CODEWITHSUNDEEP
objective-ciosencryptionhashmd5
CodingBeagle
CodingBeagle

Reputation: 1938

MD5 Hashing in objective-c (iOS), based on a shared key

I'm currently developing an app which needs to send authentication data with it to a provided API. Basically it needs to generate a hash based on the data you want to send, based on a shared key.

The problem is that while I have been able to track down functions that will do MD5 hashing, they are not based on a key, which is absolutely crucial.

Is there any way this can be done in objective-c for the iOS platform?

The API is usually used with PHP, which provides something like this handy function:

$key = hash_hmac('md5', $postdata , $sharedkey);

Is there any chance of implementing an equal in objective-c?

Upvotes: 1

Views: 6684

Answers (2)

Nick Lockwood
Nick Lockwood

Reputation: 40995

The MD5 algorithm only uses one string as input. The convention is that you append your key (aka "salt" value) to the string you are hashing. My guess is that the PHP MD5 function has a second parameter for the key to make life easier, but you should get the same result if you just do this:

NSString *value = [data stringByAppendingString:key];
NSString *hashed = MD5HASH(value); //pseudocode

UPDATE:

Okay, I checked Wikipedia and it looks like you need to do a bit of extra work to implement HMAC-style hashing. So you have two options.

  1. Implement the HMAC algorithm on top of the MD5 hash you're already using (it doesn't look too hard - I've pasted the pseudocode below).

  2. Don't bother with HMAC - just generate the hash at both ends using a regular MD5 by concatenating the message and the key - that should be pretty secure, it's what most people do.

HMAC algorithm

function hmac (key, message)
    if (length(key) > blocksize) then
        key = hash(key) // keys longer than blocksize are shortened
    end if
    if (length(key) < blocksize) then
        key = key ∥ [0x00 * (blocksize - length(key))] // keys shorter than blocksize are zero-padded ('∥' is concatenation) 
    end if

    o_key_pad = [0x5c * blocksize] ⊕ key // Where blocksize is that of the underlying hash function
    i_key_pad = [0x36 * blocksize] ⊕ key // Where ⊕ is exclusive or (XOR)

    return hash(o_key_pad ∥ hash(i_key_pad ∥ message)) // Where '∥' is concatenation
end function

Upvotes: 4

jsd
jsd

Reputation: 7703

Typically you just append the key to the bytes that you are hashing.

So if the shared secret is "12345" and you are passing username=jsd and password=test you would construct your string like "username=jsd&password=test&secret=12345". Then the receiving end would construct its own version from the username & password + the secret, run the same md5, and receive the same value.

Upvotes: 1

Related Questions