I need to set key on my program, which would be an exe file. I want to see:
User clicks on exe file then program requers key, user paste the key and key never asks again. User can't send this acivated exe to other users also other users can't use this key again.
or suggest better idea.
p. c. exe file is console app
You can for instance use the platform module to (almost) uniquely identify a machine. They key can then be the sha256 hexdigest of this identifier viewed as a string, like this:
import hashlib
import platform
# Only an example, you can add whatever you want provided by the platform module to identify the machine
identifier = platform.platform()
key = hashlib.sha256(identifier.encode()).hexdigest()
Pros:
Can't be shared
Isn't reusable
Cons:
Doesn't respect Kerchkoff's principle
Hence, it means that your system is secure as long as the user does not know how to compute the identifier by themselves.
You can ellaborate on this model, using maybe a server of your own. For instance, you can compute a key on your server using the identifier you computed and a secret string.
Pros:
You don't have to store a random key for each user, you just need to have access to its identifier
Cons:
If your identifier isn't accurate enough, two users may have the same key
To solve this problem, you can define a random string for each user that you append to their identifier, but it means that you have to store this random string for each user.
Note also that the last two solutions make use of an external server. Hence, you assume that you will be able to do network requests.
Related
I am making a Django project that will be hosted locally in different environments.
I want users to be able to login by just entering a six-digit PIN on a touch screen or keyboard instead of having to type out a lengthy username/password.
I need to store a PIN for users in the DB. I want the PIN to be hashed or encrypted in some way so that it is not visible in the database. The PIN (and therefore its hash) must be unique but it also must be converted to the same value each time. For instance, every time 123456 is entered it needs to be converted to "jhs8d67RandomString34kds" so that no two users can save the same PIN as the DB column will be unique.
I need to know how to change a user-entered integer and hash it to save in the database.
Then I need to know how to compare it when a user enters the PIN.
I really need some examples on how to implement this and not a lesson in telling me why this is "insecure" or won't work.
Any ideas would be greatly appreciated.
Hashing something doesn't make it secure
All hash function have clashes, the only difference is the probability
Integers have hash function implemented, just use that
Note that for security reasons hashing for strings in randomized in each python process. so those hashes cannot be used for persistent data
You can use module-hashlib:
import hashlib
pincode = "123456"
hashlib.md5(pincode).hexdigest()
'e10adc3949ba59abbe56e057f20f883e'
And the to compare you can do the same:
if hashlib.md5(pincode).hexdigest() == 'e10adc3949ba59abbe56e057f20f883e':
you code here
...
Or use hashlib.pbkdf2_hmac with salt:
hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None)
import hashlib
dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
dk.hex()
'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
I want to create unique string ids that will be used in a user management system. I want each user to have a string that allows them to access their own database on a server. I read here that you can use the secrets module to create random strings, but since I don't know anything about user management I'm not sure whether to trust the pseudo-random numbers that lie behind the secrets package.
Question: Is it safe to generate a string for each user like this
secrets.token_hex(nbytes = 50)
Out[8]: '24d72775ae86151c600b6a64cef7191e2a55271615894a0ad3b05671978add68a16ad2beb66fa87e66ccdcc442ef4e57e9a4'
and let them use that string to identify themselves to enter the database on my server? Is there a better way that is as quick?
I am writing a Python script that will manage multiple Oracle databases on a single box. Each database has its own OracleService, but they all run under one TNSListener. Because each computer's install might name things differently I want to make this as dynamic as possible.
First, I need to start the TNSListener service. Most of these are on local laptops that only start the listener when we are going to use an Oracle database. In addition, some laptops run different versions of Oracle so the actual service name is different. For this I need to be able to find the full service name or names that contains the string 'TNSListener'.
Second, all of the OracleService names will be appended by the instance name (i.e., OracleServiceTESTING1). So I need to get a list of all the OracleServices on the machine and then display a selection of the instances based on the appended portion of the service names.
I thought about accessing the registry and trying to pull services from there, but the overhead to parse through that seems excessive. I'm just looking for some general guidance on how to find all services that match the string 'TNSListener' and 'OracleService'.
I would recommend a library like pywinservicemanager. A short code example to check if a particular service exists would look like this:
from pywinservicemanager.WindowsServiceConfigurationManager import ServiceExists
serviceName = 'TestService'
serviceExists = ServiceExists(serviceName)
print serviceExists
I want to code a custom key generator in Python. This key will be used as an input (along with the plain text) to AES algorithm for encryption (I will probably use pycrypto or m2crypto libraries for that).
But the key generator has to be custom, as it would generate the key based on the string that would be supplied by the user.
str = date + case-id + name
where:
date = current date when a case was submitted
(we work on separate security analysis cases, submitted on our ticketing tool)
name = person handling the case
case-id = the ticket id with which it was submitted.
This same key needs to be known to the decryptor (on a different system) so that it can decrypt the data.
So the key will have to be fixed for a specific set of date name and case-id for a specific order and will only be different if any of these 3 change in value or order and should not be random every time.
I've gone through some of stackoverflow articles, where it is suggested to use
random_key = os.urandom(16)
but I don't believe this will serve my purpose.
Suggestion on some articles where to start with if I want to design a key generator from scratch, or some pointers on existing libraries will be highly appreciated.
You're looking for a Password hashing algorithm, such as Argon2 or PBKDF2. It will allow you to deterministically extend the 'password' generated from the input values into a suitable key.
However, note that your passwords may still be very weak. I suspect that there is a strong correlation between case-id and date. Names are probably only a small list of people easily found out. Also, isn't this data sent along with the encrypted data by your system? This makes using it as a password a bad idea.
I am trying to modify a python based-authenticator for murmur (voip software) to work with my ldap tree.
The LDAP authenticator is available at:
http://www.winex.org/linux/zealot/src/mumble-scripts/Authenticators/LDAP/LDAPauth.py
It works, but not quite with my ldap layout, so I have to modify it a bit. I know an approach that could work, but unfortunately I have no more knowledge about python than what I learned from google (I have some other programming expertise though).
My ldap layout looks like this:
charName=xxx, ou=people, dc=xxx, dc=com
Under this there are attributes stored such as userPassword and login among others.
The python script above is tailored to use a ldap bind to authenticate. In this case I would have to bind as "charName=logindatafromapp, ou=people, dc=xxx, dc=com". Unfortunately people don't log in with "charName" but with "login" which is an attribute, but isn't identical with "charName".
I do not know a way to bind to an attribute, so here is my idea:
I first bind as ldap admin and perform a search over all entries for "logindatafromapp" and match that value against "login". If a match is found I grab the matching "charName" and re-bind with that charName as originally intended.
I am currently stuck on querying the "charName" value and at assigning that value to a variable, so i could use it in a second ldap bind (google didn't really help me).
Here is my code:
ldap_conn = ldap.initialize(ldap_uri, 0)
ldap_conn.bind_s("cn=admin,dc=xxxxxxxx,dc=com","pass")
res = ldap_conn.search_s('ou=people,dc=xxxxxx,dc=com', ldap.SCOPE_ONELEVEL,'login=trony',['charName'])
print(res)
It then prints "[('charName=Trony,ou=people,dc=xxxxxxx,dc=com', {'charName': ['Trony']})]".
(the "login=trony") is a temporary filter that I would have to replace with the applogin var. My problem is now how can I assign "Trony" (in this case) to a variable? The output seems to be a special struct?
'Trony' is in
res[0][1]['charName'][0]
You take the first element of the list — it's a tuple; then the first element of the tuple; it's a dictionary; then value of the dictionary for the key 'charName'; it's a list once again; and then the first element of the list.
There are at least two alternatives:
Use the method you describe to search for the entry using the information you have, in this case the value of the login attribute as entered by the user and then using the DN that was found in a simple or SASL bind or
Use SASL with identity mapping to map the authId (the value of the login attribute) in such a way that a SASL bind will succeed where only the value of the login attribute is known
The first method requires a search and then a bind, the second might require that user entries have reversible passwords (AES is a good encryption scheme for that purpose) depending on the SASL mechanism that is chosen. Using SASL with the DIGEST-MD5 mechanism would provide a way to map identities as described (all professional-quality LDAP servers support such a mapping mechanism) and would obviate the need to send a password in the clear over a network, but has the disadvantage of not being as secure as using simple bind where the password is stored as a salted SHA-2 digest. Although DIGEST-MD5 should not be used because it requires reversible passwords and thus is not as secure as using the strong SHA-2 (with salt) it is available for applications that require it.