
Note that for short messages, hashes are unlikely to effectively conceal the content. English text has about 1 bit of information per character, and auto-sent messages are going to contain even less information. Not that Google is likely to have a particular interest in that one-time code you receive via SMS, but it could almost surely brute-force the hash in a fraction of a second if it did.



I figured it was unlikely Google would make such a mistake, so I looked at the docs. They use public key cryptography to generate a private shared secret that is hashed alongside the message. This prevents the brute force hash attack.

https://developers.google.com/business-communications/verifi...


Awesome! Thanks for looking this up, instead of just speculating.

Btw, in some sense this is exactly the same stuff you'd have to do to make committing to a single bit work. Or encrypting a short message, in a way that's not easy to crack.


I read this as hashing the content for verification, not hashing for concealment.


The easier it is to brute force an SMS message hash, the less sensitive the information is. Generally.


6-digit numerical codes are pretty easy to brute-force, and some of the most sensitive things transported over SMS.
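
As an added illustration (not code from any commenter or from Google's documentation), the sketch below shows the point made in the thread: an unkeyed hash of a 6-digit code message is recovered by enumerating one million candidates, while a digest keyed with a secret the observer lacks is not. The message template, the sample code and the random 32-byte secret standing in for the key-agreement output are constructed, and HMAC-SHA256 as the keyed hash is an assumption rather than the documented scheme.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed SMS template; assumed to be known to the observer.
TEMPLATE = "Your verification code is {code}"

def plain_digest(message: str) -> str:
    """Unkeyed SHA-256 of the message text."""
    return hashlib.sha256(message.encode()).hexdigest()

def keyed_digest(secret: bytes, message: str) -> str:
    """HMAC-SHA256 under a shared secret (assumed construction, see lead-in)."""
    return hmac.digest(secret, message.encode(), "sha256").hex()

def recover_code(target: str, digest_fn: Callable[[str], str]) -> Optional[str]:
    """Hash every 6-digit candidate; return the code whose digest equals target."""
    for n in range(1_000_000):
        code = f"{n:06d}"
        if digest_fn(TEMPLATE.format(code=code)) == target:
            return code
    return None

if __name__ == "__main__":
    message = TEMPLATE.format(code="493027")  # constructed sample code

    # Unkeyed: the digest alone is enough to recover the code.
    print("plain:", recover_code(plain_digest(message), plain_digest))

    # Keyed: the observer does not hold the secret, so it can only guess a key.
    secret = secrets.token_bytes(32)   # stand-in for the key-agreement output
    guess = secrets.token_bytes(32)    # observer's wrong key
    target = keyed_digest(secret, message)
    print("keyed:", recover_code(target, lambda m: keyed_digest(guess, m)))
```

The search space of the message no longer matters once the digest depends on a high-entropy secret: the observer would have to guess the 256-bit key, not the 6 digits.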



