comp.lang.python

Encryption Recommendation

rogerrath2@gmail.com

1/28/2008 3:17:00 PM

Hello -

I'm still using Python 2.4. In my code, I want to encrypt a password
and at another point decrypt it. What is the standard way of doing
encryption in python? Is it the Pycrypto module?

Roger
6 Answers

Diez B. Roggisch

1/28/2008 3:28:00 PM

0

rogerrath2@gmail.com wrote:

> Hello -
>
> I'm still using Python 2.4. In my code, I want to encrypt a password
> and at another point decrypt it. What is the standard way of doing
> encryption in python? Is it the Pycrypto module?

Usually, one doesn't store clear-text passwords. Instead, use a
hash-algorithm like md5 or crypt (the former is in the standard lib, don't
know of the other out of my head) and hash the password, and store that
hash.

If a user enters the password, use the same algorithm, and compare the
resulting hashes with the stored one.

Diez

Tim Chase

1/28/2008 4:23:00 PM

0

> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.

Python offers md5, and SHA modules built-in. (yay, python!)

http://docs.python.org/lib/modul...
http://docs.python.org/lib/modul...

It does also offer access to the crypt() function on Unix-like
OS'es but not Win32:

http://docs.python.org/lib/module-...

but it's based on DES which is no longer considered particularly
secure. From what I've seen, even MD5 is being phased out in
favor of SHA.

> If a user enters the password, use the same algorithm, and compare the
> resulting hashes with the stored one.

Generally one adds a "salt" to the mix, a random piece of data
that's stored with the password, so that if two users use the
same password, the salt makes them appear like different
passwords:

import sha
import string
from random import choice

SALT_CHAR_COUNT = 5
salt_chars = (string.letters +
              string.digits +
              string.punctuation)

def is_valid(username, password):
    correct_hash, salt = get_hash_and_salt(username)
    # same salt + same password must give the same hex digest
    test_hash = sha.new(salt + password).hexdigest()
    return test_hash == correct_hash

def set_password(username, password):
    # random salt, stored next to the hash so is_valid() can reuse it
    salt = ''.join([choice(salt_chars)
                    for _ in xrange(SALT_CHAR_COUNT)])
    # store the hex digest (a string), not the sha object
    hash = sha.new(salt + password).hexdigest()
    save_user(username, salt, hash)

Implementing get_hash_and_salt() and save_user() (and perhaps
tweaking the desired set of salt_chars) are left as an exercise
to the reader, using whatever persistent storage mechanism suits.

-tkc




Andreas Tawn

1/28/2008 5:17:00 PM

0

>> I'm still using Python 2.4. In my code, I want to encrypt a password
>> and at another point decrypt it. What is the standard way of doing
>> encryption in python? Is it the Pycrypto module?
>
> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.
>
> If a user enters the password, use the same algorithm, and compare the
> resulting hashes with the stored one.
>

Have a look at the hashlib module. Should have everything you need.

There's a write up in a recent episode of Doug Hellmann's most excellent
"Python Module of the Week".

http://blog.doughellmann.com/2008/01/pymotw-ha...

Cheers,

Drea

Paul Rubin

1/28/2008 5:53:00 PM

0

"Diez B. Roggisch" <deets@nospam.web.de> writes:
> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.

Rather, use the HMAC module, with a secret key, to thwart dictionary
attacks against the hash.
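The two pieces of advice in this thread, a per-user salt (Tim Chase's post) and a keyed HMAC with a server secret (Paul Rubin's post), fit together. The following is an added example, not code from any of the posters, written for current Python 3 rather than 2.4: it goes a step beyond the thread by running the salted password through PBKDF2 (iterated HMAC-SHA256) before keying the result with the server secret, and it uses a constant-time comparison. `SERVER_KEY`, the in-memory `_users` store, and the user names are constructed for the example; the store stands in for the `get_hash_and_salt()`/`save_user()` functions the thread leaves to the reader.

```python
import hashlib
import hmac
import os

# Assumption (constructed for this example): a server-side secret held outside
# the user database, e.g. in an environment variable or a KMS. A copy of the
# table alone is then not enough to run a dictionary search against the stored
# digests, which is the reason for keying the hash.
SERVER_KEY = b"example-server-key-replace-in-deployment"

SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000

# Stand-in for the persistent store the thread leaves as an exercise:
# username -> (salt, digest)
_users = {}


def _digest(salt, password, key=SERVER_KEY):
    """Slow salted hash of the password, then keyed with the server secret."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)
    return hmac.new(key, slow, hashlib.sha256).hexdigest()


def set_password(username, password):
    """Store a fresh random salt and the keyed digest; return the record."""
    salt = os.urandom(SALT_BYTES)
    record = (salt, _digest(salt, password))
    _users[username] = record
    return record


def get_hash_and_salt(username):
    salt, digest = _users[username]
    return digest, salt


def is_valid(username, password, key=SERVER_KEY):
    """Recompute the digest for the typed password and compare it."""
    if username not in _users:
        return False
    correct_hash, salt = get_hash_and_salt(username)
    test_hash = _digest(salt, password, key)
    # Constant-time comparison so response time does not leak how many
    # leading characters of the digest matched.
    return hmac.compare_digest(test_hash, correct_hash)


if __name__ == "__main__":
    r1 = set_password("alice", "correct horse")
    r2 = set_password("bob", "correct horse")
    print("same password, different records:", r1 != r2)
    print("alice ok:", is_valid("alice", "correct horse"))
    print("alice wrong:", is_valid("alice", "Correct horse"))
```

The salt defeats the "two users, one hash" problem; the server key means an attacker who only obtains the table cannot test candidate passwords offline; PBKDF2 makes each guess expensive even for someone who has both. In a deployment the key would be rotated with a re-hash on next login, and a purpose-built password hash (bcrypt, scrypt, Argon2) would replace the PBKDF2 step.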

Michael Ströder

1/29/2008 9:10:00 AM

0

Diez B. Roggisch wrote:
> rogerrath2@gmail.com wrote:
>
>> I'm still using Python 2.4. In my code, I want to encrypt a password
>> and at another point decrypt it. What is the standard way of doing
>> encryption in python? Is it the Pycrypto module?
>
> Usually, one doesn't store clear-text passwords. Instead, use a
> hash-algorithm like md5 or crypt (the former is in the standard lib, don't
> know of the other out of my head) and hash the password, and store that
> hash.
>
> If a user enters the password, use the same algorithm, and compare the
> resulting hashes with the stored one.

And don't forget to add a salt so that same passwords do not have the
same hash.

But if the password checking is done with a challenge-response mechanism
(e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's required that the
instance checking the password has the clear-text password available. So
reversible encryption for storing passwords might be required.

Ciao, Michael.
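The challenge-response case above is worth seeing end to end: the verifier must hold either the cleartext password or a password-equivalent derived from it, so a salted one-way hash of the kind shown earlier in the thread cannot be used to check the response. The following added example (not from the post, and not real HTTP) is a simplified Digest exchange in the RFC 2069 style, without qop or cnonce. The server keeps only HA1 = MD5(username:realm:password), which RFC 2617 permits in place of the password, and rejects nonce reuse. The realm, user name and password are constructed for the example.

```python
import hashlib
import hmac
import os


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): the secret the verifier needs."""
    return _md5("%s:%s:%s" % (username, realm, password))


def digest_response(h_a1, nonce, method, uri):
    """RFC 2069-style response (no qop/cnonce, for brevity)."""
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s" % (h_a1, nonce, ha2))


class DigestVerifier:
    """Server side: stores HA1 per user, issues nonces, checks responses."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.outstanding = set()

    def register(self, username, password):
        # Only HA1 is kept; the cleartext password is discarded. HA1 is still
        # password-equivalent for this realm, so it must be protected like one.
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.outstanding:
            return False  # unknown or already used nonce: replay rejected
        self.outstanding.discard(nonce)
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, nonce, method, uri)
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, typed_password, method="GET", uri="/secret"):
    """Client receives a nonce and answers with the digest; returns (nonce, verdict)."""
    nonce = server.challenge()
    # The client derives HA1 from what the user typed; the password itself
    # never goes over the wire, only the MD5 response does.
    response = digest_response(ha1(username, server.realm, typed_password),
                               nonce, method, uri)
    return nonce, server.verify(username, nonce, method, uri, response)


if __name__ == "__main__":
    srv = DigestVerifier("example")
    srv.register("alice", "hunter2")
    print("correct password:", run_exchange(srv, "alice", "hunter2")[1])
    print("wrong password:  ", run_exchange(srv, "alice", "hunter3")[1])
```

Storing HA1 instead of the password limits the damage to one realm, but a leaked HA1 still lets the holder answer challenges for that realm, which is why this store needs the same protection as a cleartext password.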

Paul Rubin

1/29/2008 9:36:00 AM

0

Michael Ströder <michael@stroeder.com> writes:
> But if the password checking is done with a challenge-response
> mechanism (e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's
> required that the instance checking the password has the clear-text
> password available. So reversible encryption for storing passwords
> might be required.

If you're trying to authenticate network logins using passwords, and
if you have control over both ends of the protocol but for some reason
don't want to use a full-blown encryption scheme, it's far better to
authenticate with something like SRP (http://srp.st...) than a
more primitive method like HTTP digest auth. SRP doesn't require
storing plaintext passwords, and more importantly, it protects the
password from offline dictionary searches by someone sniffing the
network connection.

There is a Python SRP implementation embedded in TLSLite
(www.trevp.com/tlslite) but it might be nice to extract or reimplement
the SRP code so that it can be used separately from TLS.