Encrypt password within source code.
Chris Rebert
clp2 at rebertia.com
Wed May 5 21:44:59 EDT 2010
On Wed, May 5, 2010 at 6:12 PM, Vincent Davis <vincent at vincentdavis.net> wrote:
> I can't think of a way to do this, not sure it is possible but I feel as though I might not know what I don't know.
> I want to share and example of a python script, to run it needs a google username and password. Is there a way for me to encrypt my username and password in the source code? I though about openID but don't really know anything about it.
Nope. What you're asking for is essentially a form of DRM by including
the information in a way the program can use it but the user can't
extract it; DRM schemes have been broken many times and the idea is
flawed even in theory, for if a person has control of their computer
(or in the limit case, at least physical access to its innards), they
can just watch the computation (e.g. memory snoop) until the data gets
converted to its plain form so the program can actually utilize it,
and then bada-bing, they have your valuable data.
Think of it this way. If you encrypted the information in your
program, the program would need to be able to decrypt it later so it
could actually use the login info. For it to be able to do that, you'd
have to include the encryption key in plaintext somewhere in the
program so it could pass it into the decryption algorithm. But then
someone can put 2 and 2 together, see that "there's his key!", and
decrypt your info using the key. So, to prevent this, the key *itself*
would then have to be encrypted...by another key, which again would be
stored in plaintext in your program somewhere, where someone could
then find it and use it to decrypt the first key and then your data,
so you use yet another key to encrypt that key...(as you can see, this
goes on ad infinitum, and thus the whole scheme is doomed). See also
section 1, "DRM Systems Don't Work", of
http://changethis.com/manifesto/show/4.DRM
You can alternatively just try to obfuscate it, but that's obviously
not truly secure and is likewise easily circumvented.
Just let the user input their own Google Account info. If you're
trying to show an example that depends on your own exact account, just
include a transcript of your terminal session (omitting your Google
Account info obviously).
Cheers,
Chris
--
DRM is http://defectiveByDesign.org
http://blog.rebertia.com
More information about the Python-list
mailing list