: The CNG way
Thank you.
I don't use HMAC any more. The problem is getting the secret key to the recipient.
I still use SHA256, but now sign the hash with my ECDSA256 private key. The recipient uses my ECDSA256 public key to verify the signature. If that fails, then either the wrong public key was used or the hash had been tampered with. So far, this is the same as a HMAC, but with ECDSA a success confirms that my private key had been used, and no one else should have access to it. It is what I use in my Encrypternet application. Both SHA256 and ECDSA256 have a security strength of 128 bits. Needless to say, ECDSA256 is one of the CNG APIs.
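The sign-and-verify flow described in the post above, as an added example that is not part of the original thread and is not code from the Encrypternet application. It assumes PowerShell on Windows and uses .NET's `ECDsaCng` wrapper over CNG rather than raw CNG calls; the message, the key pairs and all variable names are constructed for illustration.

```powershell
# Added example: SHA-256 + ECDSA P-256 signing through CNG (.NET ECDsaCng).
$ErrorActionPreference = 'Stop'
$sha256  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pubFmt  = [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob

# --- Sender ---------------------------------------------------------------
# Ephemeral P-256 key pair; the private half never leaves this object.
$signer = [System.Security.Cryptography.ECDsaCng]::new(256)

# Constructed sample message.
[byte[]]$message = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')

# SignData hashes the message with SHA-256 and signs the digest.
[byte[]]$signature = $signer.SignData($message, $sha256)

# Only the public blob is handed to the recipient; unlike an HMAC key,
# it does not have to be kept secret.
[byte[]]$publicBlob = $signer.Key.Export($pubFmt)

# --- Recipient ------------------------------------------------------------
$senderPublic = [System.Security.Cryptography.CngKey]::Import($publicBlob, $pubFmt)
$verifier     = [System.Security.Cryptography.ECDsaCng]::new($senderPublic)

# Case 1: untouched message, correct public key.
$okGenuine = $verifier.VerifyData($message, $signature, $sha256)

# Case 2: one bit of the message changed in transit.
[byte[]]$tampered = $message.Clone()
$tampered[0] = $tampered[0] -bxor 1
$okTampered = $verifier.VerifyData($tampered, $signature, $sha256)

# Case 3: recipient holds a public key that does not belong to the sender.
$otherKey     = [System.Security.Cryptography.ECDsaCng]::new(256)
$otherPublic  = [System.Security.Cryptography.CngKey]::Import($otherKey.Key.Export($pubFmt), $pubFmt)
$wrongVerifier = [System.Security.Cryptography.ECDsaCng]::new($otherPublic)
$okWrongKey   = $wrongVerifier.VerifyData($message, $signature, $sha256)

[pscustomobject]@{
    Genuine        = $okGenuine    # signature verifies
    TamperedData   = $okTampered   # verification fails
    WrongPublicKey = $okWrongKey   # verification fails
}

# Release the CNG handles.
$signer, $verifier, $otherKey, $wrongVerifier | ForEach-Object { $_.Dispose() }
```

A failed verification does not say which of the two failure cases occurred, so the recipient needs an authentic copy of the sender's public key before the result means anything.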