I am writing a Go OAuth application in which I am generating a UUID and using it as an accessToken, and returning it to the customer. I don't want to save naked accessToken in DB because it is valid for a long time.. So I am generating a hash using Sha1 and saving it like below
import "github.com/pborman/uuid"
accessToken := uuid.NewRandom()
mac := hmac.New(sha1.New, mysecretkey)
mac.Write([]byte(accessToken)
signed := mac.Sum(nil)
accessTokenDB hex.EncodeToString(signed)
By using uuid as accessToken gives me very low probability of collision. I want to know if accessTokenDB will also give same very low probability of collision or not. I am saving accessTokenDB to a column which has unique index.
For good encrypted messages or checksums, the probability of collision is almost impossible.
Good cryptographic and checksum algorithms produce encrypted messages which are indistinguishable from randomness. Anything less means something of the original message survives. That means any given access token is equally likely to map to any possible encrypted message. Anything less would allow an attacker to guess the message.
The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.
While it's not exactly broken, the security of SHA-1 has been significantly eroded. You'd should use SHA-256 or better.