doc: use secure key length for HMAC generateKey
The examples for generateKey() and generateKeySync() generate 64-bit
HMAC keys. That is inadequate for virtually any HMAC instance. As per
common NIST recommendations, the minimum should be roughly 112 bits, or
more commonly 128 bits.

Due to the design of HMAC itself, it is not unreasonable to choose the
underlying hash function's block size as the key length. For many
popular hash functions (SHA-256, SHA-224, SHA-1, MD5, ...) this happens
to be 64 bytes (bytes, not bits!). This is consistent with the HMAC
implementation in .NET, for example, even though it provides virtually
no benefit over a 256-bit key.

PR-URL: #48052
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
tniessen authored and targos committed May 30, 2023
1 parent d95a5bb commit 13f163e
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions doc/api/crypto.md
Expand Up @@ -3648,7 +3648,7 @@ const {
generateKey,
} = await import('node:crypto');

generateKey('hmac', { length: 64 }, (err, key) => {
generateKey('hmac', { length: 512 }, (err, key) => {
if (err) throw err;
console.log(key.export().toString('hex')); // 46e..........620
});
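Review bot: the new `{ length: 512 }` in the `generateKey('hmac', ...)` call carries no unit, while the commit message itself has to stress "bytes, not bits" when relating this value to the 64-byte block size. Consider a trailing comment on that line, for example `// 512 bits = 64 bytes`, so a reader does not copy the number as a byte count.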
Expand All @@ -3659,7 +3659,7 @@ const {
generateKey,
} = require('node:crypto');

generateKey('hmac', { length: 64 }, (err, key) => {
generateKey('hmac', { length: 512 }, (err, key) => {
if (err) throw err;
console.log(key.export().toString('hex')); // 46e..........620
});
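Review bot: in this CommonJS variant the value 512 appears with no stated reason; the rationale (matching the block size of hashes such as SHA-256, with virtually no benefit over a 256-bit key) lives only in the commit message. A short sentence next to the example saying why 512 was chosen, and that it is not a required minimum, would keep readers from treating it as a magic number.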
Expand Down Expand Up @@ -3922,7 +3922,7 @@ const {
generateKeySync,
} = await import('node:crypto');

const key = generateKeySync('hmac', { length: 64 });
const key = generateKeySync('hmac', { length: 512 });
console.log(key.export().toString('hex')); // e89..........41e
```
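Review bot: the `generateKeySync('hmac', { length: 64 })` example is corrected, but as far as this diff shows only example lines change (4 additions, 4 deletions), so the reference text still gives no floor for `length`. Consider adding the guidance from the commit message (roughly 112 bits minimum, more commonly 128) to the description of the option, so a caller choosing their own value does not have to infer it from the example.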

Expand All @@ -3931,7 +3931,7 @@ const {
generateKeySync,
} = require('node:crypto');

const key = generateKeySync('hmac', { length: 64 });
const key = generateKeySync('hmac', { length: 512 });
console.log(key.export().toString('hex')); // e89..........41e
```
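Review bot: the unchanged context line `console.log(key.export().toString('hex'));` prints the full secret key, and now that the example generates a key of usable length it is more likely to be pasted as is. Consider a comment marking the output as illustration only, or printing something other than the raw key material.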

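The commit message's reasoning about key length and the hash block size, as an added example that is not part of the commit or of the Node.js documentation. It rebuilds HMAC-SHA-256 by hand following RFC 2104; the helper names `prepareKey`, `manualHmac`, `keyBytes` and `longKeyCollapses` are hypothetical, and the message is a constructed sample.

```javascript
// Added example: how HMAC-SHA-256 treats keys of different lengths (RFC 2104).
const { createHash, createHmac, generateKeySync } = require('node:crypto');

const BLOCK_SIZE = 64; // SHA-256 block size in bytes (512 bits)

// generateKeySync() takes the length in bits; export() returns the raw bytes.
function keyBytes(bits) {
  return generateKeySync('hmac', { length: bits }).export();
}

// RFC 2104 key preparation: a key longer than one block is replaced by its
// hash; the result is zero-padded to exactly one block.
function prepareKey(key) {
  const k = key.length > BLOCK_SIZE
    ? createHash('sha256').update(key).digest()
    : key;
  return Buffer.concat([k, Buffer.alloc(BLOCK_SIZE - k.length)]);
}

// HMAC(K, m) = H((K0 xor opad) || H((K0 xor ipad) || m))
function manualHmac(key, msg) {
  const k0 = prepareKey(key);
  const ipad = Buffer.from(k0.map((b) => b ^ 0x36));
  const opad = Buffer.from(k0.map((b) => b ^ 0x5c));
  const inner = createHash('sha256').update(ipad).update(msg).digest();
  return createHash('sha256').update(opad).update(inner).digest('hex');
}

// A key longer than the block size is equivalent to its 32-byte SHA-256
// digest, so the block size is the largest key length used without hashing.
function longKeyCollapses(key, msg) {
  const hashed = createHash('sha256').update(key).digest();
  const a = createHmac('sha256', key).update(msg).digest('hex');
  const b = createHmac('sha256', hashed).update(msg).digest('hex');
  return key.length > BLOCK_SIZE && a === b;
}

const sampleMsg = Buffer.from('constructed sample message');
for (const bits of [64, 512, 1024]) {
  const key = keyBytes(bits);
  const same = manualHmac(key, sampleMsg) ===
    createHmac('sha256', key).update(sampleMsg).digest('hex');
  console.log(`${bits}-bit key = ${key.length} bytes, manual HMAC matches: ${same}`);
}
console.log('1024-bit key collapses to its hash:',
  longKeyCollapses(keyBytes(1024), sampleMsg));
```

The old example value of 64 yields only 8 key bytes, with the remaining 56 bytes of the block being zero padding.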