python 脚本可以解密在 C++ 中创建的 HASH吗?程序?
我举办了一场比赛,人们可以使用他们在 Android 应用程序中发现的密码参加比赛。我选择确保只有购买了该应用程序的人才能参加比赛的方法是使用带有 HMAC SHA256 的共享秘密编码(加密?)。
因此,我的秘密将在 Android 应用程序中以 C 进行加密(使用Crypto++,您对更好的 SHA 库有什么建议吗?我发现 Crypto++ 真的很难使用)。
这只是一个例子:
Unencrypted shared secret = "my shared secret"
Unencrypted secret code = "abcdef"
Encrypted shared secret = "dsgdfgdfgdfgfdgf"
Encrypted shared secret = "ddffgdgdf"
因此,当用户发现密码时,他们将被带到网页(python 脚本)& HMAC 加密共享密钥将作为 CGI 参数传递:
http://mysite/competition.py?encodedSecret= 3dfdfdg343jkfjk390kl
然后我的python脚本将查看CGI参数&解密它以获取共享秘密(以验证竞赛条目是否来自拥有该应用程序的用户)&密码(查看用户是否赢得了任何东西)。
我的问题是: python 脚本(使用 hashlib 模块)是否可以解密使用 Crypto++ 在 C 中加密的内容?
I have a competition that people can enter with a secret code they discover in an Android app. The method I have chosen to ensure only people who have purchased the app can enter the competition is to use shared secret encoded(encrypted?) with HMAC SHA256.
So my secret will be encrypted in C in the Android app (using Crypto++, do you have any suggestions of a beter SHA library? I am finding Crypto++ really hard to use).
This is just an example:
Unencrypted shared secret = "my shared secret"
Unencrypted secret code = "abcdef"
Encrypted shared secret = "dsgdfgdfgdfgfdgf"
Encrypted shared secret = "ddffgdgdf"
So when the user discovers the secret code they will be taken to a webpage(python script) & the HMAC encrypted shared secret will be passed as a CGI parameter:
http://mysite/competition.py?encodedSecret=3dfdfdg343jkfjk390kl
Then my python script will look at the CGI parameter & decrypt it to get the shared secret(to verify that the competition entry is from a user who has the app) & the secret code(to see if the user has won anything).
My Question is: Is it possible for a python script(using hashlib module) to decrypt something that was encrypted in C using Crypto++?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
当以这种方式使用哈希时,通常您会将秘密代码(以明文形式)以及秘密代码和共享秘密的哈希传递到您的网站。然后,网站可以执行相同的哈希(因为它知道共享秘密),并验证结果是否相同。
“破解”服务器上的哈希值需要大量额外的工作,而且我不知道它如何增加任何安全性。
如果您不能以明文形式传输代码,那么使用您的共享密钥作为对称加密算法中的密钥会更有效(例如 AES)。
When using a hash that way, normally you would pass the secret code (in plaintext) and the hash of both the secret code and the shared secret to your web site. The web site can then perform the same hash (as it knows the shared secret), and verify that the result is the same.
'Cracking' the hash on your server is a lot of extra work, and I don't see how it adds any security.
If you must not transmit the code in plaintext, it would be much more efficient to use your shared secret as the key in a symmetric encryption algorithm (e.g. AES).