SHA256 algorithm in Amazon Web Services

valerieschupbach used Ask the Experts™
The new amazon web services require us to encode the request using the SHA256 algorithm using the Amazon Access Key.
However for all the implementations of SHA256 on the web the encryption is done based on a text to be encrypted only and no parameter for the key is made.
I would expect a call like strOutput = SHA256("My Text","Key") rather than SHA256("My text").
Is there anybody who has experience in this field with this?

SHA256 is a Cryptographic hash function:

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.

The ideal cryptographic hash function has four main properties:
it is easy to compute the hash value for any given message,
it is infeasible to find a message that has a given hash,
it is infeasible to modify a message without changing its hash,
it is infeasible to find two different messages with the same hash.

Note that SHA256 is a SHA-2 variant. The SHA hash functions and friends are a set of cryptographic hash functions, and hence they don't require a key (for signing) in case you are using an HMAC.

Here are some of the sample hashes:
SHA-256 hashes
SHA256("The quick brown fox jumps over the lazy dog")
 = d7a8fbb3 07d78094 69ca9abc b0082e4f 8d5651e4 6d3cdb76 2d02d0bf 37c9e592
// Avalanche effect when changing the last word to "cog":
SHA256("The quick brown fox jumps over the lazy cog")
 = e4c4d8f3 bf76b692 de791a17 3e053211 50f7a345 b46484fe 427f6acc 7ecc81be

The hash of the zero-length message is:
 = e3b0c442 98fc1c14 9afbf4c8 996fb924 27ae41e4 649b934c a495991b 7852b855

Also you could refer to the RFC for more test vectors, if you'd like.


Ok, but can you supply a secret key for encoding?
The amazon web service documentation says "Calculate an RFC 2104-compliant HMAC with the SHA256 hash algorithm using the string above with our "dummy" Secret Access Key: 1234567890. For more information about this step, see documentation and code samples for your programming language. "
So they seem to imply that you encode the text using a separate key; as far as I can see the SHA256 algorithm does not allow you to supply one.
Now the question is comprehensive. You would need to use the HMAC-SHA-256 in order to get a keyed hash.

HMAC - In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC.

HMAC-SHA-256("input file / blob" + "Secret Key")  --->  this results in a hash which can only be verified with the same key later on.

Refer to the code samples here:
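The following is an added example, not code from the original thread or from Amazon's own samples. It ties both answers together: it checks the plain SHA-256 test vectors quoted above, then builds HMAC-SHA-256 by hand from the RFC 2104 construction (inner and outer padded key blocks) and compares it with Python's standard `hmac` module, which is the "keyed" call the asker was looking for. The string-to-sign and the secret key `1234567890` are constructed sample values (the key is the "dummy" one quoted from the Amazon documentation); the exact request-canonicalization rules of the Amazon API are not reproduced here.

```python
import base64
import hashlib
import hmac


def sha256_hex(message: bytes) -> str:
    """Plain SHA-256: no key parameter exists, by design."""
    return hashlib.sha256(message).hexdigest()


def hmac_sha256_manual(key: bytes, message: bytes) -> str:
    """HMAC as specified in RFC 2104, written out step by step.

    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
    where K' is the key padded (or first hashed, if too long) to the
    hash function's block size. SHA-256 has a 64-byte block size.
    """
    block_size = 64
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(block_size, b"\x00")     # short keys are zero-padded
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + message).digest()
    return hashlib.sha256(opad_key + inner).hexdigest()


def hmac_sha256(key: bytes, message: bytes) -> str:
    """The same keyed hash via the standard library."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, expected_hex: str) -> bool:
    """Verifier side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), expected_hex)


def sign_string_to_sign(secret_key: str, string_to_sign: str) -> str:
    """Keyed signature in the shape the asker expected: f(text, key).

    Returns the base64-encoded HMAC-SHA-256 digest.
    """
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    fox = b"The quick brown fox jumps over the lazy dog"
    print("SHA256(fox)  =", sha256_hex(fox))
    print("SHA256(\"\")   =", sha256_hex(b""))

    # Constructed sample: a string-to-sign and the "dummy" key 1234567890.
    sample_string_to_sign = "GET\nexample.invalid\n/\nAction=ListThings"
    sig = sign_string_to_sign("1234567890", sample_string_to_sign)
    print("signature    =", sig)

    # The hand-rolled RFC 2104 construction matches the library.
    key = b"1234567890"
    assert hmac_sha256_manual(key, fox) == hmac_sha256(key, fox)
    # A plain hash of key+message is NOT an HMAC.
    assert sha256_hex(key + fox) != hmac_sha256(key, fox)
    print("manual HMAC matches hmac module; differs from SHA256(key||msg)")
```

A receiver that knows the same secret key recomputes the MAC over the received message and compares it with `verify_hmac`; the `compare_digest` call avoids leaking how many leading bytes matched through timing differences, which a plain `==` on strings would.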
