
I want a client to send me a signature which I can "unsign". I found a cool package written in Python called itsdangerous which does everything I need...

>>> from itsdangerous import Signer
>>> s = Signer('secret-key')
>>> s.sign('Things you and me should only know')
'my string.wh6tMHxLgJqB6oY1uT73iMlyrOA'
>>> s.unsign('my string.wh6tMHxLgJqB6oY1uT73iMlyrOA')
'my string'

It works perfectly; however, my client is not using Python, so how do they sign the string? I.e., what does itsdangerous actually do to hash the string that my client needs to recreate?

Prometheus

1 Answer


From their documentation

class itsdangerous.Signer(secret_key, salt=None, sep='.', key_derivation=None, digest_method=None, algorithm=None)

This class can sign bytes and unsign it and validate the signature provided.

Salt can be used to namespace the hash, so that a signed string is only valid for a given namespace. Leaving this at the default value or re-using a salt value across different parts of your application where the same signed value in one part can mean something different in another part is a security risk.

Then to actually hash (emphasis mine)

default_digest_method()
The digest method to use for the signer. This defaults to sha1 but can be changed for any other function in the hashlib module.

So assuming you only hash, and don't salt afterward, they can reproduce this result with a SHA-1 hash.

Cory Kramer
  • I see, perfect: a SHA-1 hash. I see this can be done in JS too: http://www.movable-type.co.uk/scripts/sha1.html Thanks – Prometheus Jun 19 '15 at 12:53
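
The steps a non-Python client has to reproduce, written with only the standard library as an added example (not code from the posts above or from the itsdangerous project). It assumes the Signer defaults: salt `itsdangerous.Signer`, "django-concat" key derivation, HMAC-SHA1, and URL-safe base64 without padding; the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Assumed itsdangerous.Signer defaults (the page itself only mentions SHA-1).
DEFAULT_SALT = b"itsdangerous.Signer"
SEP = b"."


def derive_key(secret_key: bytes, salt: bytes = DEFAULT_SALT) -> bytes:
    # "django-concat" derivation: SHA-1 over salt + b"signer" + secret key.
    return hashlib.sha1(salt + b"signer" + secret_key).digest()


def signature(value: bytes, secret_key: bytes, salt: bytes = DEFAULT_SALT) -> bytes:
    # HMAC-SHA1 of the payload under the derived key, then URL-safe
    # base64 with the trailing "=" padding stripped.
    mac = hmac.new(derive_key(secret_key, salt), value, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def sign(value: bytes, secret_key: bytes, salt: bytes = DEFAULT_SALT) -> bytes:
    return value + SEP + signature(value, secret_key, salt)


def unsign(signed: bytes, secret_key: bytes, salt: bytes = DEFAULT_SALT) -> bytes:
    # Split on the LAST separator: the payload may contain ".", the
    # base64 signature never does.
    value, sep, sig = signed.rpartition(SEP)
    if not sep:
        raise ValueError("no separator found")
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(sig, signature(value, secret_key, salt)):
        raise ValueError("signature does not match")
    return value


if __name__ == "__main__":
    token = sign(b"my string", b"secret-key")  # constructed sample input
    print(token.decode())
    print(unsign(token, b"secret-key").decode())
```

The signature is keyed: a client that only computes a bare SHA-1 over the string, without the shared secret and the key-derivation step, produces a value that `unsign` rejects.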