Simon Willison's Weblog: sha1http://simonwillison.net/2010-01-24T13:30:58+00:00Simon WillisonDon't Hash Secrets2010-01-24T13:30:58+00:002010-01-24T13:30:58+00:00https://simonwillison.net/2010/Jan/24/benlog/#atom-tag
<p><strong><a href="http://benlog.com/articles/2008/06/19/dont-hash-secrets/">Don't Hash Secrets</a></strong></p>
A well written explanation from 2008 of why you must use hmac instead of raw SHA-1 when hashing against a secret.
<p>Tags: <a href="https://simonwillison.net/tags/cryptography">cryptography</a>, <a href="https://simonwillison.net/tags/hmac">hmac</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/sha1">sha1</a>, <a href="https://simonwillison.net/tags/signing">signing</a></p>
Design and code review requested for Django string signing / signed cookies2010-01-04T13:24:50+00:002010-01-04T13:24:50+00:00https://simonwillison.net/2010/Jan/4/codereview/#atom-tag
<p><strong><a href="http://groups.google.com/group/django-developers/browse_thread/thread/297e8b22006f7f3a">Design and code review requested for Django string signing / signed cookies</a></strong></p>
Do you know your way around web app security and cryptography (in particular signing things using hmac and sha1)? We’d appreciate your help reviewing the usage of these concepts in Django’s proposed string signing and signed cookie implementations.
<p>Tags: <a href="https://simonwillison.net/tags/code-review">code-review</a>, <a href="https://simonwillison.net/tags/cryptography">cryptography</a>, <a href="https://simonwillison.net/tags/django">django</a>, <a href="https://simonwillison.net/tags/hashing">hashing</a>, <a href="https://simonwillison.net/tags/hmac">hmac</a>, <a href="https://simonwillison.net/tags/python">python</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/sha1">sha1</a></p>
Django snippets: Sign a string using SHA1, then shrink it using url-safe base652008-08-27T22:18:49+00:002008-08-27T22:18:49+00:00https://simonwillison.net/2008/Aug/27/snippets/#atom-tag
<p><strong><a href="http://www.djangosnippets.org/snippets/1004/">Django snippets: Sign a string using SHA1, then shrink it using url-safe base65</a></strong></p>
I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters.
<p>Tags: <a href="https://simonwillison.net/tags/base65">base65</a>, <a href="https://simonwillison.net/tags/cookies">cookies</a>, <a href="https://simonwillison.net/tags/cryptography">cryptography</a>, <a href="https://simonwillison.net/tags/django">django</a>, <a href="https://simonwillison.net/tags/django-snippets">django-snippets</a>, <a href="https://simonwillison.net/tags/hashes">hashes</a>, <a href="https://simonwillison.net/tags/python">python</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/sha1">sha1</a>, <a href="https://simonwillison.net/tags/signedcookies">signedcookies</a>, <a href="https://simonwillison.net/tags/urls">urls</a></p>
hash2008-03-30T18:34:22+00:002008-03-30T18:34:22+00:00https://simonwillison.net/2008/Mar/30/hash/#atom-tag
<p><strong><a href="http://blog.360.yahoo.com/blog-TBPekxc1dLNy5DOloPfzVvFIVOWMB0li?p=789">hash</a></strong></p>
Douglas Crockford: “Any HTML tag that accepts a src= or href= attribute should also be allowed to take a hash= attribute”—to protect against file tampering and (more importantly) provide a truly robust caching mechanism.
<p>Tags: <a href="https://simonwillison.net/tags/caching">caching</a>, <a href="https://simonwillison.net/tags/douglas-crockford">douglas-crockford</a>, <a href="https://simonwillison.net/tags/hash">hash</a>, <a href="https://simonwillison.net/tags/html">html</a>, <a href="https://simonwillison.net/tags/sha1">sha1</a></p>