Generate a strong HMACSHA256 key in C#

Question

I'm looking to implement HMACSHA256 request signing in an API I'm building. From what I understood from https://www.rfc-editor.org/rfc/rfc4868, it's best that the secret key be the same number of bits as the hashing algorithm (i.e. SHA256 secret keys should be 256 bits/32 bytes).

Can I use one of the many different random number generators out there for C# or is there a specific way that these keys need to be generated.

Lastly, Amazon Web Services uses HMACSHA256, but they secret keys they provide (at least to me) is 320 bits/40 bytes (when the key is converted to bytes using UTF-8, see https://github.com/aws/aws-sdk-net/blob/master/AWSSDK/Amazon.Runtime/Internal/Auth/AWS4Signer.cs#L205-L232). Is there a reason to use more than needed by the hashing algorithm since it's truncated?

Omar · Answer 1 · 2016-05-24T18:08:21.897

29

One way to generate a (presumably secure) key is:

var hmac = new HMACSHA256();
var key = Convert.ToBase64String(hmac.Key);

edited May 24 '16 at 18:08

answered Jul 10 '13 at 16:28

Omar

39,496
45
145
213

1

Base64 is not the same as Hex, IE your variable name is misleading. – Peter May 24 '16 at 12:03
1

@Peter, thanks for pointing that out, I've modified the variable name. – Omar May 24 '16 at 18:08

score 10 · Accepted Answer · edited Feb 06 '21 at 22:48

If a key is longer than the HMAC supports, it'll usually be hashed to the proper size. This is mainly to support human-readable keys of arbitrary length. If you're generating a key programatically and don't need it to be human-readable, I'd recommend using RandomNumberGenerator. This is basically what it was made for.

using System.Security.Cryptography;

using RandomNumberGenerator rng = RandomNumberGenerator.Create();

byte[] data = new byte[32];
rng.GetBytes(data);

Generate a strong HMACSHA256 key in C#

2 Answers2