First, my question is not about password hashing, but password encryption. I'm building a desktop application that needs to authentificate the user to a third party service. To speed up the login process, I want to give the user the option to save his credentials. Since I need the password to authentificate him to the service, it can't be hashed.
I thought of using the pyCrypto module and its Blowfish or AES implementation to encrypt the credentials. The problem is where to store the key. I know some applications store the key directly in the source code, but since I am coding an open source application, this doesn't seem like a very efficient solution.
So I was wondering how, on Linux, you would implement user specific or system specific keys to increase password storing security.
If you have a better solution to this problem than using pyCrypto and system/user specific keys, don't hesitate to share it. As I said before, hashing is not a solution and I know password encryption is vulnerable, but I want to give the option to the user. Using Gnome-Keyring is not an option either, since a lot of people (including myself) don't use it.
Encrypting the passwords doesn't really buy you a whole lot more protection than storing in plaintext. Anyone capable of accessing the database probably also has full access to your webserver machines.
However, if the loss of security is acceptable, and you really need this, I'd generate a new keyfile (from a good source of random data) as part of the installation process and use this. Obviously store this key as securely as possible (locked down file permissions etc). Using a single key embedded in the source is not a good idea - there's no reason why seperate installations should have the same keys.
Try using PAM. You can make a module that automatically un-encrypts the key when the user logs in. This is internally how GNOME-Keyring works (if possible). You can even write PAM modules in Python with pam_python.
Password Safe is designed by Bruce Schneier and open source. It's for Windows, but you should be able to see what they are doing and possibly reuse it.
http://www.schneier.com/passsafe.html
http://passwordsafe.sourceforge.net/
Read this: If you type A-E-S into your code, you're doing it wrong.
Related
I am writing a program in python for a school project and one of its features is that it can send emails out.
However, in order to send an email from the program, you must login to the email account meaning my password for that account is contained within a variable in the program.
Because this is for a school project, I will have to send this to people I am working with and they'll be able to read the code but I don't really want my password being openly left in a variable for them to see.
Is there any way to hide it or encrypt it so that other people can't see it?
Unfortunately, the answer is no.
This is a big security issue and a very common way for people to have programs "hacked" (they post some code on a public repository with an API key or password in it, and people can take that and do what they want with it).
Here are the most common solutions to this problem:
Use a server. This probably isn't very viable for you since it's for a school project, but in larger project, we'd typically send a request to our server (which knows the password), and it would send it form there. Code on a server (if protected correctly) is considered moderately safe. Even still, it would be very bad design to put the password in the code. Since the end user won't see the server's code, they won't be able to get that password. Note that this is an oversimplification and there's more to securing a server than just what I've mentioned.
Use environment variables. Environment variables can be set in your terminal and store the information on your own computer, not in the program. However, for it to work, each user would need to set their environment variables in their own terminal, and if you're trying to share an account, this is not the way to go because then you'd have to give them the password anyways. This is a good article that discusses environment variables and how to set them. In python, you can get the variable using the os module (os.environ["ENV_VARIABLE_NAME"]).
A general rule of thumb is never ever put anything in your source code (for the client side) that you wouldn't want the whole world seeing. It is possible to get this information out of the code and can cause big issues down the road.
Let me know if you have any other questions!
I have a script A that needs to perform authentication on my professional email. Right now, I put that data in a python dict() in a script B that is imported into script A at runtime in an unencrypted form. The script B is not under version control.
This is only for a personal project, so I don't need to have very reusable code, but the authentication in question yields access to critical data.
Is importing unencrypted data at runtime as described in this answer secure?
No, not really.
Two notable issues.
First, if the attacker has access to your main source, finding the authentication information is quite straightforward.
Second, should someone stumble across the B file, there's your credentials laid out in plain sight.
Dealing with this is a key management problem, since what you want to do is encrypt the authentication information, but then you need a key, and you're back to square one. It's an intractable problem.
The game is burying the key.
The simplest solution is to simply prompt for the key (or the credentials) at startup, and not store it anywhere save in memory.
Or you can do a simple encryption of the credentials, store the key in a file, and read it in. This will defeat casual snooping (someone just looking at files), but nobody else.
So, it depends on what you feel your threat profile really is.
I am making a Django application and I am running into an issue. I know Python is interpreted and it would be impossible to completely fight against piracy, however I want to implement some sort of security/licensing feature for my application.
I thought I would post the question because I can't find much information about this online. I'm not sure if I should create some sort of installer which downloads files from a server depending on if a key is valid or not and installs them onto a users host, or if I should encrypt the files upon sending and decrypt them with a key.
If anybody has any pointers or if anybody has faced this before I'd love to hear!
This is very late. but I have implemented license validation through python java bridge. I am generating tokens at the device level. and put a valid key according to that token so that it doesn't work on another device. and I have disabled the main feature for an invalid license key. and also compiled source code in deployment. however, it is not difficult to decompile code but at least we can prevent a normal user.
I am writing a Python code and it is requisite to include a password of one of my online account. I want to cover it in some way as keeping its functionality in the code. Is there nay way to masquerade this kind of credential information as keeping its use in the source code?
I would recommend two levels to secure passwords. 1 encrypt, 2, protect the key used for encrypting in key store.
Details- Encrypt the password using aes 256 or similar based on the risk. Key used for encrypting should be in key store and you can hard code the key store password.
You can also choose number of levels based on risk, usually at least two is recommended.
You should tell us what kind of protection you want. Do you want to make everybody able to execute you script without knowing the password? Do you want to be the only able to execute you script but you want to protect the password from people who can read the source? There may be different solution.
However every solution will require you to insert another password to get access to the stored password. So I think that the best solution would be not to save the password in the source at all.
What I want to do is protect a Python program from being stolen by people with no computer knowledge. I accept the inevitability of the program being pirated, all I want to do is protect it from average users.
I have come up with two ideas.
1.)Set a time restriction by checking online for the date and time. I.E. 10 days from downloaded time.
2.)Checking the IP or Name of the computer that downloaded it and make the program only runs on that computer. (to prevent friends from simply sharing the file).
The problem with both of these is that I'll need to create a .py file "on the fly" and then use something like pytoexe to make it into an .exe so that the user doesn't need to have Python installed.
The problem with the second is that to my understanding ip's change and getting the computer name is a security risk and might scare away users.
So to sum it up, here are my two questions:
1.) Is there a good way in python to only allow the program to run on that single computer?
2.) What is the best way to implement a "on the fly" creation of the exe? (I was going to host the website on my computer and learn php(?)/servers.
I have moderate c/c++ and basic html/css, java, and python experience.
Thank you for your time!
Messy business. You probably already understand that compiled does not mean encrypted.
However, if you're boss considers c-compiled as satisfactory, you can use cython to compile your python code to c-code and then gcc to compile the c-code.
Check here on how to build your setup.py script.
http://docs.cython.org/src/reference/compilation.html#compiling-with-distutils
And you can embed python using into the resulting c code using the --embed option:
# will generate the target.c
$ cython target.py --embed
Give each user a customized installer that has a unique key in it. When it runs, it contacts a server (with the key) and requests the actual program. Server-side, you check if the key is valid and if so, serve the program customized with the key, and mark the key as used. The installer saves the program somewhere the user can access it, and creates a hidden file that contains the key somewhere deep in the bowels of the computer, where the "average user" won't think of looking. When the program is run, the first thing it does is check if the hidden file exists and if it contains the correct key, and refuses to run if not.
(I am assuming that unzipping an executable and reading source code is beyond the ability of the "average user" (read: "grandma"), so using py2exe is ok.)
To avoid having to contact anything on the Internet, you could use the following way to 'dongle' your program:
Take a vital part of your program (something without which the rest won't be useful),
put it into a string,
encrypt that string symmetrically with the MAC address of the computer it shall run on,
then in your program do this:
decrypt that string with the MAC address of the current machine it runs on an and
call that decrypted string using exec.
Example with the vital part being print "hello world":
def getMyMac():
return 123456789L # for testing now
return uuid.getnode() # this would be the real thing
def strxor(s, key):
key *= len(s) / len(key) + 1
return ''.join(chr(ord(key[i]) ^ ord(s[i])) for i in range(len(s)))
def performVitalCode():
code = 'A#ZZA\x16\x15P\\]^\\\x14BYET]\x13'
# I found that code by entering:
# strxor('print "hello world"', str(getMyMac()))
realCode = strxor(code, str(getMyMac()))
exec realCode
I here used a simple xor on strings for crypting (which is not a hard cypher to crack).
Of course the user of the "allowed" computer can hand over his MAC address to the next user which then
either can patch the getMyMac() or
spoof his own MAC address; most network cards allow this.
So this is not a "safe" solution to your problem.
But if a person with just little computer knowledge gave your code to some other guy without any further information (maybe by putting it online in a forum or similar), the receiver won't be able to execute it out of the box.
Finally I need to point out that every chaining of code to a specific computer may well become a hassle for the rightful user of the code. If I'm using a program which stops working just because I switch to a different hardware (maybe just because I get a new laptop), I'm usually pissed and curse the writer of that code. You might not want to annoy your customers.
Seems like a combination of things here. Encapsulating python as others have suggested is a good way to go, for bundling. You may also consider obfuscation, as talked about here in another StackOverflow thread:
Python Code Obfuscation
Which references:
http://freecode.com/projects/pyobfuscate
As for making it so that someone can't just download your program and run it elsewhere or distribute it, how willing are you to inconvenience your end users? :)
As others have noted above, you can generate a compiled and bundled bit of code with the ID specific to the user. That way, if/when the application phones home, you can track usage.
If your end users/customers have the following requirements fulfilled:
An account with you, which they can login and check their subscription/account status
Internet connectivity from the machine running the program
You can make the installation process do the following:
Installer is NOT the full program. Generates a profile of the machine.
This profile bundled up and a hash is generated. Both are uploaded to your servers.
The hash is displayed to the end user to enter, once they have signed into their online web account.
The user installing the application submits the hash, and gets a download link and an unlock key. The key is only good for that dynamically generated download and only on that machine. The downloaded program, however, will accept a range of keys unique to itself(iteratively generated, etc).
The user can then complete the install and run their program. The program will periodically check the profile of the machine it is on, to make sure that the hash does not deviate. If it does, the program can prompt them to login to their web account to generate a new key. The new key is then used to refresh their application. This can be automated by the application, but with the internet laws and such, having the user sign into their account and perhaps agree to any updates to the EULA, would be better.
If they decide to share the program in a VM bundle, they would still need an active account to get keys.
Note, this does not prevent someone from bypassing the hash check. But for the average user, this will serve as a good way for you to deter people giving away or reselling your program.
Just bear in mind, no system is foolproof.