I forgot my AmazonAWS secret key, but I have a couple HMAC signed requests. How can I

The signing function is as follows,

$sig = base64_encode(hash_hmac('sha256', "{$method}\n{$server}\n{$uri}\n{$query_string}", MY_PRIVATE_KEY, true));
$signature = str_replace("%7E", "~", rawurlencode($sig));

How can I deduce MY_PRIVATE_KEY, when I have all these parts
{$method}\n{$server}\n{$uri}\n{$query_string} and $signature, if possible at all?

There is 1 answer

300D7309EF17 On BEST ANSWER

You can't.*

* except with massive pools of servers to run a cracking operation. As this Quora answer states when talking about SHA256, "If this is the case, your MacBook Pro will have dissipated into nothingness as part of the heat death of the universe before it finishes cracking that password".
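
As an added example (not part of the original question or answer), the PHP below wraps the question's signing function so a captured signature can be matched against keys you still hold, such as an old config file or a password manager entry, and estimates the cost of enumerating the key space instead. The function names, the sample request, the 40-character key over a 64-symbol alphabet and the 10^12 guesses per second rate are assumptions.

```php
<?php
// Added example. Every key and request value below is constructed.

// The signing function from the question, with the key passed as a parameter.
function sign_request(string $method, string $server, string $uri, string $query, string $key): string
{
    $sig = base64_encode(hash_hmac('sha256', "{$method}\n{$server}\n{$uri}\n{$query}", $key, true));
    return str_replace('%7E', '~', rawurlencode($sig));
}

// Return the label of the stored key that reproduces $signature, or null if none does.
function find_signing_key(array $storedKeys, array $req, string $signature): ?string
{
    foreach ($storedKeys as $label => $key) {
        $expected = sign_request($req['method'], $req['server'], $req['uri'], $req['query'], $key);
        if (hash_equals($expected, $signature)) { // constant-time comparison
            return (string) $label;
        }
    }
    return null;
}

// Years needed to try every key of $length symbols drawn from $alphabet symbols.
// Works in log10 so the key count never has to be held as a number.
function exhaustive_search_years(int $alphabet, int $length, float $ratePerSecond): float
{
    $log10Seconds = $length * log10($alphabet) - log10($ratePerSecond);
    return 10 ** ($log10Seconds - log10(365.25 * 24 * 3600));
}

// Constructed request and candidate keys (assumptions, not real credentials).
$request = ['method' => 'GET', 'server' => 'service.example.com', 'uri' => '/',
            'query' => 'Action=Example&Timestamp=2020-01-01T00%3A00%3A00Z'];
$storedKeys = ['old-config-file' => 'constructed-key-one',
               'password-manager' => 'constructed-key-two'];

// Stand-in for a signature taken from one of the saved requests.
$captured = sign_request($request['method'], $request['server'], $request['uri'],
                         $request['query'], $storedKeys['password-manager']);

printf("signed by: %s\n", find_signing_key($storedKeys, $request, $captured) ?? 'none of the stored keys');
// Assumed key shape: 40 characters over 64 symbols; assumed rate: 1e12 guesses per second.
printf("exhaustive search: about %.1e years\n", exhaustive_search_years(64, 40, 1e12));
```

If none of the keys you still hold reproduces the signature, the working route is to create a new access key in IAM and deactivate the forgotten one.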