Secure Token URL - How secure is it? Proxy authentication as alternative?

太阳男子 2021-02-15 18:43

I know it as a secure-token URL; maybe there is another name out there. But I think you all know it.

It's a technique mostly applied if you want to restrict content delivery.

3 answers
  • 2021-02-15 19:19

    You have many ways to secure a token:

    • Block the IP after X failed token decodings
    • Add a timestamp in your token (hashed or encrypted) to revoke the token after X days or X hours
    • My favorite: use a fast database system such as Memcached or, better, Redis to store your tokens
    • Like Facebook: generate a token with timestamp, IP etc. and encrypt it!
  • 2021-02-15 19:25

    You could basically reformulate your question to: how long does a secret token need to be to be safe?

    To answer this, consider the number of possible characters (alphanumeric plus uppercase is already 62 options per character). Secondly, ensure that the secret token is random, and not in a dictionary or something. Then, for instance, if you would take a secret token of 10 characters long, it would take 62^10 (= 839,299,365,868,340,224) attempts to brute-force (worst case; the average case would be half of that, of course). I wouldn't really be scared of that, but if you are, you could always ensure that the secret token is at least 100 chars long, in which case it takes 62^100 attempts to brute-force (which is a number of three lines in my terminal).

    In conclusion: just take a token big enough, and it should suffice.

    Of course proxy authentication does offer your clients extra control, since they can much more directly control who can look and who cannot, and this would for instance defeat email sniffing as well. But I don't think the brute-forcing needs to be a concern given a long enough token.
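The opaque-token design from the two answers above (a long random token, looked up in a fast server-side store such as Redis, revoked by expiry), as an added example that is not part of the original thread. The entropy arithmetic follows the 62-character alphabet used in the answer; the in-memory dict is a stand-in for Redis/Memcached, and the token is stored only as a SHA-256 digest so that a leaked store does not hand out usable tokens. Sample resource paths and timestamps are constructed for illustration.

```python
"""Opaque random tokens backed by a server-side store with expiry.

Added example, not code from the original thread. The dict below stands in
for a key/value store such as Redis (SET <digest> <resource> EX <ttl>).
"""
import hashlib
import math
import secrets
import string
import time
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the answer


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random token: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_bruteforce(length: int, guesses_per_second: float,
                        alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case blind brute-force time in years (average case is half)."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def new_token(length: int = 32) -> str:
    """Generate a token with the `secrets` CSPRNG, never `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(token: str) -> str:
    # Only the hash is stored: a dump of the store yields nothing redeemable.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Maps sha256(token) -> (resource, expiry). Stand-in for Redis."""

    def __init__(self) -> None:
        self._db: Dict[str, Tuple[str, float]] = {}

    def issue(self, resource: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        """Create a token granting `resource` for `ttl_seconds`."""
        token = new_token()
        expires = (time.time() if now is None else now) + ttl_seconds
        self._db[_digest(token)] = (resource, expires)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the resource for a valid token, or None if unknown/expired."""
        key = _digest(token)
        entry = self._db.get(key)
        if entry is None:
            return None
        resource, expires = entry
        if (time.time() if now is None else now) >= expires:
            self._db.pop(key, None)  # lazy expiry, like Redis TTL eviction
            return None
        return resource

    def revoke(self, token: str) -> bool:
        """Explicit revocation: the advantage of a stateful store."""
        return self._db.pop(_digest(token), None) is not None
```

A 32-character token from this alphabet carries about 190 bits of entropy, so the store lookup rather than guessing is the attacker's only route; the cost of the design is that every edge that serves content must be able to reach the store.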
  • 2021-02-15 19:32

    It's called MAC as far as I understand.

    I don't understand what's wrong with hashes. Simple calculations show that a SHA-1 hash, 160 bits, gives us very good protection. E.g. if you have a super-duper cloud which does 1 billion billion attempts per second, you need ~3000 billion billion years to brute-force it.
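The stateless variant that the first and third answers describe (a MAC over the path, an expiry timestamp and optionally the client IP, verified at the edge without a database), as an added example that is not part of the original thread. It uses HMAC-SHA256 rather than a bare hash so that only holders of the secret can produce valid tokens; the secret value, the path and the timestamps are constructed for illustration.

```python
"""Stateless secure-token URLs: HMAC over (path, expiry, optional client IP).

Added example, not code from the original thread. Assumes a shared secret
known to the signing service and to every edge that verifies the URL.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical secret for the example; load from a secret store in practice.
SECRET_KEY = b"example-shared-secret-rotate-me"


def _mac(key: bytes, path: str, expires: int, client_ip: Optional[str]) -> str:
    # Bind the tag to path, expiry and (optionally) the client address, so a
    # captured token cannot be replayed on another path, after expiry, or
    # (when bound) from another host. Newlines keep the fields unambiguous.
    msg = f"{path}\n{expires}\n{client_ip or ''}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, client_ip: Optional[str] = None,
             key: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Return `path?expires=...&token=...` valid for `ttl_seconds`."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    params = {"expires": expires, "token": _mac(key, path, expires, client_ip)}
    return f"{path}?{urlencode(params)}"


def verify_url(url: str, client_ip: Optional[str] = None,
               key: bytes = SECRET_KEY, now: Optional[int] = None) -> bool:
    """Edge-side check: well-formed, not expired, MAC matches."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        token = qs["token"][0]
    except (KeyError, ValueError, IndexError):
        return False
    current = int(time.time()) if now is None else now
    if current >= expires:
        return False  # the timestamp is how the token gets revoked
    expected = _mac(key, parts.path, expires, client_ip)
    # Constant-time comparison: a plain == leaks the tag byte by byte.
    return hmac.compare_digest(expected, token)
```

Note that a MAC only authenticates the URL; the expiry and IP are visible in the query string, which is usually fine. Encrypting the token, as the "like Facebook" bullet suggests, is only needed when the token's contents themselves must be hidden, and it does not remove the need for an integrity tag.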