Authentication Using Rotor
Irmen de Jong
irmen at -NOSPAM-REMOVE-THIS-xs4all.nl
Fri Mar 14 18:38:05 EST 2003
Ed Young wrote:
> I am writing a distributed application in Python which uses
> sockets to transfer data. I would like to authenticate the
> sender when a socket connection is made.
For authentication, you don't need *encryption*.
I'm not sure what exactly you are doing with the rotor
module for authentication. Encryption is for hiding your
data to eavesdroppers.
The *authentication* I've implemented in Pyro, after talking
it over with various people works like this:
- it is based on a shared private key, the "passphrase".
This is very much like a "password" you'd be using
when logging on on your computer.
- never is a passphrase stored on disk or in memory.
- the secure hash/digest (md5 or sha) of the passphrase
is compared to see if they match. If it matches,
you're in, otherwise the connection is closed.
- server sends unique "challenge" string to client that wants
to connect. This challenge is used together with the
passphrase in calculating the secure hash.
- because the challenge changes everytime, auth hashes
cannot be reused for authentication so this scheme
is safe against eavesdroppers.
- reasonable effort is taken to create very-hard-to-guess
challenge strings.
I think this method is good and safe. As you see it doesn't
use encryption. It uses secure hashing to compare passphrases.
As far as I know, this is the usual way of doing this kind of stuff.
--Irmen.
More information about the Python-list
mailing list