I was studying the AWS request signature process and found that they derive the signing key from multiple sources (one and two related questions).

Specifically this:

```
kSecret = Your AWS Secret Access Key
kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")
```

I do understand the reason for using the various fields.

But why not simply concatenate all the fields and hash once? Like HMAC(kSecret, date + region + etc.)

I feel that I'm missing some basic theory but I can't express what it is.

Thanks!

Marcelo MD
    If you concatenate variable length fields you need some means of distinguishing ("abc", "d") from ("ab", "cd"). Taking a blind guess, *maybe* they did it this way to make key derivation easier for programmers. Particularly PHP programmers, since dealing with binary strings, type conversion, string escaping, and encoding is all a little awkward. – Future Security Dec 18 '19 at 17:29
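
Added example, not part of the original question or comment: the chained derivation from the question next to a single HMAC over concatenated fields, showing the boundary ambiguity the comment describes and that the chain can be completed from kDate without kSecret. It assumes HMAC-SHA256; the secret, the field values and the helper names (`mac`, `derive_chain`, `finish_from_k_date`, `naive_concat`, `length_prefixed`) are constructed for illustration.

```python
import hashlib
import hmac


def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 is assumed here; the question writes only HMAC(key, data).
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_chain(secret: str, date: str, region: str, service: str) -> dict:
    """Chained derivation from the question, keeping each intermediate key."""
    k_date = mac(("AWS4" + secret).encode(), date.encode())
    k_region = mac(k_date, region.encode())
    k_service = mac(k_region, service.encode())
    k_signing = mac(k_service, b"aws4_request")
    return {"kDate": k_date, "kRegion": k_region,
            "kService": k_service, "kSigning": k_signing}


def finish_from_k_date(k_date: bytes, region: str, service: str) -> bytes:
    """Complete the chain starting at kDate; kSecret is never needed."""
    k_region = mac(k_date, region.encode())
    return mac(mac(k_region, service.encode()), b"aws4_request")


def naive_concat(secret: str, *fields: str) -> bytes:
    """Single HMAC over plain concatenation: field boundaries are lost."""
    return mac(secret.encode(), "".join(fields).encode())


def length_prefixed(secret: str, *fields: str) -> bytes:
    """Single HMAC with a 4-byte length before each field (one possible fix)."""
    parts = [f.encode() for f in fields]
    return mac(secret.encode(), b"".join(len(p).to_bytes(4, "big") + p for p in parts))


if __name__ == "__main__":
    secret = "CONSTRUCTED-EXAMPLE-SECRET"  # constructed value, not a real key
    # ("abc", "d") and ("ab", "cd") give the same MAC when simply concatenated.
    print(naive_concat(secret, "abc", "d") == naive_concat(secret, "ab", "cd"))
    # Length prefixes keep the two field splits distinct.
    print(length_prefixed(secret, "abc", "d") == length_prefixed(secret, "ab", "cd"))
    # The chain keeps them distinct too, because each field is its own HMAC input.
    a = derive_chain(secret, "abc", "d", "s3")["kSigning"]
    b = derive_chain(secret, "ab", "cd", "s3")["kSigning"]
    print(a == b)
    # A party holding only kDate reaches the same kSigning.
    chain = derive_chain(secret, "20191218", "us-east-1", "s3")
    print(finish_from_k_date(chain["kDate"], "us-east-1", "s3") == chain["kSigning"])
```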

0 Answers