I am currently following Amazon's documentation to sign S3 URLs for download. Using hmac-sha1 is good but I want something more secure since there are inherent flaws as of 2010. Also, it is good marketing too to use strong encryption. I KNOW that others are using 256-bit encryption when signing their URLs. I too would like to use sha256 or sha512, but it seems like Amazon's docs don't tell you how this is possible. They only reference hmac-sha1 (which I'm currently using w/ success).

`Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) );`

How would I go about using something more secure?

Thanks

The Internet

1 Answer

There are inherent flaws to sha-1 but they don't carry over to hmac-sha-1, so there's no need to worry.

That being said, I actually did find the documentation you were looking for here.

Alex Guerra
  • yea, sorry I was in a bad mood. – The Internet Feb 05 '14 at 22:58
  • Why is this documentation so much more complicated than the base64 - hmacsha1 url signing docs... `Signature = URL-Encode( Base16( HMAC-SHA256( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) );` Would be nice if that's all I had to do, do I really need to specify in the headers the kind of encryption? I'll assume Base64 w/ hmacsha1 is the default – The Internet Feb 06 '14 at 00:43
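
The signing formula from the question, together with the check the receiving side performs, as an added example (not from the original posts or from Amazon's documentation). The StringToSign layout, the secret, the bucket path and the timestamps are assumptions constructed for illustration; the `digest` parameter only shows that HMAC takes the hash as a pluggable input and does not reproduce the scheme in the documentation the answer links to.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

SECRET = "constructed-secret-key-not-a-real-credential"  # constructed sample value

def string_to_sign(verb: str, expires: int, resource: str) -> str:
    # Assumed layout: verb, Content-MD5, Content-Type, Expires, resource.
    # The two empty fields are Content-MD5 and Content-Type, unused for a plain GET.
    return f"{verb}\n\n\n{expires}\n{resource}"

def sign(secret: str, to_sign: str, digest=hashlib.sha1) -> str:
    # URL-Encode(Base64(HMAC(secret, UTF-8(StringToSign)))), as in the question.
    mac = hmac.new(secret.encode("utf-8"), to_sign.encode("utf-8"), digest).digest()
    return quote(base64.b64encode(mac).decode("ascii"), safe="")

def verify(secret, verb, expires, resource, signature, now, digest=hashlib.sha1) -> bool:
    # Receiving side: reject expired links, then recompute the MAC and compare
    # in constant time so response timing does not reveal a partial match.
    if now > expires:
        return False
    expected = sign(secret, string_to_sign(verb, expires, resource), digest)
    return hmac.compare_digest(expected, signature)

def mac_length(signature: str) -> int:
    # Number of raw MAC bytes carried by a URL-encoded Base64 signature.
    return len(base64.b64decode(unquote(signature)))

if __name__ == "__main__":
    expires, now = 1_700_000_600, 1_700_000_000  # constructed timestamps
    path = "/example-bucket/report.pdf"          # constructed resource
    sts = string_to_sign("GET", expires, path)
    for name, digest in (("HMAC-SHA1", hashlib.sha1), ("HMAC-SHA256", hashlib.sha256)):
        sig = sign(SECRET, sts, digest)
        print(name, mac_length(sig), "bytes:", sig)
        print("  valid link:  ", verify(SECRET, "GET", expires, path, sig, now, digest))
        print("  other object:", verify(SECRET, "GET", expires, "/example-bucket/other.pdf", sig, now, digest))
        print("  expired:     ", verify(SECRET, "GET", expires, path, sig, expires + 1, digest))
```

Because the expiry time and the resource path are both inside the signed string, changing either one in the URL makes verification fail without the secret.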