How can I use bcrypt/scrypt on appengine for Python? - python

I want make an authentication system for my app along the lines of SUAS, except instead of using SHA256 for hashing passwords I'd like to use bcrypt or scrypt. Unfortunately both py-bcrypt and scrypt for python use native c, which is unsupported by GAE.
Any way around this?

Scrypt and BCrypt are both extremely processor-intensive (by design). Because of this, I very much doubt any pure-python implementation is going to be fast enough to be secure - that is, be able to hash using a sufficient number of rounds within a reasonable amount of time.
I can personally attest to this, I've tried writing a pure-python BCrypt, and it was way too slow to be useful. The docs for the pure-python bcrypt implementation mentioned in another answer note this exact flaw - to beware of using it for actual security, it's rounds must be set too low. The only time such implementations will be fast enough is under pypy, which is not the situation you're faced with.
What you want to go with is something based on an available hash primitive like SHA-2. That way the heavy calculation bit will still be able to be written in C, even under GAE. I'd recommend something based on PBKDF2 or SHA-512-Crypt (note: this is not just a plain sha512 hash). The security of the algorithms is just as good, but pure-python implementations will be much more efficient, since they can leverage hashlib to do the heavy lifting.
The Passlib library might be useful in this case, it contains implementations of PBKDF2 and SHA-512-Crypt in pure python. (Disclaimer: I'm the author of that library). Another Python library with PBKDF2 support is Cryptacular.

This guy ported py-bcrypt to pure python so you can use it on GAE:
https://github.com/erlichmen/py-bcrypt

Related

Why does bcrypt need C++ and Python?

I've noticed that the node.js Javascript package for bcrypt requires lots of non-Javascript libraries - C++, Python 2.7, etc.
Why is this necessary? Is there something special about encryption that requires non-Javascript languages?
A algorithm like bcrypt never depends on a specific language. All general-purpose-langauges like C, Java, Pyton, JS, PHP etc.etc. can be sued to implement such algorithms.
Why they chose to use eg. C instead of just JS is likely because, at least with the currently available tools (compiler, interpreter etc.), C programs are much faster than JS. Encrypting large data sets shouldn't be unnecessary slow.

access numpy array from a functional language

My primary language is Python. Often when I need to do some cpu heavy task on a numpy array I use scipy.weave.inline to hook up c++ with great results.
I suspect many of the algorithms (machine learning stuff) can however be written simpler in a functional language (scheme, haskell...).
I was thinking. Is it possible to access numpy array data (read and write) from a functional language instead of having to use c++?
You might have a look at using a shared-memory array of some sort. This implementation would probably be a good place to start: https://bitbucket.org/cleemesser/numpy-sharedmem/src
This implementation is intended to be shared between python processes, but it's using named shared memory to do it, so you should be able to access the relevant chunk of memory from any other process.
I'm not familiar enough with haskell to give you any advice on that side, but I assume you can use a pointer to a shared memory buffer as an array of some sort in haskell...
There's no single standard way to call Haskell from Python at the moment. There are certainly ways to call haskell from C, which means there's no obstacle in principle to calling Haskell -- the work simply hasn't been done to make this particularly easy.
On the other hand, if your data structures aren't themselves enormous, serializing them to a Haskell program (either via the command line, or using, a client-server model with e.g. thrift) is very straightforward, and if the computation cost is what sufficiently dominates, the cost may be minimal.
Finally, it is very easy to call Python from Haskell! The classic package for this is missingpy: http://hackage.haskell.org/package/MissingPy
There's also a newer package called cpython which attempts to be more comprehensive: http://hackage.haskell.org/package/cpython
Conceptually, it shouldn't be very hard, I imagine, to host your Python app in Haskell rather than the other way around.
In case you have no requirements on the platform to use, you might take a look at the Numpy implementation for .NET and IronPython running on CLI. With this you'll be able to use F# as a functional language for instance. Some details to Numpy and Scipy on .NET are here and a list of CLI languages.
I can't imagine trying to use numpy through haskell or scheme will be easier than just writing functional python. Try using itertools and functools if you want a more functional flavored python.

Most Secure Encryption algorithm

I have been given this hypothetical problem:
"Osama returns from the dead and wants revenge. He now wants to communicate with his sleeper cells around the world and plan an attack. But he has to make sure know one else gets it and hence, will like to send it in an encrypted form. He's recruited you for the job. Design a system with encryption and decryption modules for the text message."
I am currently considering following scheme for encryption/decryption:
Now I want to know about the best PKC and SKC and Hash function for implementing above scheme.I did a bit of research over net on best algorithm and narrowed my algorithm choices to following:
Hash:MD5
PKC:RSA or Diffie-Hellman
SKC:DSA
Can you please suggest if there is something that I am missing or any better/new algorithem available.
I am planning to implement this in python.
EDIT:
After reading replies I think I should go with followings:
Hash:SHA-2
PKC:ECC
SKC:AES
Any advice on python library that will provide these algorithm.
The short answer is: it cannot be secure if you do it yourself.
Cryptography provides some basic tools, such as symmetric encryption or digital signatures. Assembling those tools into a communication protocol is devilishly difficult, and when I invoke the name of the Devil I mean it: it looks easy, but there are many details, and it is known that the Devil hides in the details.
Your problem here is akin to "secure emailing", and there are two main protocols for that: OpenPGP and CMS (as used in S/MIME). Look them up: you will see that the solution to your problem is not easy. For the implementation, just use an existing library, e.g. M2Crypto.
MD5 has been known to have weaknesses since 1996, and is considered to be utterly broken since 2004. You should try to get some more up-to-date sources.
If you really want "better" algorithms:
Hash: any of SHA-2 family (sha-224/256/384/512)
PKC: ECC (Elliptic Curve Cryptography)
Other related info: Elliptic curve Diffie–Hellman, Elliptic Curve DSA
Also read Applied Cryptography and other books by Bruce Schneier
For your SKC, AES is a more modern standard than DSA, though DSA isn't broken in the same way that MD5 is.
Strictly speaking, the question does not require sender authentication or nonrepudiation, so the digital signature is not necessary either.
Alot of asymmetric cryptography is vulnerable to quantum cryptography. If you're Osama your're going up against the NSA and it's a safe bet they've got a quantum computer sitting around somewhere.
The only system that is able to provide perfect secrecy is the One Time Pad and it is this reason that satalites use use it.
It is essentially a chunk of random data that you XOR a message with to produce a ciphertext with and XOR with the key key again to produce the plaintext.
**Pros:**Eliptic
Perfect secrecy
Cons:
Key is the length of the message.
Unable to re-use a key without revealing the plaintext of both messages
Use a fallback of AES in feedback mode to encrypt your messageselliptic curve crypto for document signing and HMAC to ensure message integrity.
Pycrypto is a python library with everything you would need to implement this yourself.

Performance of Python worth the cost?

I'm looking at implementing a fuzzy logic controller based on either PyFuzzy (Python) or FFLL (C++) libraries.
I'd prefer to work with python but am unsure if the performance will be acceptable in the embedded environment it will work in (either ARM or embedded x86 proc both ~64Mbs of RAM).
The main concern is that response times are as fast as possible (an update rate of 5hz+ would be ideal >2Hz is required). The system would be reading from multiple (probably 5) sensors from an RS232 port and provide 2/3 outputs based on the results of the fuzzy evaluation.
Should I be concerned that Python will be too slow for this task?
In general, you shouldn't obsess over performance until you've actually seen it become a problem. Since we don't know the details of your app, we can't say how it'd perform if implemented in Python. And since you haven't implemented it yet, neither can you.
Implement the version you're most comfortable with, and can implement fastest, first. Then benchmark it. And if it is too slow, you have three options which should be done in order:
First, optimize your Python code
If that's not enough, write the most performance-critical functions in C/C++, and call that from your Python code
And finally, if you really need top performance, you might have to rewrite the whole thing in C++. But then at least you'll have a working prototype in Python, and you'll have a much clearer idea of how it should be implemented. You'll know what pitfalls to avoid, and you'll have an already correct implementation to test against and compare results to.
Python is very slow at handling large amounts of non-string data. For some operations, you may see that it is 1000 times slower than C/C++, so yes, you should investigate into this and do necessary benchmarks before you make time-critical algorithms in Python.
However, you can extend python with modules in C/C++ code, so that time-critical things are fast, while still being able to use python for the main code.
Make it work, then make it work fast.
If most of your runtime is spent in C libraries, the language you use to call these libraries isn't important. What language are your time-eating libraries written in ?
From your description, speed should not be much of a concern (and you can use C, cython, whatever you want to make it faster), but memory would be. For environments with 64 Mb max (where the OS and all should fit as well, right ?), I think there is a good chance that python may not be the right tool for target deployment.
If you have non trivial logic to handle, I would still prototype in python, though.
I never really measured the performance of pyfuzzy's examples, but as the new version 0.1.0 can read FCL files as FFLL does. Just describe your fuzzy system in this format, write some wrappers, and check the performance of both variants.
For reading FCL with pyfuzzy you need the antlr python runtime, but after reading you should be able to pickle the read object, so you don't need the antlr overhead on the target.

What's a good two-way encryption library implemented in Python?

The authentication system for an application we're using right now uses a two-way hash that's basically little more than a glorified caesar cypher. Without going into too much detail about what's going on with it, I'd like to replace it with a more secure encryption algorithm (and it needs to be done server-side). Unfortunately, it needs to be two-way and the algorithms in hashlib are all one-way.
What are some good encryption libraries that will include algorithms for this kind of thing?
I assume you want an encryption algorithm, not a hash. The PyCrypto library offers a pretty wide range of options. It's in the middle of moving over to a new maintainer, so the docs are a little disorganized, but this is roughly where you want to start looking. I usually use AES for stuff like this.
If it's two-way, it's not really a "hash". It's encryption (and from the sounds of things this is really more of a 'salt' or 'cypher', not real encryption.) A hash is one-way by definition. So rather than something like MD5 or SHA1 you need to look for something more like PGP.
Secondly, can you explain the reasoning behind the 2-way requirement? That's not generally considered good practice for authentication systems any more.
PyCrypto supports AES, DES, IDEA, RSA, ElGamal, etc.
I've found the documentation here.

Categories

Resources