redspider/gist:4704134

Last active December 12, 2015 03:08

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/redspider/4704134.js"></script>
Save redspider/4704134 to your computer and use it in GitHub Desktop.

Raw

We have a sequence of IDs, 1, 2, 3, 4... that are references to data. We wish to use these IDs in a URL, however we do not want them to be iterable - that is, given 3, it should not be possible to derive the URL for 2 or 4.

Our proposed solution is to generate the URL as follows:

/<hmac>-<id>/

Where hmac consists of a SHA256 HMAC of the ID using a secret key. We then verify the hmac when the URL is used.

Two questions:

Is this a mis-use of the HMAC construction?
Is a SHA256 HMAC sufficient to prevent iteration, even though offline attack against the signature is possible to attempt to obtain the key (which is long and random).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment