Sunday, 22 February 2015

Could overlapping SHA256 hash return to original hash at some point?



I have a system that needs to send a key to the user. This key is used for validation after the work, and we need to show that we do not change it mid-work, so in the middle of the work we send the user a SHA256 hash of the key, and after the work is done we send the real key and the hashed key so he can check that the key was the same.


The original key is a string made of 32 hexadecimal numbers between 0x00 and 0xff, so keys look like this:



key: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
hashed_key: e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9

key: d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
hashed_key: d8bdf9a0cb27a193a1127de2924b6e5a9e4c2d3b3fe42e935e160c011f3df1fc


This will need a maximum of 2 * 10^77 hashes to crack using brute force, and it is unlikely that someone has enough HD space to create a database of all possible keys.


The key we build is probably a hash of something else. For instance, in the examples they are hashes of 1 and 2 respectively, but they could be for any other string. We use some complex and random numbers (true random) to generate new secure hashes that are very unlikely to repeat.


What would happen if we keep applying SHA256 over and over? Would it circle around at some point?


And given that we have a fixed-length key to be hashed, would it be easier to break? Is there any other method more efficient for this than brute force?


This system works with money (gambling) and we had some problems with "lucky streaks", so I'm trying to understand: was it really luck, or did someone crack our system?
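An added example, not part of the original post, for the question of whether repeated hashing circles around: it iterates SHA-256 truncated to 16 and 24 bits (an assumption made so the walk finishes quickly) and uses Brent's cycle detection to measure the tail length before the sequence enters a cycle and the length of that cycle. Because the output space is finite the sequence must eventually repeat, but it returns to the starting value only when the tail length is zero; if SHA-256 is modelled as a random function, the same estimate puts both lengths at roughly 2^128 iterations for the full 256-bit output. The seeds `b"1"` and `b"2"` are constructed sample inputs.

```python
import hashlib
import math

def step(x: bytes, nbytes: int) -> bytes:
    """One iteration of the hash, truncated to nbytes so the state space can be walked."""
    return hashlib.sha256(x).digest()[:nbytes]

def iterate(x: bytes, n: int, nbytes: int) -> bytes:
    """Apply step() n times."""
    for _ in range(n):
        x = step(x, nbytes)
    return x

def brent(start: bytes, nbytes: int) -> tuple[int, int]:
    """Brent's cycle detection: returns (mu, lam) = (tail length, cycle length)."""
    power = lam = 1
    tortoise, hare = start, step(start, nbytes)
    while tortoise != hare:              # phase 1: find the cycle length
        if power == lam:                 # start a new power-of-two window
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare, nbytes)
        lam += 1
    tortoise, hare = start, iterate(start, lam, nbytes)
    mu = 0
    while tortoise != hare:              # phase 2: find where the cycle begins
        tortoise, hare = step(tortoise, nbytes), step(hare, nbytes)
        mu += 1
    return mu, lam

def returns_to_start(start: bytes, nbytes: int) -> bool:
    """True only if the start value itself lies on the cycle (no tail)."""
    return brent(start, nbytes)[0] == 0

if __name__ == "__main__":
    for nbytes in (2, 3):                # 16-bit and 24-bit truncations (assumption)
        for seed in (b"1", b"2"):        # constructed sample seeds
            start = step(seed, nbytes)
            mu, lam = brent(start, nbytes)
            # Random-function estimate for both tail and cycle: sqrt(pi * N / 8)
            expected = math.sqrt(math.pi * 256 ** nbytes / 8)
            print(f"{8 * nbytes}-bit seed={seed!r}: tail={mu} cycle={lam} "
                  f"(estimate ~{expected:.0f} each) returns_to_start={mu == 0}")
```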




