gholt / swauth

This is the historical location of Swauth; active development is now at https://github.com/openstack/swauth

More secure auth types #43

Closed michalskalski closed 9 years ago

michalskalski commented 11 years ago

Hi,

I added 2 new classes to store users keys as sha256 and sha512 hashes:

import hashlib
import hmac


class Sha256(object):
    """
    Provides a particular auth type (encoding format) for encoding and
    matching user keys.

    This class must be all lowercase except for the first character, which
    must be capitalized. encode and match methods must be provided and are
    the only ones that will be used by swauth.
    """
    # swauth assigns the global salt (its auth_type_salt option) to this
    # attribute; the empty default only keeps the class usable stand-alone.
    salt = ''

    def encode(self, key):
        """
        Encodes a user key into a particular format. The result of this method
        will be used by swauth for storing user credentials.

        :param key: User's secret key
        :returns: A string representing user credentials
        """
        # hashlib wants bytes: prepend the global salt, then encode.
        enc_key = ('%s%s' % (self.salt, key)).encode('utf-8')
        enc_val = hashlib.sha256(enc_key).hexdigest()
        return "sha256:%s" % enc_val

    def match(self, key, creds):
        """
        Checks whether the user-provided key matches the user's credentials

        :param key: User-supplied key
        :param creds: User's stored credentials
        :returns: True if the supplied key is valid, False otherwise
        """
        # Constant-time comparison, so the check does not leak how many
        # leading characters of the stored hash matched.
        return hmac.compare_digest(self.encode(key), creds)


class Sha512(object):
    """
    Provides a particular auth type (encoding format) for encoding and
    matching user keys.

    This class must be all lowercase except for the first character, which
    must be capitalized. encode and match methods must be provided and are
    the only ones that will be used by swauth.
    """
    # Same convention as Sha256: swauth sets this from auth_type_salt.
    salt = ''

    def encode(self, key):
        """
        Encodes a user key into a particular format. The result of this method
        will be used by swauth for storing user credentials.

        :param key: User's secret key
        :returns: A string representing user credentials
        """
        enc_key = ('%s%s' % (self.salt, key)).encode('utf-8')
        enc_val = hashlib.sha512(enc_key).hexdigest()
        return "sha512:%s" % enc_val

    def match(self, key, creds):
        """
        Checks whether the user-provided key matches the user's credentials

        :param key: User-supplied key
        :param creds: User's stored credentials
        :returns: True if the supplied key is valid, False otherwise
        """
        return hmac.compare_digest(self.encode(key), creds)

I was wondering, since sha1 seems not to be secure any more nowadays, maybe it would be better to use stronger hashes as default? Do you think it could have a noticeable impact on the performance of the swift proxy server? As I can see there is an option to set a global salt only, or is there a way to pass a salt per user key? If we use a global salt, maybe we shouldn't store the salt together with users' keys in case someone steals our database?

rbeede commented 11 years ago

It'd be nice to have iterations of the salt as well. Something like PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2) would be nice.

onovy commented 9 years ago

This PR adds SHA512: https://github.com/gholt/swauth/pull/77 and fixes the global salt.

I think SHA256 is not needed.

PBKDF2 requires additional library.

gholt commented 9 years ago

Closing this since that PR got merged.
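
The two concerns raised in this thread, a per-user salt that is not a single global secret sitting next to the hashes, and an iterated derivation such as PBKDF2, can be demonstrated in the same encode/match shape that swauth loads its auth types in. The class below is an added example written for this page, not code from the swauth project or from any commenter; the `Pbkdf2` class name, the stored record layout `pbkdf2:<iterations>$<base64 salt>$<hex key>` and the 100000 iteration default are my own assumptions. It uses `hashlib.pbkdf2_hmac`, which is part of the Python standard library (2.7.8+ and 3.4+), so no extra dependency is involved.

```python
import base64
import binascii
import hashlib
import hmac
import os


class Pbkdf2(object):
    """
    Hypothetical auth type in the same encode/match shape swauth loads
    (class name capitalised, only encode and match used). Unlike the
    Sha1/Sha256/Sha512 types it keeps no global salt: every credential
    carries its own random salt and its iteration count, so two users
    with the same key get different stored values, and whoever copies
    the database still has to pay the full PBKDF2 cost per guess.
    """
    # Constructed default; tune it to what the proxy server can afford.
    iterations = 100000

    def encode(self, key, salt=None, iterations=None):
        """Return 'pbkdf2:<iterations>$<base64 salt>$<hex derived key>'.

        A fresh 16-byte random salt is drawn unless one is supplied. The
        optional arguments exist so match() can re-derive with the stored
        parameters; swauth itself would only ever call encode(key).
        """
        if salt is None:
            salt = os.urandom(16)
        if iterations is None:
            iterations = self.iterations
        dk = hashlib.pbkdf2_hmac('sha256', key.encode('utf-8'), salt, iterations)
        return 'pbkdf2:%d$%s$%s' % (
            iterations,
            base64.b64encode(salt).decode('ascii'),
            binascii.hexlify(dk).decode('ascii'))

    def match(self, key, creds):
        """True if key re-derives to creds; False for any malformed record."""
        try:
            tag, rest = creds.split(':', 1)
            iters, salt_b64, dk_hex = rest.split('$')
            if tag != 'pbkdf2':
                return False
            iterations = int(iters)
            if iterations < 1:
                # pbkdf2_hmac rejects this anyway; refuse it explicitly.
                return False
            salt = base64.b64decode(salt_b64, validate=True)
        except (ValueError, binascii.Error):
            # Wrong auth type, truncated record, bad base64: never a match.
            return False
        # Re-derive with the salt and count stored in the record. b64encode
        # is canonical, so a well-formed record round-trips exactly and the
        # whole string can be compared in constant time.
        expected = self.encode(key, salt=salt, iterations=iterations)
        return hmac.compare_digest(expected, creds)


if __name__ == '__main__':
    enc = Pbkdf2()
    stored = enc.encode('secret')          # random salt, default iterations
    print(stored)
    print(enc.match('secret', stored))     # True
    print(enc.match('secret', 'sha1:00'))  # False: different auth type
```

Because the salt and the iteration count travel inside each record, the count can be raised later and old records keep verifying; on a successful match the caller can re-encode the key and store the upgraded record.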