dtebrq0245 2019-01-19 17:16
Views 213

Sha1 hex of a UUID, used as an access token

I am writing a Go OAuth application in which I generate a UUID, use it as an accessToken, and return it to the customer. I don't want to save the naked accessToken in the DB because it is valid for a long time. So I am generating a hash using Sha1 and saving it like below

import (
    "crypto/hmac"
    "crypto/sha1"
    "encoding/hex"

    "github.com/pborman/uuid"
)

accessToken := uuid.NewRandom()             // random (version 4) UUID handed to the client
mac := hmac.New(sha1.New, mysecretkey)      // mysecretkey holds the server-side HMAC key
mac.Write([]byte(accessToken))              // uuid.UUID is a []byte, so this hashes the 16 raw bytes;
                                            // the lookup path must hash the same representation
signed := mac.Sum(nil)
accessTokenDB := hex.EncodeToString(signed) // value stored in the unique-indexed column

Using a uuid as accessToken gives me a very low probability of collision. I want to know if accessTokenDB will also give the same very low probability of collision or not. I am saving accessTokenDB to a column which has a unique index.


1 answer

  • doujia1939 2019-01-19 17:38

    For good encrypted messages or checksums, the probability of collision is almost impossible.

    Good cryptographic and checksum algorithms produce encrypted messages which are indistinguishable from randomness. Anything less means something of the original message survives. That means any given access token is equally likely to map to any possible encrypted message. Anything less would allow an attacker to guess the message.

    The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.

    While it's not exactly broken, the security of SHA-1 has been significantly eroded. You should use SHA-256 or better.

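As an added worked example (not the original poster's code and not the pborman/uuid library's), the full issue-and-verify path the question describes, written in Go with HMAC-SHA256 as the answer recommends. It assumes a hand-rolled RFC 4122 version 4 UUID generator in place of uuid.NewRandom(), a map in place of the unique-indexed DB column, and a placeholder HMAC key; every name here is hypothetical. It also goes a step beyond the question with a birthday-bound estimate: a collision in accessTokenDB needs either two equal UUIDs (122 random bits) or an HMAC output collision (160 bits for SHA-1, 256 for SHA-256), and the second term is negligible next to the first, so the stored column collides no more often than the UUIDs themselves.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
)

// TokenStore keeps only the keyed hash of each issued token, never the token
// itself, so a leaked DB dump cannot be replayed without the HMAC key.
type TokenStore struct {
	key  []byte            // server-side HMAC key (placeholder; load it from a secret store in practice)
	rows map[string]string // accessTokenDB (hex HMAC) -> subject; stands in for the unique-indexed column
}

func NewTokenStore(key []byte) *TokenStore {
	return &TokenStore{key: key, rows: make(map[string]string)}
}

// newRandomUUID builds an RFC 4122 version 4 UUID string from crypto/rand.
// It replaces uuid.NewRandom() from the question so the example needs no
// third-party module; 122 of the 128 bits are random, 6 are fixed by the spec.
func newRandomUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// dbValue is the one deterministic transformation applied to a token both when
// it is issued and when it is presented back: HMAC-SHA256 over the exact string
// the client holds, hex encoded. Hashing the same byte representation on both
// sides is what makes the later lookup succeed.
func (s *TokenStore) dbValue(token string) string {
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

var ErrDuplicate = errors.New("token hash already present (unique index violation)")

// Issue creates a token for subject, stores only its HMAC, and returns the
// naked token to hand to the client. The duplicate check mirrors what the
// DB's unique index would do; with 122 random bits it essentially never fires.
func (s *TokenStore) Issue(subject string) (string, error) {
	token, err := newRandomUUID()
	if err != nil {
		return "", err
	}
	h := s.dbValue(token)
	if _, exists := s.rows[h]; exists {
		return "", ErrDuplicate
	}
	s.rows[h] = subject
	return token, nil
}

// Lookup recomputes the HMAC of a presented token and finds its row. In a real
// deployment this is a SELECT on the unique-indexed hash column; the map stands
// in for it here. Plain equality on the hash is fine because an attacker who
// does not hold the key cannot craft inputs that partially match a stored value.
func (s *TokenStore) Lookup(token string) (string, bool) {
	subject, ok := s.rows[s.dbValue(token)]
	return subject, ok
}

// CollisionProbability is the birthday-bound estimate n^2 / 2^(bits+1) of at
// least one collision among n uniformly random values of the given bit length.
// Use 122 for the UUID itself, 160 for a SHA-1 HMAC output, 256 for SHA-256.
func CollisionProbability(n float64, bits int) float64 {
	return n * n / math.Pow(2, float64(bits+1))
}

func main() {
	store := NewTokenStore([]byte("replace-with-a-real-32-byte-secret"))
	tok, err := store.Issue("alice")
	if err != nil {
		panic(err)
	}
	subj, ok := store.Lookup(tok)
	fmt.Println(subj, ok)
	// For a billion issued tokens the UUID term dominates; the HMAC term is ~2^-38 smaller still.
	fmt.Printf("uuid: %.3g  sha1-hmac: %.3g  sha256-hmac: %.3g\n",
		CollisionProbability(1e9, 122), CollisionProbability(1e9, 160), CollisionProbability(1e9, 256))
}
```

Running main issues a token for "alice", verifies it through the same dbValue path, and prints the three estimates for a billion tokens. If the original code hashes the 16 raw UUID bytes at issue time, the verification path must parse the client's string back to those bytes before hashing, or the lookup will never match.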