HmacSHA256 using a RSA key should fail

[lhuynh-cs]

The below code should fail instead of computing the seal :

		byte[] input = "The quick brown fox jumps over the lazy dog".getBytes("UTF-8");
		
		Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

		KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
		kpg.initialize(2048);

		Mac mac = Mac.getInstance("HmacSHA256", "BC");

		KeyPair kp = kpg.generateKeyPair();
        mac.init(kp.getPrivate());

        byte[] seal = mac.doFinal(input);

Indeed, according to JCA Reference Guide:

HMAC can be used with any cryptographic hash function, e.g., SHA-256, in combination with a secret shared key

[xnox]

Why should it fail? any input is a valid HMAC key.

[lhuynh-cs]

Why should it fail? any input is a valid HMAC key.

Again, in JCA Reference Guide:

HMAC can be used with any cryptographic hash function, e.g., SHA-256, in combination with a secret shared key

And in PKCS #11 Cryptographic Token Interface Current Mechanisms Specification, section 2.20.3 General-length SHA-256-HMAC:

The keys it uses are generic secret keys

[mouse07410]

And in PKCS #11 Cryptographic Token Interface Current Mechanisms Specification, section 2.20.3 General-length SHA-256-HMAC:

The keys it uses are generic secret keys

Ignoramus (no big offense meant).

HMAC can take any byte string as a key, and any byte string as the data. When HMAC is used to extract-and-extend randomness from a non-uniformly-distributed input, usually some salt (or other non-random) stuff is fed as the "key" argument, and the data to extract randomness from - as "data".

So, you found that binary representation of an RSA private key is acceptable for HMAC.

Now, go and read Hugo Krawczyk's paper https://cseweb.ucsd.edu/~mihir/papers/kmd5.pdf, and https://www.ietf.org/rfc/rfc2104.txt, and https://link.springer.com/article/10.1007/s00145-014-9185-x

[lhuynh-cs]

HMAC can take any byte string as a key

BouncyCastle is therefore not JCA-compliant
JCA Reference Guide

A Mac object is always initialized with a (secret) key ...
...
You can initialize your Mac object with any (secret-)key object that implements the javax.crypto.SecretKey interface.

[xnox]

@lhuynh-cs

With some MAC algorithms, the (secret-)key algorithm associated with the (secret-)key object used to initialize the Mac object does not matter (this is the case with the HMAC-MD5 and HMAC-SHA1 implementations of the SunJCE provider). With others, however, the (secret-)key algorithm does matter, and an InvalidKeyException is thrown if a (secret-)key object with an inappropriate (secret-)key algorithm is used.

It clearly is provider specific what is and isn't acceptable as a MAC Key, and there are no JCA restrictions w.r.t. this.

It is weird to use RSA private key as an HMAC key - as it is actually equivalent of using SHA256(private-key) as the key. But it is secure. And it is JCA compliant. The observed behaviour may be different across different providers.

[lhuynh-cs]

It clearly is provider specific what is and isn't acceptable as a MAC Key, and there are no JCA restrictions w.r.t. this.

The restriction is that the key should be a javax.crypto.SecretKey, and an RSA private key is not