I'm using HMAC exactly as intended to verify the integrity of a message. However, the message is really an associative array (or a hash).
Since this will be done on various platforms (within and outside our control), we need a standard way to convert the array to a string.
I've seen pipes being used as separators in many places. This vulnerability in AWS is the kind of thing I wanna avoid.
Say, my message is {a:1,b:2}, would converting it to a1b2 be fine?
Or should I go for something like 1|2? (Then the key order becomes important.)
Another solution would have been JSON conversion, but JSON doesn't guarantee key order, so it may give different results in different libraries.
Various ideas we are discussing:
    data = {:c=>3,:a=>1,:b=>2}
    data.sort.join         # => "a1b2c3"
    data.values.sort.join  # => "123"
    data.sort.join('|')    # => "a|1|b|2|c|3"
I'm inclined towards the first or the third choice, but are there any ways I can judge my approach?
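
One way to judge the candidate encodings is to check whether two different hashes can serialize to the same string, since the HMAC cannot tell such messages apart. The Ruby sketch below is an added example, not part of the original post: `concat_encode` and `pipe_encode` reproduce the first and third ideas, while `canonical_encode`, `sign`, `verify` and `secure_eq` are hypothetical helpers showing a length-prefixed alternative, on the assumption that keys and values are compared as strings.

```ruby
require 'openssl'

# First and third ideas from the post: sorted pairs, joined with or without a separator.
def concat_encode(data)
  data.map { |k, v| [k.to_s, v.to_s] }.sort.join
end

def pipe_encode(data)
  data.map { |k, v| [k.to_s, v.to_s] }.sort.join('|')
end

# Length-prefixed alternative (hypothetical format): "<pair count>;" followed by
# "<byte length>:<bytes>" for every key and value, with keys sorted bytewise.
# Field boundaries come from the lengths, so no separator can be spoofed.
# Assumption: values are compared as strings, so 1 and "1" encode identically.
def canonical_encode(data)
  pairs = data.map { |k, v| [k.to_s.b, v.to_s.b] }.sort
  raise ArgumentError, 'duplicate key' if pairs.map(&:first).uniq.size != pairs.size
  body = pairs.flatten.map { |s| "#{s.bytesize}:".b + s }.join
  "#{pairs.size};".b + body
end

def sign(key, data)
  OpenSSL::HMAC.hexdigest('SHA256', key, canonical_encode(data))
end

# Comparison whose running time does not depend on where the tags differ.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify(key, data, tag)
  secure_eq(sign(key, data), tag)
end

if __FILE__ == $0
  original = { a: 1, b: 2 }       # constructed sample message
  merged   = { a: '1b2' }         # different hash, same concat encoding
  piped    = { a: '1|b|2' }       # different hash, same pipe encoding
  puts concat_encode(original) == concat_encode(merged)       # collision
  puts pipe_encode(original) == pipe_encode(piped)            # collision
  puts canonical_encode(original), canonical_encode(merged)   # distinct
end
```

Both separator-based encodings collide as soon as a value may contain key characters or the separator itself; the length-prefixed form stays distinct and is independent of key order.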