I have the following python code:
from hashlib import sha1
secretString=b"this is the secret string"
publicData=b"x10291434"
hash=sha1(publicData+secretString).hexdigest()
Now if i send out the publicData
and hash
for public consumption. Is this safe? I want to check that when the user provides the publicData
back it matches the hash
i originally sent with my secretKey
.
I just wanted to check that I'm doing this correctly
It looks like you are trying to do HMAC
You should try using something like itsdangerous
>>> from itsdangerous import Signer
>>> s = Signer('secret-key')
>>> s.sign('my string')
'my string.wh6tMHxLgJqB6oY1uT73iMlyrOA'
>>> s.unsign('my string.wh6tMHxLgJqB6oY1uT73iMlyrOA')
'my string'
Well, SHA-1 isn't considered a safe hashing algorithm, so no, it isn't safe.
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[4] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[5][6][7] Microsoft,[8] Google,[9] Apple[10] and Mozilla[11][12][13] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
source: https://en.wikipedia.org/wiki/SHA-1
more reading: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.