Crypto 101

I was not keen on cryptography before this incident. I was working on a PR for pagure where I had to write a feature that gives local users the ability to change their password. You can see the PR here. There are two ways to log in to pagure: with a FAS account if you use pagure online, or with local authentication if you are hosting it yourself. I learned a lot from this feature, starting with “how not to write an authentication system”, because the first PR I sent was all about the wrong practices. Thanks a lot to Pingou and Peter for correcting me and guiding me on how to do it.

Peter pointed me to this video, which cleared up a lot of my questions. So some of the basic rules for writing an auth system are:

  1. Never, ever store the password itself
  2. Always adopt the latest encryption technique
  3. Use a constant-time function to compare passwords

The technique we used is called salting, and it is a very beautiful technique. Before going into salting we should look at hashing, because hashing is what generates the junk-looking string from the password using an algorithm; salting is just another layer over it that makes the hashed output less predictable. Hashing converts the password into a string that cannot be inverted: practically, once you convert a string into a hash there is no way to retrieve the original. The drawback is that the same input string always produces the same hash string, so the hashes can be brute forced, or rainbow tables (precomputed tables of hashes) can be used to recover the password.

This is where salting comes into the picture: with salting, the entropy of the strings generated is exponentially increased, and your site is a little more secure, because even though you are storing passwords in your database, even you cannot decipher them; all you see is a junk string. That makes your site secure and impenetrable.

Python comes in handy here: bcrypt is a library which gives us a simple interface to use this functionality without getting into much detail.

Now comes a tricky part: we do not compare passwords directly; we use something called a constant-time function to compare them. The sole reason is that the normal compare functions are written to compare two strings as fast as possible, returning at the first byte that differs, which leaks information about how much of the string matched through the time the comparison takes. When we are dealing with passwords, accuracy (leaking nothing) is the most important factor, not efficiency, hence a constant-time comparison function is used.
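The three ideas above (a per-password salt, a hash that cannot be inverted, and a constant-time comparison) in one runnable example. This is an added illustration, not code from the pagure PR. It uses only the Python standard library: PBKDF2-HMAC-SHA256 stands in for bcrypt so the block runs offline, the storage format `scheme$iterations$salt$hash` and the iteration count are constructed for the example, and `hmac.compare_digest` is the standard library's constant-time comparison, shown next to a hand-written version so the reason for it is visible.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2 (constructed value for this example; bcrypt has its own cost parameter).
ITERATIONS = 100000


def unsalted_sha256(password: str) -> str:
    """The weak scheme the post warns about: one input always gives one digest,
    so a precomputed (rainbow) table of common passwords maps straight back to the input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Hash a password with a fresh random salt and return a self-describing
    record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.
    The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Hand-written constant-time compare: every byte is visited and the
    result is accumulated with OR, so the running time does not depend on
    where the first mismatching byte is. hmac.compare_digest does the same."""
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a, b):
        result |= x ^ y
    return result == 0


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time. Malformed records simply fail verification."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The standard-library constant-time compare is what production code should use.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Same password, same unsalted digest: this is the property rainbow tables exploit.
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    # Same password, two different salted records: no shared precomputation helps.
    record_a = hash_password("hunter2")
    record_b = hash_password("hunter2")
    print(record_a != record_b, verify_password("hunter2", record_a), verify_password("hunter3", record_a))
```

With the bcrypt library the post actually uses, the equivalent calls are `bcrypt.hashpw(password, bcrypt.gensalt())` to create the record and `bcrypt.checkpw(password, record)` to verify it; bcrypt embeds the salt and cost in its output string in the same spirit as the `$`-separated record here, and `checkpw` already compares in constant time.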

The PR evolved very organically, and finally, after discussing various aspects, we ended up writing test cases, which exposed one of the vulnerabilities in the code. We fixed the error and then went on to complete the PR; Pingou wrote most of the test cases, and after a lot of hard work over a long time the PR was finally complete. I even got my name in some of the files.


#SayNoToFreeBasic

No, this is not another article which tells you what Free Basics is, and frankly, if you are reading this and you don't know what Free Basics is, then probably you are one of those who agreed to it because all of your friends on Facebook were doing it.

First know what Free Basics is and then register for it, because this is not one of those posts which says “1 like = 1 prayer”. This decision of yours is going to affect the whole country. Having said that, this post is not at all about what Free Basics is; it's more about what you can do. As a student, I can make people aware of how bad the situation is.

The best way to do that is posting things about Free Basics and net neutrality. People will read them and then know what is wrong with Free Basics. Here Python comes into the picture: since I love Python, I wrote a small script that fetches all tweets with #SayNoToFreeBasic and retweets them, which automatically gets them onto my Facebook wall. So, to beat them at their own game. I used the python-twitter and tweepy libraries; two libraries were needed because one is good with meta-info like ids and the other is good at making API calls.

The following is my code; use it well and use it widely.

May the force be with you ……… ALWAYS

# Retweet, favourite and follow every tweet found for the hashtags below.
# Needs the python-twitter and tweepy (3.x) packages; the credentials are placeholders.
from __future__ import print_function

import twitter
import tweepy

CONSUMER_KEY = 'YOUR_CONSUMER_KEY'            # placeholder, not a real credential
CONSUMER_SECRET = 'YOUR_CONSUMER_SECRET'      # placeholder
ACCESS_TOKEN = 'YOUR_ACCESS_TOKEN'            # placeholder
ACCESS_TOKEN_SECRET = 'YOUR_ACCESS_TOKEN_SECRET'  # placeholder

# python-twitter: good for searching and the meta-info (ids, user info) on each status
api = twitter.Api(consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET,
                  access_token_key=ACCESS_TOKEN, access_token_secret=ACCESS_TOKEN_SECRET)

# tweepy: used for the retweet API call
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth.set_access_token(ACCESS_TOKEN, ACCESS_TOKEN_SECRET)
api_tweepy = tweepy.API(auth)

favorite_hashtags = ['#saynotofreebasics', '#SayNoToFreeBasics']


def follow_user_hashtags_fav(status_object):
    # status_object is a python-twitter Status; AsDict() exposes its fields
    user_dict = status_object.AsDict()
    tweet_id = user_dict.get('id')
    user_name = user_dict['user']['name']
    user_id = user_dict['user']['id']
    # retweet once (the original called retweet twice, which fails the second time)
    api_tweepy.retweet(tweet_id)
    print("Retweet Done!")
    api.CreateFavorite(status_object)
    print('You favorited this tweet :\n', status_object.text)
    api.CreateFriendship(user_id)
    print('You are following :\n', user_name)


for hashtag in favorite_hashtags:
    print('For hashtag :\t', hashtag)
    list_statuses = api.GetSearch(hashtag)
    for status in list_statuses:
        try:
            follow_user_hashtags_fav(status)
        except twitter.error.TwitterError:
            print("Some Error may be you favorited it twice or you are following yourself")
        except tweepy.error.TweepError:
            pass