doc: use secure key length for HMAC generateKey
The examples for generateKey() and generateKeySync() generate 64-bit
HMAC keys. That is inadequate for virtually any HMAC instance. As per
common NIST recommendations, the minimum should be roughly 112 bits, or
more commonly 128 bits.

Due to the design of HMAC itself, it is not unreasonable to choose the
underlying hash function's block size as the key length. For many
popular hash functions (SHA-256, SHA-224, SHA-1, MD5, ...) this happens
to be 64 bytes (bytes, not bits!). This is consistent with the HMAC
implementation in .NET, for example, even though it provides virtually
no benefit over a 256-bit key.

PR-URL: #48052
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
tniessen authored May 19, 2023
1 parent 9772065 commit 85ac915
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions doc/api/crypto.md
Expand Up @@ -3648,7 +3648,7 @@ const {
generateKey,
} = await import('node:crypto');

generateKey('hmac', { length: 64 }, (err, key) => {
generateKey('hmac', { length: 512 }, (err, key) => {
if (err) throw err;
console.log(key.export().toString('hex')); // 46e..........620
});
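Review bot: The new `{ length: 512 }` on the `generateKey('hmac', ...)` line carries no unit, while the commit message has to stress "bytes, not bits!" when it talks about the 64-byte block size. Suggest a short comment on that line, for example `// 512 bits = 64 bytes`, so a reader does not take 512 for a byte count or assume the old 64 was one.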
Expand All @@ -3659,7 +3659,7 @@ const {
generateKey,
} = require('node:crypto');

generateKey('hmac', { length: 64 }, (err, key) => {
generateKey('hmac', { length: 512 }, (err, key) => {
if (err) throw err;
console.log(key.export().toString('hex')); // 46e..........620
});
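Review bot: The unchanged context line `console.log(key.export().toString('hex')); // 46e..........620` keeps a sample output that is 16 characters wide, which is the hex length of the old 64-bit key; a 512-bit key exports as 128 hex characters. Consider updating that comment so the sample matches the new size, for example `// 46e...620 (128 hex characters)`.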
Expand Down Expand Up @@ -3922,7 +3922,7 @@ const {
generateKeySync,
} = await import('node:crypto');

const key = generateKeySync('hmac', { length: 64 });
const key = generateKeySync('hmac', { length: 512 });
console.log(key.export().toString('hex')); // e89..........41e
```
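Review bot: `generateKeySync('hmac', { length: 512 })` will be copied as the recommended size, yet the commit message says a block-size key provides virtually no benefit over a 256-bit key and puts the minimum at roughly 112 to 128 bits. Suggest saying so in the prose around this example in doc/api/crypto.md, so readers see 512 as a convenient choice for hashes with a 64-byte block and not as a required minimum.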

Expand All @@ -3931,7 +3931,7 @@ const {
generateKeySync,
} = require('node:crypto');

const key = generateKeySync('hmac', { length: 64 });
const key = generateKeySync('hmac', { length: 512 });
console.log(key.export().toString('hex')); // e89..........41e
```
