Is use sha1 sign to verify a parameter in the request safe? #77
Comments
|
Hi SakuraLove, I just noticed your issue was closed without any responses. Sorry to see that there weren't any responses at an earlier time (I'd assumed that someone would've piped in). I guess the issue is either resolved or not important now, seeing as the issue has been closed, but I'll try to answer anyhow. It's difficult to say exactly whether using SHA1 for your API will be safe or unsafe, without knowing the exact context of its use, how it's being used and so on. Generally though, compared to other, newer hashing algorithms, SHA1 isn't considered safe anymore, due to that it has recently left the club of hashing algorithms without known collisions and entered the club of hashing algorithms with known collisions (so, officially unsafe, in that regard). It's possible that your own implementation won't run into any specific security problems, but seeing as it's now officially unsafe, I can't say with any certainty that any unknown implementation of it would be safe. Also see:
|
|
Thank you anyway.I notice that nobody answered this issue so I closed it . |
I have a project that our API should verify a parameter which is about the trade.
We use a method like the demo.
Demo
Request:
Host:192.168.0.1
parameters: sign - To verify the parameter
tradeinfo
sign = sha1(secretKey + tradeinfo + secretKey);
The text was updated successfully, but these errors were encountered: