VBA 中的 Base64 HMAC SHA1 字符串 [英] Base64 HMAC SHA1 String in VBA
问题描述
我正在尝试将 ASP/VBScript OAuth 库转换为 VBA.挑战之一是这行代码:
I'm trying to convert an ASP/VBScript OAuth library to VBA. One of the challenges is this line of code:
Get_Signature = b64_hmac_sha1(strSecret, strBaseSignature)
这个函数,b64_hmac_sha1 实际上是一个包含在 JavaScript 库中的函数.在我看来,从 VBA 调用 JavaScript 函数是相当不切实际的.
This function, b64_hmac_sha1 is actually a function contained in a JavaScript library. It appears to me that calling a JavaScript function from VBA is fairly impractical.
因为我对加密知之甚少,所以我什至不清楚这个 b64_hmac_sha1 函数的作用.HMAC SHA1 与 SHA1 不同吗?
Because I know so little about encryption, it's not even clear to me what this b64_hmac_sha1 function does. Is HMAC SHA1 different from SHA1?
我有点怀疑如果我只是了解这个函数实际上在做什么,我可能会在网上找到一些 VBA 代码来做我需要做的事情.如果我找不到现有函数,我可能会编写一个使用 .NET 加密库的函数(如果您知道如何调用,实际上可以从 VBA 调用 .NET 加密库).
I half suspect I might be able to find some VBA code online to do what I need to do if I just understood what this function is actually doing. If I do not find an existing function, I could possibly write one that would use the .NET Cryptography library (you can actually call the .NET cryptography libraries from VBA if you know how).
我不是在寻找将这个 JavaScript 转换为 VBA 的人.我只是想了解这个 b64_hmac_sha1 函数输出的是什么,所以如果可能的话,我可以尝试找到在 VBA 中实现相同输出的方法.
I'm not looking for someone to convert this JavaScript to VBA. I'm only trying to understand what it is that this b64_hmac_sha1 function is outputting so I can try to find ways to achieve the same output in VBA if possible.
此 JavaScript 库的副本在此网站上可见.您必须向下滚动经过 VBScript 到 JavaScript 部分.http://solstice.washington.edu/solstice/ASP_Signing_REST_Example
A copy of this JavaScript library is visible on this website. You'll have to scroll down past the VBScript to the JavaScript section. http://solstice.washington.edu/solstice/ASP_Signing_REST_Example
编辑 1:
好的,这是我最终编写和使用的函数:
OK, so here's the functions I ended up writing and using:
Public Function Base64_HMACSHA1(ByVal sTextToHash As String, ByVal sSharedSecretKey As String)
Dim asc As Object, enc As Object
Dim TextToHash() As Byte
Dim SharedSecretKey() As Byte
Set asc = CreateObject("System.Text.UTF8Encoding")
Set enc = CreateObject("System.Security.Cryptography.HMACSHA1")
TextToHash = asc.Getbytes_4(sTextToHash)
SharedSecretKey = asc.Getbytes_4(sSharedSecretKey)
enc.Key = SharedSecretKey
Dim bytes() As Byte
bytes = enc.ComputeHash_2((TextToHash))
Base64_HMACSHA1 = EncodeBase64(bytes)
Set asc = Nothing
Set enc = Nothing
End Function
Private Function EncodeBase64(ByRef arrData() As Byte) As String
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
' byte array to base64
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.nodeTypedValue = arrData
EncodeBase64 = objNode.Text
Set objNode = Nothing
Set objXML = Nothing
End Function
使用此功能:
Debug.Print Base64_HMACSHA1("abc", "123")
VAsMU9SSWDe9krP3Gr56nXC2dsQ=
推荐答案
HMAC 是一种将哈希函数(如 SHA1)转换为 消息验证码 (MAC).
HMAC is a construct for turning a hash function, like SHA1, into a Message Authentication Code (MAC).
普通的散列函数没有任何与之关联的秘密数据.这意味着任何人都可以计算摘要,假设他们有原始输入.HMAC 使用秘密密钥,因此只有拥有密钥的人才能计算输出.
Normal hash functions don't have any secret data associated with it. This means that anyone can compute the digest, assuming they have the original input. HMAC uses a secret key, so that only those in possession of the key can compute outputs.
假设我有一个文件,file.txt.我想把这个发给你,我们需要确保没有人篡改它.抱歉,我没有聪明的方法来仅用文本来表示这一点.
Suppose I have a file, file.txt. I want to send this to you, and we need to make sure nobody tampers with it. Sorry, I have no clever way to represent this with just text.
me -> file.txt -> you
me -> SHA1(file.txt) -> you
然后您通过计算您自己的 SHA1 摘要来验证结果,并验证它与我发送给您的内容相匹配.
Then you verify the result by computing your own SHA1 digest, and verifying it matches what I sent you.
现在假设攻击者在中间.不幸的是,因为没有涉及任何秘密,攻击者可以修改文件,并计算他自己的文件/摘要对.当您计算您的版本时,它将与他发送给您的内容相匹配,而您不会更聪明.
Now suppose an attacker was in the middle. Unfortunately, because there is no secret involved, the attacker can modify the file, and compute his own file/digest pair. When you compute your version, it'll match what he sent you, and you'll be none the wiser.
me -> file.txt -> attacker -> modified.txt -> you
me -> SHA1(file.txt) -> attacker -> SHA1(modified.txt) -> you
使用 HMAC,我们为计算添加了一个密钥.
With HMAC, we add a secret key to the computation.
me -> file.txt -> you
me -> SHA1_HMAC(file.txt, our_secret) -> you
当你计算你的版本时,你也应用了密钥,结果匹配.攻击者在不知道密钥的情况下无法替换摘要.
When you compute your version, you apply the secret key as well, and the result matches. The attacker, without knowledge of the key, can't replace the digest.
me -> file.txt -> attacker -> modified.txt -> you
me -> SHA1(file.txt) -> attacker -> SHA1_HMAC(modified.txt, // DOESN'T KNOW KEY) -> you
HMAC 是一种非常特殊的添加密钥的方式.不幸的是,仅将密钥连接到文件末尾或在散列之前将其预先挂起的简单方法容易受到不同的攻击(例如,长度扩展攻击).
HMAC is a very specific way of adding the secret key. Unfortunately, simple methods of just concatenating a key to the end of the file, or pre-pending it before hashing, are vulnerable to different attacks (length extension attacks, for example).
B64 是 Base64 编码输出,以使其美观.
The B64 is Base64 encoding the output, to make it pretty.
这段代码最终要做的是获取一些输入和一些秘密密钥,并计算一个 160 位的摘要,并对结果进行 base64 编码.
What this code is ultimately doing is taking some input, and some secret key, and computing a 160-bit digest, and base64 encoding the result.
在 .网络
这个看起来像VBA 的 Base64 实现
This looks like an implementation of Base64 for VBA
我希望这足够好,或者足够清楚.如果文字令人困惑,请告诉我.我尝试了几种表达方式,但似乎都没有那么清楚.
I hope this answers it well enough, or clear enough. If the text is confusing, please let me know. I tried a couple routes of how to express it, and none of them seemed that clear.
这篇关于VBA 中的 Base64 HMAC SHA1 字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
