Re: Let's share some useful Python code
If I do add code to auto generate a key, as long as it's not anything more than user convenience, how would I make sure the right person is decrypting the key?
Internet access, just, isn't reliable. You may have none, or you may be so filtered that you can't even access a service (unlikely) or it could take for ever and everyone might think that you're program is really slow and then you must deal with HTTP libs, and all that fun stuff.
Maybe, just a silly idea maybe, you should do things multithreaded? And throw the key around? Or do something so that if one process pauses the others will wipe the key and die?
First: "If I do add code to auto generate a key, as long as it's not anything more than user convenience, how would I make sure the right person is decrypting the key?" You don't. That's the answer. You cannot determine who is decrypting your file and who is not without adding in internal tracking and all of that, and you'd need a remote service, and even that wouldn't be reliable. If you want that kind of control, you'll need something far more complex than simply encryption, something like ED DSA signing.
Second: "Internet access, just, isn't reliable. You may have none, or you may be so filtered that you can't even access a service (unlikely) or it could take for ever and everyone might think that you're program is really slow and then you must deal with HTTP libs, and all that fun stuff." This is not true. AWS, for example, is well known for being very fast and responsive (does the fact that governments rely on AWS tell you something?). Furthermore, AWS has a Python SDK to interact with their APIs. They've got SDKs in many languages, in fact, that take care of the complex plumming for you. Its called botocore and boto3. Both of which you'll need. I'll provide an example after I'm done with this part. Plus, HTTP requests that involve small things such as retrieving crypto keys usually only take a few seconds, if not less than that.
Third: "Maybe, just a silly idea maybe, you should do things multithreaded? And throw the key around? Or do something so that if one process pauses the others will wipe the key and die?" No. Just no. Not unless you want to master IPC and (somehow) securely pass the key between threads without causing data races, deadlocks, and so on. GCM is already parallelized -- there is absolutely no need, whatsoever, for you to attempt to parallelize it any more than it already is. Keep in mind that the more threads and/or processes that access sensitive data like crypto keys, the less secure the overall process environment is, purely because you are passing that sensitive data all over the place. That leaves traces everywhere, and for a language like Python... yeah, not a good idea.
Now, for a sample of AWS SDKs...
import boto3
import botocore
kms_client = boto3.Session(aws_access_key_id="key_id", aws_secret_access_key="access_key", region_name="region").client("kms")
# get a data key. Requires you to create a customer master key (CMK)
# either through the AWS console or through the API.
data_key = kms_client.generate_data_key(KeyId="key_id", NumberOfBytes=32)
assert len(data_key["Plaintext"])==32
# Get us a random nonce
nonce = kms_client.generate_random(NumberOfBytes=24)["Plaintext"]
assert len(nonce)==24
# replace write() with your actual file IO routines
write(nonce, 24)
write(data_key["CiphertextBlob"], len(data_key["CiphertextBlob"]))
# read data...-- Audiogames-reflector mailing list Audiogames-reflector@sabahattin-gucukoglu.com https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
