[PYTHON-CRYPTO] RFC: verifying e-mail addresses using HMACs
Jason R. Mastaler
jason-list-python-crypto at MASTALER.COM
Thu Apr 26 17:44:34 CEST 2001
I'm working on an application that generates and verifies one-time
"expirable" e-mail addresses using HMACs. I thought I'd run my
methodology by the list and would appreciate any comments/suggestions

A 'dated' address is one that is valid only for a certain interval of

Its format is: name-dated-$date.$datemac at domain.dom
(For example, jason-dated-988298746.9d619c at mastaler.com)

An incoming message with such a 'dated' address is accepted if:
$date < currentdate AND $datemac == a new HMAC generated using
$date as input.

A 'sender' address is one that only a particular sender can use.

Its format is: name-sender-$sendermac at domain.dom
(For example, jason-sender-c12d9f6630f00645 at mastaler.com)

An incoming message with such a 'sender' address is accepted if:
$sendermac == a new HMAC generated using the sender's e-mail
address as input.

The following code illustrates how these addresses are generated using
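
import binascii
import time
from Crypto.Hash import HMAC
from Crypto.Hash import SHA

now = '%d' % time.time()
hexkey = '0a7ba002d968c2c6a87c91c54ed68a15987cc546'
key = binascii.unhexlify(hexkey)

def make_datemac(time):
    datemac = HMAC.HMAC(SHA).hash(key,[time])  # HMAC-SHA of the date string
    return datemac  # shortening to the hex tag in the address is not shown
dated_address = 'jason-dated-' + now + '.' + make_datemac(now)

def make_sendermac(address):
    sendermac = HMAC.HMAC(SHA).hash(key,[address])  # HMAC-SHA of the sender address
    return sendermac  # shortening to the hex tag in the address is not shown
sender_address = 'jason-sender-' + make_sendermac('jason at mastaler.com')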
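
The scheme described in the message above, generation plus the acceptance checks, as an added example that is not part of the original post and uses the standard-library hmac module rather than the poster's library. Assumptions: the key and the example.com/example.org addresses are constructed, the tag lengths (6 and 16 hex digits) are read off the post's example addresses, $date is the issue time as in the post's code, and LIFETIME is a hypothetical validity interval.

```python
import hashlib
import hmac
import time

KEY = b"constructed-demo-key"    # constructed sample key, not the post's key
DATEMAC_HEX = 6                  # tag lengths inferred from the post's examples;
SENDERMAC_HEX = 16               # a 6-digit tag is only 24 bits of forgery resistance
LIFETIME = 5 * 24 * 3600         # assumed validity interval, in seconds

def _mac(data, hexlen):
    """Truncated HMAC-SHA1 of data, as lowercase hex."""
    return hmac.new(KEY, data.encode(), hashlib.sha1).hexdigest()[:hexlen]

def _same(a, b):
    """Constant-time comparison; bytes avoid TypeError on non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())

def make_dated(name, domain, now=None):
    date = "%d" % (time.time() if now is None else now)
    return "%s-dated-%s.%s@%s" % (name, date, _mac(date, DATEMAC_HEX), domain)

def make_sender(name, domain, sender):
    return "%s-sender-%s@%s" % (name, _mac(sender, SENDERMAC_HEX), domain)

def verify(recipient, envelope_sender, now=None):
    """Return True if recipient is a valid 'dated' or 'sender' address."""
    now = time.time() if now is None else now
    local = recipient.rsplit("@", 1)[0]
    if "-dated-" in local:
        date, _, mac = local.rsplit("-dated-", 1)[1].partition(".")
        if not (date.isascii() and date.isdigit()):
            return False
        # Authenticate the date first, then apply the time window to it.
        if not _same(mac, _mac(date, DATEMAC_HEX)):
            return False
        return int(date) <= now <= int(date) + LIFETIME
    if "-sender-" in local:
        mac = local.rsplit("-sender-", 1)[1]
        return _same(mac, _mac(envelope_sender, SENDERMAC_HEX))
    return False  # untagged addresses are not accepted by this check
```
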