Using Rotor with password file

Tim Evans t.evans at paradise.net.nz
Sat Feb 1 17:51:15 EST 2003 

Colin Meeks <colin at meeks.ca> writes:

> I'm implementing Rotor within my application and am having a problem with 
> decrypting. Basically I have a file with users similar to this
> 
>     	name||password||level
> 
> each on it's own line.  I read the line in using readline and then split 
> the line into a variable y[]
> 
> y[0] is the username
> y[1] is the password
> y[2] is the level
> 
> If I print Y all the passwords have an extra '\' where there is an initial 
> '\', i.e. '\eda' would read '\\eda'
> If I print y[1] it appears correct. However when I decrypt using y[1] I get 
> the wrong code back. 
> 
> Anybody got any ideas??
> 
> Colin

The more traditional way to implement a password file would be to use
the 'md5' or 'sha' modules.  The following code is a simple
implementation of this:

--------------------------------------------------------
import sha, random, base64

def _makesalt():
    l = [ chr(random.randint(0,255)) for i in range(4) ]
    return ''.join(l)

def create(password):
    salt = _makesalt()
    text = salt + password
    hash = sha.new(text).digest()
    data = salt + hash
    return base64.encodestring(data)

def check(data, password):
    data = base64.decodestring(data)
    salt, hash = data[:4], data[4:]
    hash2 = sha.new(salt + password).digest()
    return hash2 == hash

def _test():
    data = create('parrot')
    for p in 'spam', 'parrot', 'Parrot', 'cheese':
        ok = check(data, p)
        print '%s: %d' % (p, ok)

if __name__ == '__main__':
    _test()
--------------------------------------------------------

SHA is a one-way encryption, meaning that even if someone knows the
algorithm and the contents of the password file, they cannot easily
determine any of the plain-text passwords.  The random salt is
required so that if two users have the same password the entries in
the password file will still be different, so they cannot tell that
their password would also open someone other account.

It might be sensible to extend this to include the username and/or
level in the plain-text along with the salt, so that if someone edits
the password file to change their level they will invalidate their
password.

Warning: I an not a security expert, this implementation may be
insecure or just plain wrong.

-- 
Tim Evans

More information about the Python-list mailing list