SHA256 algorithm in Amazon Web Services

The new Amazon Web Services require us to encode the request using the SHA256 algorithm using the Amazon Access Key.
However, for all the implementations of SHA256 on the web, the encryption is done based on a text to be encrypted only, and no parameter for the key is made.
I would expect a call like strOutput = SHA256("My Text","Key") rather than SHA256("My text").
Is there anybody who has experience in this field with this?
Thanks
Valerie
valerieschupbach Asked:

askb Commented:
SHA256 is a Cryptographic hash function:

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.

The ideal cryptographic hash function has four main properties:
it is easy to compute the hash value for any given message,
it is infeasible to find a message that has a given hash,
it is infeasible to modify a message without changing its hash,
it is infeasible to find two different messages with the same hash.

Note that SHA256 is a SHA-2 variant. The SHA hash functions and friends are a set of cryptographic hash functions, and hence they don't require a key (for signing) in case you are using a HMAC.

http://en.wikipedia.org/wiki/SHA_hash_functions#SHA-256_.28a_SHA-2_variant.29_pseudocode


Here are some of the sample hashes:
SHA-256 hashes
SHA256("The quick brown fox jumps over the lazy dog")
 = d7a8fbb3 07d78094 69ca9abc b0082e4f 8d5651e4 6d3cdb76 2d02d0bf 37c9e592
// Avalanche effect when changing the last word to "cog":
SHA256("The quick brown fox jumps over the lazy cog")
 = e4c4d8f3 bf76b692 de791a17 3e053211 50f7a345 b46484fe 427f6acc 7ecc81be

The hash of the zero-length message is:
SHA256("")
 = e3b0c442 98fc1c14 9afbf4c8 996fb924 27ae41e4 649b934c a495991b 7852b855

Also, you could refer to the RFC for more test vectors, if you'd like.



0
valerieschupbach Author Commented:
Ok, but can you supply a secret key for encoding?
The Amazon Web Services documentation says "Calculate an RFC 2104-compliant HMAC with the SHA256 hash algorithm using the string above with our "dummy" Secret Access Key: 1234567890. For more information about this step, see documentation and code samples for your programming language."
So they seem to imply that you encode the text using a separate key; as far as I can see the SHA256 algorithm does not allow you to supply one.
0
askb Commented:
Now the question is comprehensive. You would need to use the HMAC-SHA-256 in order to get a keyed hash.

HMAC - In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC;

ex:
HMAC-SHA-256("input file / blob" + "Secret Key")  --->  this results in a hash which can only be verified with the same key later on.


Refer to the code samples here:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha256.aspx
0
