Simon Willison’s Weblog

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters.

Posted 27th August 2008 at 10:18 pm

Tagged base65, cookies, cryptography, django, djangosnippets, hashes, python, security, sha1, signedcookies, urls

6 comments

That could be useful. Thanks!

Julian - 28th August 2008 00:17 - #
Oh, and you are sure you don't mean base64?

Julian - 28th August 2008 00:20 - #
MMmm... not sure it's really worth the effort even in a cookie. For example two cookies set by .djangosnippets.org
```
158198127.1219883726.2.2.utmccn=(referral)|utmcsr= planet.intertwingly.net|utmcct=/|utmcmd=referral 
```
and
```
158198127.1504419398.1219246742.1219246742.1219883 726.2 
```
Both of those could clearly be compressed... but really, why bother?
Gavin - 28th August 2008 01:46 - #
Julian: nope, it's base65, and it's something I made up (though I'm sure it's been made up by lots of other people before). It uses all 65 characters that don't need to be encoded to pass in a URL - that's a-z, A-Z, 0-9 and the underscore, hyphen and full-stop.

Simon Willison - 28th August 2008 09:12 - #
If you just need some low-security obfuscation to prevent guessability, you could even XOR some of the bytes of your checksum together to shorten it first.

Obviously not recommended for real security needs, though.

dmc - 28th August 2008 09:49 - #
Perhaps you are interested in a reverse SHA-1 search? http://www.sha1-lookup.com

Jens Hafelmeier - 30th August 2008 11:13 - #