Re: Encryption Recommendation

2008-01-29 Thread Michael Ströder
Diez B. Roggisch wrote:
 [EMAIL PROTECTED] wrote:
 
 I'm still using Python 2.4.  In my code, I want to encrypt a password
 and at another point decrypt it.  What is the standard way of doing
 encryption in python?  Is it the Pycrypto module?
 
 Usually, one doesn't store clear-text passwords. Instead, use a
 hash-algorithm like md5 or crypt (the former is in the standard lib, don't
 know of the other out of my head) and hash the password, and store that
 hash.
 
 If a user enters the password, use the same algorithm, and compare the
 resulting hashes with the stored one.

And don't forget to add a salt so that same passwords do not have the 
same hash.

But if the password checking is done with a challenge-response mechanism 
(e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's required that the 
instance checking the password has the clear-text password available. So 
reversible encryption for storing passwords might be required.

Ciao, Michael.
-- 
http://mail.python.org/mailman/listinfo/python-list
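
The challenge-response point in the message above, as an added illustration that is not part of the original post (Python 3 standard library): an HTTP Digest check per RFC 2617 with qop=auth, where the verifier recomputes the response from a secret it must be able to recover. The field values are the RFC 2617 example request; `SERVER_PASSWORDS` and `server_check` are hypothetical names.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))  # needs the password
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))

# Hypothetical server-side store. It has to be recoverable: a salted one-way
# hash of the password could not be fed into digest_response().
SERVER_PASSWORDS = {"Mufasa": "Circle Of Life"}

# Authorization header fields as sent by the client (RFC 2617 example values).
SAMPLE_REQUEST = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

def server_check(req, store=SERVER_PASSWORDS):
    """Recompute the response from the stored password and compare.

    A real server would also confirm that the nonce is one it issued.
    """
    password = store.get(req["username"])
    if password is None:
        return False
    expected = digest_response(req["username"], req["realm"], password,
                               req["method"], req["uri"], req["nonce"],
                               req["nc"], req["cnonce"])
    return hmac.compare_digest(expected, req["response"])

if __name__ == "__main__":
    print(server_check(SAMPLE_REQUEST))
```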


Re: Encryption Recommendation

2008-01-29 Thread Paul Rubin
Michael Ströder [EMAIL PROTECTED] writes:
 But if the password checking is done with a challenge-response
 mechanism (e.g. HTTP-Digest Auth or SASL with DIGEST-MD5) it's
 required that the instance checking the password has the clear-text
 password available. So reversible encryption for storing passwords
 might be required.

If you're trying to authenticate network logins using passwords, and
if you have control over both ends of the protocol but for some reason
don't want to use a full-blown encryption scheme, it's far better to
authenticate with something like SRP (http://srp.stanford.edu) than a
more primitive method like HTTP digest auth.  SRP doesn't require
storing plaintext passwords, and more importantly, it protects the
password from offline dictionary searches by someone sniffing the
network connection.  

There is a Python SRP implementation embedded in TLSLite
(www.trevp.com/tlslite) but it might be nice to extract or reimplement
the SRP code so that it can be used separately from TLS.


Re: Encryption Recommendation

2008-01-28 Thread Tim Chase
 Usually, one doesn't store clear-text passwords. Instead, use a
 hash-algorithm like md5 or crypt (the former is in the standard lib, don't
 know of the other out of my head) and hash the password, and store that
 hash.

Python offers md5, and SHA modules built-in.  (yay, python!)

   http://docs.python.org/lib/module-md5.html
   http://docs.python.org/lib/module-sha.html

It does also offer access to the crypt() function on Unix-like 
OS'es but not Win32:

   http://docs.python.org/lib/module-crypt.html

but it's based on DES which is no longer considered particularly 
secure.  From what I've seen, even MD5 is being phased out in 
favor of SHA.

 If a user enters the password, use the same algorithm, and compare the
 resulting hashes with the stored one.

Generally one adds a salt to the mix, a random piece of data 
that's stored with the password, so that if two users use the 
same password, the salt makes them appear like different 
passwords:

   import sha
   import string
   from random import choice

   SALT_CHAR_COUNT = 5
   # parentheses let the expression continue across lines
   salt_chars = (string.letters +
                 string.digits +
                 string.punctuation)

   def is_valid(username, password):
       # fetch the stored hex digest and salt for this user
       correct_hash, salt = get_hash_and_salt(username)
       test_hash = sha.new(salt + password).hexdigest()
       return test_hash == correct_hash

   def set_password(username, password):
       # fresh random salt for every password that is set
       salt = ''.join([choice(salt_chars)
                       for _ in xrange(SALT_CHAR_COUNT)])
       # store the hex digest, the form is_valid() compares against
       hash = sha.new(salt + password).hexdigest()
       save_user(username, salt, hash)

Implementing get_hash_and_salt() and save_user() (and perhaps 
tweaking the desired set of salt_chars) are left as an exercise 
to the reader, using whatever persistent storage mechanism suits.

-tkc


Re: Encryption Recommendation

2008-01-28 Thread Diez B. Roggisch
[EMAIL PROTECTED] wrote:

 Hello -
 
 I'm still using Python 2.4.  In my code, I want to encrypt a password
 and at another point decrypt it.  What is the standard way of doing
 encryption in python?  Is it the Pycrypto module?

Usually, one doesn't store clear-text passwords. Instead, use a
hash-algorithm like md5 or crypt (the former is in the standard lib, don't
know of the other out of my head) and hash the password, and store that
hash.

If a user enters the password, use the same algorithm, and compare the
resulting hashes with the stored one.

Diez


Re: Encryption Recommendation

2008-01-28 Thread Paul Rubin
Diez B. Roggisch [EMAIL PROTECTED] writes:
 Usually, one doesn't store clear-text passwords. Instead, use a
 hash-algorithm like md5 or crypt (the former is in the standard lib, don't
 know of the other out of my head) and hash the password, and store that
 hash.

Rather, use the HMAC module, with a secret key, to thwart dictionary
attacks against the hash.
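
The keyed-hash suggestion above combined with the per-user salt mentioned elsewhere in the thread, as an added example that is not part of the original post (Python 3 standard library). The function names, record layout and sample passwords are constructed for illustration, and the server key is assumed to be kept outside the user database.

```python
import hashlib
import hmac
import secrets

def make_record(password, server_key):
    """Return (salt, tag), the pair stored in the user database."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords, different tags
    tag = hmac.new(server_key, salt + password.encode("utf-8"),
                   hashlib.sha256).digest()
    return salt, tag

def verify(password, record, server_key):
    """Recompute the tag with the server key and compare in constant time."""
    salt, tag = record
    candidate = hmac.new(server_key, salt + password.encode("utf-8"),
                         hashlib.sha256).digest()
    return hmac.compare_digest(candidate, tag)

def plain_record(password):
    """Salted but unkeyed hash, kept here only for comparison."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()

def checkable_without_key(guess, record):
    """Can a holder of the stored record alone confirm a password guess?"""
    salt, stored = record
    trial = hashlib.sha256(salt + guess.encode("utf-8")).digest()
    return hmac.compare_digest(trial, stored)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; kept out of the database
    alice = make_record("correct horse", key)
    bob = make_record("correct horse", key)
    print("same password, different records:", alice != bob)
    print("login with right password:", verify("correct horse", alice, key))
    print("login with wrong password:", verify("battery staple", alice, key))
    # A copy of the database without the key:
    print("unkeyed record confirms a guess:",
          checkable_without_key("correct horse", plain_record("correct horse")))
    print("keyed record confirms a guess:",
          checkable_without_key("correct horse", alice))
```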



RE: Encryption Recommendation

2008-01-28 Thread Andreas Tawn
 I'm still using Python 2.4.  In my code, I want to encrypt a password
 and at another point decrypt it.  What is the standard way of doing
 encryption in python?  Is it the Pycrypto module?

Usually, one doesn't store clear-text passwords. Instead, use a
hash-algorithm like md5 or crypt (the former is in the standard lib, don't
know of the other out of my head) and hash the password, and store that
hash.

If a user enters the password, use the same algorithm, and compare the
resulting hashes with the stored one.


Have a look at the hashlib module. Should have everything you need.

There's a write up in a recent episode of Doug Hellmann's most excellent
Python Module of the Week.

http://blog.doughellmann.com/2008/01/pymotw-hashlib.html

Cheers,

Drea


Re: Encryption recommendation

2007-07-31 Thread Azazello
On Jul 31, 10:19 am, JS [EMAIL PROTECTED] wrote:
 Can someone help me find the proper way to do AES encryption/decryption
 using Python?

 Thanks!

I did a quick look around the internet and found this seemingly good
link AES in general. Might be a good start.

http://msdn.microsoft.com/msdnmag/issues/03/11/AES/#S4

Looks like you'll need some matrix manipulations modules, and
hopefully you'll be able to utilize Python's indexing and data
strengths to keep things simple!



Re: Encryption recommendation

2007-07-31 Thread Paul Rubin
JS [EMAIL PROTECTED] writes:
 Can someone help me find the proper way to do AES encryption/decryption 
 using Python?

http://google.com/search?q=AES+Python


Re: Encryption recommendation

2007-07-31 Thread Ricardo Aráoz
Azazello wrote:
 On Jul 31, 10:19 am, JS [EMAIL PROTECTED] wrote:
 Can someone help me find the proper way to do AES encryption/decryption
 using Python?

 Thanks!
 
 I did a quick look around the internet and found this seemingly good
 link AES in general. Might be a good start.
 
 http://msdn.microsoft.com/msdnmag/issues/03/11/AES/#S4
 
 Looks like you'll need some matrix manipulations modules, and
 hopefully you'll be able to utilize Python's indexing and data
 strengths to keep things simple!
 

Or you might use PyCrypto (http://python.codezoo.com/pub/component/5284)
which might be easier.





Re: Encryption recommendation

2007-07-31 Thread James Stroud
JS wrote:
 Can someone help me find the proper way to do AES encryption/decryption 
 using Python?
 
 Thanks! 
 
 

Use pycrypto. You can roll it into a standalone program for any major 
OS. See http://passerby.sf.net. Don't attempt to write your own AES 
implementation for production software.

-- 
James Stroud
UCLA-DOE Institute for Genomics and Proteomics
Box 951570
Los Angeles, CA 90095

http://www.jamesstroud.com/