
I'm trying to integrate with a Web API. Looking at how they use SHA256 and HMAC to generate their signature. However, they also use what's known as a "nonce", which I had to look up. This API generates the "signature" using a secret that both of us know, combined with the URL of the request.

So, do I use the same nonce they are using to generate a signature on my end to do the validation with?

I'm looking at a sample of how they are generating their signature like this on the client end.

        // In Node: npm install crypto-js. In the browser, include crypto-js via a <script> tag instead.
        var CryptoJS = require("crypto-js");

        // The signed message is the full callback URL, including the nonce query parameter.
        var message = "https://my.server.com/new-callback?reqID=test&nonce=8cf95201-4d3c-4397-9117-d7ee6ad89d93";
        // Shared secret known to both the API and the integrator.
        var secret = "g394g732vhsdfiv34";
        // HMAC-SHA256 over the message, keyed with the secret.
        var hash = CryptoJS.HmacSHA256(message, secret);
        // The API transmits the signature base64-encoded (not hex).
        var signature = hash.toString(CryptoJS.enc.Base64);

result of signature...


// ihyCCfTHog7TDQYT4tQM5ISYSjEIaChSeJmIo3UMa+U=

However, I don't get the same result using this tool
http://www.freeformatter.com/hmac-generator.html

So to validate this on my end (within the api), I need to use the same inputs to compute the signature and then simply compare the resulting strings, correct?

What purpose does this "nonce" component serve? From what I've read, it more or less serves the same purpose as a GUID.

What am I missing?

MrTux
bitshift

1 Answer


The output I get from http://www.freeformatter.com/hmac-generator.html is hex encoded and the value you provided (ihyCCfTHog7TDQYT4tQM5ISYSjEIaChSeJmIo3UMa+U=) is base64 encoded.

If you decode the base64-encoded value, convert it to hex and compare it to the result from freeformatter (which is 8a1c8209f4c7a20ed30d0613e2d40ce484984a3108682852789988a3750c6be5), they match. You might be interested in https://stackoverflow.com/a/12987042/3906760 for conversion functions.

And yes: you compute the HMAC on both sides and compare the result. If it matches (and no one else knows the secret), you're safe.

The nonce is a random value in order to prevent replay-attacks (cf. https://en.wikipedia.org/wiki/Cryptographic_nonce).

MrTux