In my application, I am generating a big random number and publishing a SHA256 h

Question

In my application, I am generating a big random number and publishing a SHA256 hash of it. After the hash it published (but not the secret), anyone can submit any number, and the system will calculate and present them a SHA256 hash of the number derived by concatenating their number at the end of the secret number from my system (SHA256(A+B)). The result of that operation should not be guessable without the secret number.

I am wondering if there are any security concerns with this approach that I should be weary about, such as if the random number is of certain length, would that make the result guessable? Or is this approach cryptographically safe?

Explanation / Answer

The security concern is that the result of that operation will be guessable without the secret number, since the later part of that answer explains why it also applies to SHA-256.
(Also, SHA256(A+"") = SHA256(A).)

The random number should be long enough to make brute-force highly infeasible.
If it is and you publish HMAC(A,"") and present them with the values of HMAC(A,B),
then the result of those operations should not be guessable for non-empty strings B.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.