在绳子上签字有什么危险?

2024-09-30 12:19:20 发布

您现在位置:Python中文网/ 问答频道 /正文
9722 3

我想让一个客户给我发送一个签名,我可以“取消签名”我发现了一个用Python编写的很酷的包itsdangerous它可以做我需要的一切。。。在

>>> from itsdangerous import Signer
>>> s = Signer('secret-key')
>>> s.sign('Things you and me should only know')
'my string.wh6tMHxLgJqB6oY1uT73iMlyrOA'
>>> s.unsign('my string.wh6tMHxLgJqB6oY1uT73iMlyrOA')
'my string'

它工作得很好,但是我的客户机没有使用Python,所以他们如何对字符串进行签名,也就是说,它的危险之处在于如何散列客户机需要重新创建的陷阱。在


Tags: andkeyfromimportyousecret客户机string
1条回答
网友
1楼 · 发布于 2024-09-30 12:19:20

来自their documentation

class itsdangerous.Signer(secret_key, salt=None, sep='.', key_derivation=None, digest_method=None, algorithm=None)

This class can sign bytes and unsign it and validate the signature provided.

Salt can be used to namespace the hash, so that a signed string is only valid for a given namespace. Leaving this at the default value or re-using a salt value across different parts of your application where the same signed value in one part can mean something different in another part is a security risk.

然后进行哈希运算(emphasis mine)

default_digest_method()
The digest method to use for the signer. This defaults to sha1 but can be changed for any other function in the hashlib module.

因此,假设您只进行散列,而不在之后加盐,他们可以用SHA-1散列来重现这个结果。在

相关问题 更多 >

    编程相关推荐

    热门问题