hmac key and salt length


I'm using hmac sha1 to sign a userid which is passed to a third party service. The same secret is used for all users and the salt is unique for each user.

token = userid : timestamp+2hours : hmac(userid : timestamp+2hours, salt+secret)
token_hex = hex(hash)

Will hmac work for short strings? userid:timestamp can be, for example, 12:1304985212. Does the order of salt and secret matter (salt+secret vs secret+salt)? What should the shared secret length be, and what should the salt length be? Can I use the same secret to also sign messages between the server and the remote service, or is it better to generate a separate secret?

Thanks


Solution

  • You should calculate hmac(salt : userid : timestamp+2hours, secret) and transmit salt : userid : timestamp+2hours : hash. The purpose of the salt here is to make the plaintext longer and non-repeating, so it is better appended to the plaintext, not to the secret.

    If you really want to change the secret, do hmac(userid : timestamp+2hours, hash(salt : secret)); it will make the one-time secret look more like a random number.
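The construction recommended in the answer (salt inside the signed message, the shared secret as the HMAC key), written out as an added example that is not part of the question or the answer; the token layout salt:userid:expiry:hash, the hex encoding of the salt and the verify_token helper are assumptions made here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Token layout assumed here: salt_hex:userid:expiry:hmac_hex
# The salt is a fresh random value per token and is signed along with
# userid and expiry; the secret is only ever used as the HMAC key.

def make_token(userid: int, secret: bytes, expires_at: int,
               salt: Optional[bytes] = None) -> str:
    """Build salt:userid:expiry:hash for a 16-byte random salt."""
    if salt is None:
        salt = os.urandom(16)
    salt_hex = salt.hex()
    msg = f"{salt_hex}:{userid}:{expires_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha1).hexdigest()
    return f"{salt_hex}:{userid}:{expires_at}:{mac}"

def verify_token(token: str, secret: bytes, now: int) -> Optional[int]:
    """Return the userid if the MAC is valid and the token has not expired.

    Any malformed, tampered, expired or wrong-key token yields None.
    """
    try:
        salt_hex, userid_str, expiry_str, mac = token.split(":")
        bytes.fromhex(salt_hex)          # salt must be well-formed hex
        userid = int(userid_str)
        expires_at = int(expiry_str)
    except ValueError:
        return None
    # Recompute over the exact strings received, so any change to salt,
    # userid or expiry makes the MAC mismatch.
    msg = f"{salt_hex}:{userid_str}:{expiry_str}".encode()
    expected = hmac.new(secret, msg, hashlib.sha1).hexdigest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected, mac):
        return None
    if now >= expires_at:
        return None
    return userid

if __name__ == "__main__":
    secret = os.urandom(32)              # generated once, shared with the service
    issued = 1304985212                  # constructed sample timestamp from the question
    tok = make_token(12, secret, issued + 2 * 3600)
    print(tok)
    print(verify_token(tok, secret, issued))      # 12
    print(verify_token(tok, secret, issued + 7200))  # None (expired)
```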