Login token with sha256
https://stackoverflow.com/questions/8340557
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I need to create a login token that I can pass from site 1 to site 2 in a querystring. I don't need to transfer a username or id, I just need to know on site 2 that the user has a valid login on site 1.
I currently create the token like this
timestamp|sha256(timestamp+secret)
On site 2 i create a sha256 of the given timestamp+secret, and match it with the given hash. I also check the timestamp, and doesn't validate if it's older than 5 min.
Is this a reasonably safe way of doing it?
Would it be easy to crack open the sha256 and get the secret?
Solution
You can use an HMAC to provide an authenticated message between two parties that already have a shared secret key. What you have described is very similar to an HMAC, because its a type of Message Authentication Code. Although I would actually use an HMAC function to do this.
To crack an hmac you have to brute force secret using the the Authentication Code (the hashed part of the message). The attacker knows the timestamp, so they can keep guessing the secret. Just make the secret really large and very random, like some output from /dev/random is a good choice.
OTHER TIPS
As @Rook says, you should use HMAC to authenticate your tokens.
Additionally, You need to ensure that your tokens can't be stolen. E.g., if you send that token in cleartext—either from site 1 to the user, or from the user to site 2, anyone listening in (think Firesheep) could also "prove" they have an account. The best you can do to prevent that is to use SSL/TLS.
