I have a project in which our API should verify a parameter about the trade.
We use a method like the demo.
Demo
Request:
Host:192.168.0.1
parameters: sign - To verify the parameter
tradeinfo
sign = sha1(secretKey + tradeinfo + secretKey);
I just noticed your issue was closed without any responses. Sorry to see that there weren't any responses at an earlier time (I'd assumed that someone would've piped in).
I guess the issue is either resolved or not important now, seeing as the issue has been closed, but I'll try to answer anyhow.
It's difficult to say exactly whether using SHA1 for your API will be safe or unsafe, without knowing the exact context of its use, how it's being used and so on. Generally though, compared to other, newer hashing algorithms, SHA1 isn't considered safe anymore, because it has recently left the club of hashing algorithms without known collisions and entered the club of hashing algorithms with known collisions (so, officially unsafe, in that regard). It's possible that your own implementation won't run into any specific security problems, but seeing as it's now officially unsafe, I can't say with any certainty that any unknown implementation of it would be safe.
Also see:
At death’s door for years, widely used SHA1 function is now dead (Actually not technically "dead", seeing as it is actually actively being used extensively throughout the internet to this day and currently, including by Git, for signing commits, but its status of being considered secure could be considered "dead", so, whatever).
Thank you anyway. I noticed that nobody answered this issue, so I closed it.
Yes, it has never been safe. I noticed that Google's team cracked the SHA-1 function some months ago.
I will also try to use the newer hashing and encrypt the trade info with AES.
And the API is using HTTPS to send information, too.
Our team is also discussing the security. And my project met a big problem now :(
However, thank you very much for answering me. Have a nice day.
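An added example, not code from this issue or from the project: the demo's `sha1(secretKey + tradeinfo + secretKey)` construction next to HMAC-SHA-256, the standard keyed-hash construction for signing a request parameter, with a constant-time server-side check. The key, the `tradeinfo` value and all function names are constructed for illustration; only the `sign` and `tradeinfo` parameter names come from the demo.

```python
import hashlib
import hmac

# Constructed sample values for illustration; not from the issue.
SECRET_KEY = b"constructed-demo-secret"
TRADE_INFO = "order=1001&amount=25.00"


def sign_demo_sha1(secret: bytes, tradeinfo: str) -> str:
    """The demo's construction: sha1(secretKey + tradeinfo + secretKey)."""
    return hashlib.sha1(secret + tradeinfo.encode() + secret).hexdigest()


def sign_hmac_sha256(secret: bytes, tradeinfo: str) -> str:
    """HMAC-SHA-256 over tradeinfo, keyed with the shared secret."""
    return hmac.new(secret, tradeinfo.encode(), hashlib.sha256).hexdigest()


def verify_request(secret: bytes, params: dict) -> bool:
    """Server-side check of the 'sign' parameter against 'tradeinfo'."""
    tradeinfo = params.get("tradeinfo")
    sign = params.get("sign")
    if not isinstance(tradeinfo, str) or not isinstance(sign, str):
        return False  # missing or malformed parameter: reject
    expected = sign_hmac_sha256(secret, tradeinfo)
    # Compare as bytes in constant time so timing does not leak how many
    # leading characters of a submitted signature were correct.
    return hmac.compare_digest(expected.encode(), sign.encode())


if __name__ == "__main__":
    good = {"tradeinfo": TRADE_INFO,
            "sign": sign_hmac_sha256(SECRET_KEY, TRADE_INFO)}
    tampered = dict(good, tradeinfo="order=1001&amount=0.01")
    print("valid request accepted:", verify_request(SECRET_KEY, good))
    print("tampered request accepted:", verify_request(SECRET_KEY, tampered))
```

HTTPS protects the request in transit; the signature is what lets the server reject a `tradeinfo` value that was changed by anyone who does not hold the secret key.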