CODEWITHSUNDEEP
javaencryptionbase64hmac
hex
hex

Reputation: 31

HMAC Decryption

I coded HMAC decryption. I try many time to decrypt the output.

This is my code 

package javaapplication_HMAC;

import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import com.sun.org.apache.xml.internal.security.utils.Base64;
import java.util.Formatter;

public class Encryption {

    public void Encryption_Base64(String x,String y){
     String message = x;
        String key = y;
        String algorithm = "HmacSHA1";  
        try {
            Mac sha256_hmac = Mac.getInstance(algorithm);
            SecretKeySpec secret_key = new SecretKeySpec(key.getBytes("UTF-8"), algorithm);
             sha256_hmac.init(secret_key);
            String hash = Base64.encode(sha256_hmac.doFinal(message.getBytes("UTF-8")));
            System.out.println(hash);
        } catch (NoSuchAlgorithmException | UnsupportedEncodingException | InvalidKeyException e) {
            e.printStackTrace();
        }    
    }

    public static void main(String args[]) {
        Encryption encryption_base64 = new Encryption();
        encryption_base64.Encryption_Base64("test", "123456");
    }

}

The output is : QFemksWe6HuyDAJIepZd+ldchzc=

Is it possible to decrypt it?

Upvotes: 1

Views: 10674

Answers (2)

Simon Towler
Simon Towler

Reputation: 43

The HMAC is not supposed to be 'decrypted', it is supposed to be checked.

To check it, you use the same secret key the original HMAC was derived with, to get your own HMAC of the message. If you check your HMAC matches the HMAC that was sent to you with the message, then you know the sender used the same secret key you did, so you have an assurance they are probably the party they claim to be, and you have an assurance the message has not been altered since it was sent.

The crypto involved in HMAC is not used to encrypt the message. Instead it is used to make it computationally infeasible with today's computers to fake the HMAC without knowing the secret key (and infeasible with classical computers to find an arbitrary plain text and key combination that would result in the same given HMAC, a type of collision attack theoretically possible in cryptanalysis).

Upvotes: 0

Paŭlo Ebermann
Paŭlo Ebermann

Reputation: 74750

TL;DR: No.

A MAC function is also called a "keyed hash function". It is not an "encryption" in any meaning of the word. It transforms a key and a plain text into an authentication tag. The same key + plain text result in the same tag, this property is used to check that the plain text was not modified.

HMAC is a MAC built on a hash function, in your case SHA-256. As long as the hash function is not broken, you can't get the plain text back, even if you know the key.

If there is only a small set of possible plain texts, you can of course do a brute-force attack, just trying each plain text with the key to see if the tag is matching. (If the key is also unknown but from a small set, you can also try to try all possible keys.)

Upvotes: 7

Related Questions