| ▲ | phire 2 days ago | ||||||||||||||||
I'm not sure it's a good idea. But it's trivial to make a secret checksum. Just take the key, concatenate it with a secret 256-bit key that only the servers know and hash it with sha256. External users might know the length of the checksum and that it was generated with sha256. But if they don't know the 256-bit key, then it's impossible for them to generate it short of running a brute force attack against your servers. But it does make the checksum pretty useless for other usecases, as nobody can verify the checksum without the secret. | |||||||||||||||||
| ▲ | ben-schaaf a day ago | parent [-] | ||||||||||||||||
Ah that makes sense. I wouldn't call that a checksum though; that's a signature :) | |||||||||||||||||
| |||||||||||||||||