views:

23

answers:

1

Hello again.

Is there any known hashing algorithm, which for similar input returns similar output? I need it for creating 'tickets' without checking them against DB. My idea is that I create token carrying (userID and timestamp) (not reversable), and pass this token along with userID, and be able to check, if the token has given UserID, and, for example, was created 10 minutes ago -

for example, change on first 4 bytes gives significantly different tokens, but with change on last 4 bytes the hashing function returns similar tokens.

+2  A: 

Hm. I'd probably try HMACs: generate a secret key only known to your application. Whenever you need to hand out a new "ticket",

  • concatenate user ID and timestamp (say, using serialized representations)
  • create a HMAC digest of the above , using the "secret key" as the signing key

Then hand out the triple (user ID, timestamp, digest) to other parties. In order to veriy such a ticket, just do the same:

  • extract the user ID and timestamp from the triple.
  • generate the HMAC just like above from this information

The generated digests have to match, otherwise someone did try to present you a tampered ticket. This is secure, since only your application knows the secret key, and thus, can generate a suitable HMAC digest. Since the timestamp information comes back plain to you, you can make all required tests with respect to some timing window or whatever.

Dirk