Say I'm designing a library to sign/verify messages with SHA-256 HMAC. If the end user uses a weak开发者_C百科 shared key and sends a lot of short messages, I assume there would be risk of an attacker discovering the key.
My intuition says I should append a unique (per message) salt to the key to make reverse-engineering the key harder.
How much would key salting help, and would I gain anything by also salting the messages?
Normally people salt the key. It does increase security, both because it makes reverse-engineering the key harder, and because the same message does not always have the same MAC, so an attacker can't simply re-send a message that was sent earlier with the same MAC. I don't see what salting the message as well would get you.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论