Authentication Using Rotor

Irmen de Jong irmen at -NOSPAM-REMOVE-THIS-xs4all.nl
Sat Mar 15 00:38:05 CET 2003


Ed Young wrote:
> I am writing a distributed application in Python which uses 
> sockets to transfer data.  I would like to authenticate the 
> sender when a socket connection is made.

For authentication, you don't need *encryption*.
I'm not sure what exactly you are doing with the rotor
module for authentication. Encryption is for hiding your
data to eavesdroppers.

The *authentication* I've implemented in Pyro, after talking
it over with various people works like this:

- it is based on a shared private key, the "passphrase".
   This is very much like a "password" you'd be using
   when logging on on your computer.
- never is a passphrase stored on disk or in memory.
- the secure hash/digest (md5 or sha) of the passphrase
   is compared to see if they match. If it matches,
   you're in, otherwise the connection is closed.
- server sends unique "challenge" string to client that wants
   to connect. This challenge is used together with the
   passphrase in calculating the secure hash.
- because the challenge changes everytime, auth hashes
   cannot be reused for authentication so this scheme
   is safe against eavesdroppers.
- reasonable effort is taken to create very-hard-to-guess
   challenge strings.

I think this method is good and safe. As you see it doesn't
use encryption. It uses secure hashing to compare passphrases.
As far as I know, this is the usual way of doing this kind of stuff.

--Irmen.





More information about the Python-list mailing list