Niche, possible Naive digital message signing

My goal is a lightweight kind of message signing, comparable to PGP, except there is only a need for one private-key, no public-key associate. The goal is merely to prevent tampering of a string between two trusted entities. It starts from a trusted source, goes over the internet, then arrives at another trusted destination.

I would like to know if my naive approach is secure. In that the signing algorithm would not be practically brute forced.

1) Both source and destination have a "private key" which is just a very random number generated by uuidgen.

2) Source has a string it intends to 开发者_Python百科send to destination.

3) Source concatenates the payload string with the private key, and then sha1's the result, to produce a signature.

4) The resulting plain-text value + signature are sent to destination in a pair. "hello//SIG:12345ABCDEFG"

5) Desination receives the signed-variable, generates a signature with its known private-key, and compares agains the signature paired with the received data. If they match, it is accepted.

A variation of this will incorporate a unix timestamp rounded to the hour, making the signature expire.

My concern is if it would be feasible to bruteforce the private key given a selective set of data payloads and analyzing the resulting signatures with this approach.

Thanks

It seems like what you want to achieve is very similar to an HMAC (article on Wikipedia).

For an HMAC, you perform some additional steps to combine message and secret key into a hash. This makes the resulting hash harder to attack than one which results from simply concatenating original message and secret key and hashing that.

If you want to use cryptographic standards as much as possible (which - in my opinion - is almost always a good thing), I would look into doing it the way the HMAC definition prescribes. To make the signature expire, I would simply attach the expiration date to the message and then build the HMAC of that combined string.