Created
November 4, 2015 00:05
-
-
Save jamesmunns/1198e5340154db433f36 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import bcrypt as bc | |
import simplecrypt as sc | |
# Assume a SQL database, with two tables: | |
# "User" - contains username, password hash, website settings | |
# "Data" - contains data related to all users. Not sensitive (CC#'s, SSN#'s, Addresses), | |
# but some kind of metric data users may not want publicly associated with them | |
# such as bookmarks, favorite foods, shoe size, etc. | |
# | |
# Instead of encrypting ALL user data, which would be slow and defeat the purpose of | |
# using a relational database, we just make the user<->data association impossible | |
# without input from the user (password). We want to keep the user password for the | |
# minimum time possible in memory. Data should never be relatable back to the user. | |
# Server Secret Key | |
ssc = "FooBarEnCrypt" | |
print "Server secret key is <<<{}>>>".format(ssc) | |
# Get user key. Would be done during user signup | |
print "Please enter a sample password: " | |
pw = raw_input("> ") | |
print "Password is <<<{}>>>".format(pw) | |
# This is saved to the database as a hash for use with login | |
hashwsalt = bc.hashpw(pw, bc.gensalt()) | |
print "Hash <<<{}>>> stored in database".format(hashwsalt) | |
# This value will be used as a reference whenever the user adds a data row | |
# to the database. It is NOT kept in the user table (with the password hash) | |
# This uses the original salt from the user's hash, but does not store the | |
# salt in the 'data' table. | |
dbref = bc.hashpw(pw + hashwsalt, hashwsalt) | |
print "Database key with salt <<<{}>>>".format(dbref) | |
dbref = dbref[7+22:] | |
print "Database key actually used <<<{}>>>".format(dbref) | |
# This is for sending the database reference to the user, for session persistence | |
# User (or intruder) would need the user password, the original salt, and the | |
# server secret key to map the user to the data | |
cookie = sc.encrypt(ssc, dbref) | |
print "Cookie sent to user: <<<{}>>>".format(cookie) | |
# The user sends back the cookie, we decrypt it. Since we know the user requesting | |
# the data, this dbref will lead us to their data | |
dcookie = sc.decrypt(ssc, cookie) | |
print "User sends back the cookie, <<<{}>>> used to get userdata".format(dcookie) |
Author
jamesmunns
commented
Nov 4, 2015
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment