by lhazlewood
4818 days ago
HMAC authentication requires both the client and the server to have a shared secret (or more likely a derived key based on a shared secret). The secret cannot be saved as a one-way hash (as might be common for a password). So you couldn't use BCrypt or SCrypt to hash the shared (or derived) secret, since the server would never be able to acquire the value to calculate the same digest. You can still encrypt the secret, e.g. using AES 256-bit encryption with secure random Initialization Vectors and rolling keys. This too is not easily 'brute forceable', but is very fast to decrypt compared to a BCrypt comparison (key storage should also be in a separate location from the main data store).
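The server-side arrangement the comment describes, written out as an added example (not code from the comment or from any library): the client's HMAC secret is stored encrypted with AES-256-GCM under a key-encryption key (KEK) that is assumed to live outside the main data store, each encryption gets a fresh random nonce, and at verification time the server decrypts the secret, recomputes the HMAC and compares in constant time. The names `sealSecret`, `openSecret`, `sign` and `verify`, the `sealedSecret` record, and all key and message values are constructed for illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sealedSecret is what the main data store holds for one client: the HMAC
// secret encrypted under a key-encryption key (KEK). The KEK itself is assumed
// to be kept elsewhere (KMS, HSM, separate vault) and is never written here.
// Hypothetical structure, not from any library.
type sealedSecret struct {
	Nonce      []byte // fresh random IV per encryption; never reused under one KEK
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// sealSecret encrypts an HMAC secret under a 32-byte KEK with a random nonce.
func sealSecret(kek, secret []byte) (sealedSecret, error) {
	block, err := aes.NewCipher(kek) // a 32-byte key selects AES-256
	if err != nil {
		return sealedSecret{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return sealedSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // crypto/rand, not math/rand
		return sealedSecret{}, err
	}
	return sealedSecret{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, secret, nil)}, nil
}

// openSecret recovers the plaintext secret. GCM rejects a wrong KEK and any
// modification of the stored record, so a tampered row cannot yield a secret.
func openSecret(kek []byte, s sealedSecret) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// sign is the client side: HMAC-SHA256 over the canonical request using the
// shared secret.
func sign(secret, message []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(message)
	return mac.Sum(nil)
}

// verify is the server side: unseal the secret, recompute the HMAC over the
// received message, and compare in constant time. Recomputing is exactly the
// step that a one-way hash of the secret (bcrypt/scrypt) would make impossible.
func verify(kek []byte, s sealedSecret, message, tag []byte) (bool, error) {
	secret, err := openSecret(kek, s)
	if err != nil {
		return false, err
	}
	return hmac.Equal(sign(secret, message), tag), nil
}

func main() {
	// Constructed demo values: in practice the KEK comes from a key manager and
	// the client secret from a CSPRNG when the API credential is issued.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	clientSecret := make([]byte, 32)
	if _, err := rand.Read(clientSecret); err != nil {
		panic(err)
	}

	stored, err := sealSecret(kek, clientSecret) // this record goes to the main DB
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:", hex.EncodeToString(stored.Ciphertext))

	msg := []byte("GET /v1/orders\nx-date: 2012-01-01T00:00:00Z") // constructed canonical request
	tag := sign(clientSecret, msg)

	ok, err := verify(kek, stored, msg, tag)
	fmt.Println("valid request accepted:", ok, err)

	tampered := []byte(string(msg) + "\nextra-header: x")
	ok, err = verify(kek, stored, tampered, tag)
	fmt.Println("tampered request accepted:", ok, err)
}
```

Note the two separate properties at work: GCM authenticates the stored record, so a wrong KEK or an altered row fails at `openSecret` rather than producing garbage; `hmac.Equal` does the tag comparison so that verification time does not leak how many leading bytes matched.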