According to Wikipedia and verified with online HMAC routines, HMAC_SHA1("key", "The quick brown fox jumps over the lazy dog") should produce an HMAC of:
DE 7C 9B 85 B8 B7 8A A6 BC 8A 7A 36 F7 0A 90 70 1C 9D B4 D9
However, when I use the Example C Program: Creating an HMAC on MSDN:
http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
I get:
41 4E 4C 89 33 30 47 9B 9E F1 85 DF 40 6A 66 33 49 D6 3A C7
The problem seems to be in the derivation of the Key itself (TestHMAC1). Microsoft requires that the key be hashed before deriving an actual key. The Key produced can be replicated and works if both ends are using the same process, but unfortunately it can't be used to communicate with remote servers using standard HMAC. As I have demonstrated in TestHMAC3, the correct HMAC can be produced using the MS Crypto API if you import the key rather than deriving it.
In the process of determining what was wrong with the MS routine, I wrote my own HMAC routine without the use of the Crypto API (TestHMAC2). In my humble opinion, this routine is far simpler than using the API, but you can judge for yourself. The only drawback is that you need the actual unencrypted key, and not just the handle to it. For keys created by the API, that means declaring the key as CRYPT_EXPORTABLE and exporting and decrypting it.
The program uses RSA/Schannel in a custom Container. If no Exchange key pair is available for the Container, it will create them. Schannel does not support a Signature key pair, so it will not create them.
J.A. Coutts
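
An added example, not the poster's TestHMAC2 code: HMAC-SHA1 built from the bare SHA-1 primitive as RFC 2104 defines it, checked against the test vector quoted in the post. The `prehashed` case is a constructed stand-in for "hash the key before using it" and does not reproduce the output of the MSDN sample's key derivation; all function names are assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 processes 64-byte blocks


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 per RFC 2104, using only the SHA-1 hash primitive."""
    # A key longer than one block is replaced by its SHA-1 digest.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    # The key is then right-padded with zero bytes to exactly one block.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def spaced_hex(digest: bytes) -> str:
    """Format a digest the way the post prints it: 'DE 7C 9B ...'."""
    return " ".join(f"{b:02X}" for b in digest)


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Check a received tag in constant time to avoid a timing side channel."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


KEY = b"key"
MESSAGE = b"The quick brown fox jumps over the lazy dog"


def demo():
    # Raw key bytes fed straight into HMAC: what a standard peer computes.
    standard = hmac_sha1(KEY, MESSAGE)
    # Constructed stand-in (assumption): the key is hashed before use.
    # Any such transformation changes the effective key, so the tag no
    # longer matches a peer that uses the raw key.
    prehashed = hmac_sha1(hashlib.sha1(KEY).digest(), MESSAGE)
    return standard, prehashed


if __name__ == "__main__":
    standard, prehashed = demo()
    print("raw key      :", spaced_hex(standard))
    print("hashed key   :", spaced_hex(prehashed))
    print("interoperable:", verify(KEY, MESSAGE, prehashed))
```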