SHA1 hash clarification
I have the following Python code:
from hashlib import sha1
secretString=b"this is the secret string"
publicData=b"x10291434"
hash=sha1(publicData+secretString).hexdigest()
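Now, if I send publicData and hash out for public consumption, is this secure? I want to check that when the user returns publicData, it matches the hash I originally sent out with the secretKey.
I just want to check that I'm going about this the correct way.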
Well, SHA-1 is not considered a secure hashing algorithm, so no, it is not secure.
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[4] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[5][6][7] Microsoft,[8] Google,[9] Apple[10] and Mozilla[11][12][13] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
Source: https://en.wikipedia.org/wiki/SHA-1
Further reading: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
It looks like you are trying to do HMAC.
You should try using itsdangerous:
>>> from itsdangerous import Signer
>>> s = Signer('secret-key')
>>> s.sign('my string')
'my string.wh6tMHxLgJqB6oY1uT73iMlyrOA'
>>> s.unsign('my string.wh6tMHxLgJqB6oY1uT73iMlyrOA')
'my string'
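The HMAC approach this answer points to, written with Python's standard library as an added example (not code from the original posts or from the itsdangerous project). The `sign`/`verify` helper names and the `data.tag` token layout are assumptions made for illustration, and the key and data are the sample values from the question.

```python
import hashlib
import hmac

# Sample values taken from the question; a real key belongs in a secret store.
SECRET_KEY = b"this is the secret string"
PUBLIC_DATA = b"x10291434"


def sign(data: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return data + b"." + hex HMAC-SHA256 tag (hypothetical token layout)."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest().encode("ascii")
    return data + b"." + tag


def verify(token: bytes, key: bytes = SECRET_KEY):
    """Return the original data if the tag is valid, otherwise None."""
    # The tag is hex and never contains ".", so split on the last separator.
    data, sep, tag = token.rpartition(b".")
    if not sep:
        return None  # malformed token: no separator at all
    expected = hmac.new(key, data, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest takes constant time, so the check does not reveal
    # how many leading characters of a guessed tag were correct.
    if hmac.compare_digest(tag, expected):
        return data
    return None


if __name__ == "__main__":
    token = sign(PUBLIC_DATA)
    print(token)
    print(verify(token))                          # data returned unchanged
    print(verify(token.replace(b"x1", b"x2", 1)))  # altered data is rejected
```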