Skip to content

Instantly share code, notes, and snippets.

@jamesmunns

jamesmunns/user_crypt_demo.py

Created November 4, 2015 00:05
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jamesmunns/1198e5340154db433f36 to your computer and use it in GitHub Desktop.
Save jamesmunns/1198e5340154db433f36 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
user_crypt_demo.py
import bcrypt as bc
import simplecrypt as sc
# Assume a SQL database, with two tables:
# "User" - contains username, password hash, website settings
# "Data" - contains data related to all users. Not sensitive (CC#'s, SSN#'s, Addresses),
# but some kind of metric data users may not want publicly associated with them
# such as bookmarks, favorite foods, shoe size, etc.
#
# Instead of encrypting ALL user data, which would be slow and defeat the purpose of
# using a relational database, we just make the user<->data association impossible
# without input from the user (password). We want to keep the user password for the
# minimum time possible in memory. Data should never be relatable back to the user.
# Server Secret Key
ssc = "FooBarEnCrypt"
print "Server secret key is <<<{}>>>".format(ssc)
# Get user key. Would be done during user signup
print "Please enter a sample password: "
pw = raw_input("> ")
print "Password is <<<{}>>>".format(pw)
# This is saved to the database as a hash for use with login
hashwsalt = bc.hashpw(pw, bc.gensalt())
print "Hash <<<{}>>> stored in database".format(hashwsalt)
# This value will be used as a reference whenever the user adds a data row
# to the database. It is NOT kept in the user table (with the password hash)
# This uses the original salt from the user's hash, but does not store the
# salt in the 'data' table.
dbref = bc.hashpw(pw + hashwsalt, hashwsalt)
print "Database key with salt <<<{}>>>".format(dbref)
dbref = dbref[7+22:]
print "Database key actually used <<<{}>>>".format(dbref)
# This is for sending the database reference to the user, for session persistence
# User (or intruder) would need the user password, the original salt, and the
# server secret key to map the user to the data
cookie = sc.encrypt(ssc, dbref)
print "Cookie sent to user: <<<{}>>>".format(cookie)
# The user sends back the cookie, we decrypt it. Since we know the user requesting
# the data, this dbref will lead us to their data
dcookie = sc.decrypt(ssc, cookie)
print "User sends back the cookie, <<<{}>>> used to get userdata".format(dcookie)
@jamesmunns
Copy link
Author 

Server secret key is <<<FooBarEnCrypt>>>

Please enter a sample password: 
> myfooisabar
Password is <<<myfooisabar>>>

Hash <<<$2b$12$ZDrL0zzU0w0WCQdBAG6.ZuOk5hcx1ZQr3.BXx0OxRuDr.i72.zVv.>>> stored in database

Database key with salt <<<$2b$12$ZDrL0zzU0w0WCQdBAG6.ZuStJpg5C.BWTJ0V0Sg8XrHOkecCKbyl6>>>
Database key actually used <<<StJpg5C.BWTJ0V0Sg8XrHOkecCKbyl6>>>

Cookie sent to user: <<<(gibberish binary data here)>>>

User sends back the cookie, <<<StJpg5C.BWTJ0V0Sg8XrHOkecCKbyl6>>> used to get userdata

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment