[Tutor] CGI problem.

Mark Kels mark.kels at gmail.com
Sun Nov 7 14:05:01 CET 2004


On Sat, 06 Nov 2004 16:44:59 -0500, Lloyd Kvam <pythontutor at venix.com> wrote:
> On Sat, 2004-11-06 at 14:51, Mark Kels wrote:
> 
> 
> > On Sat, 06 Nov 2004 14:20:52 -0500, Lloyd Kvam <pythontutor at venix.com> wrote:
> > > My guess is that you have a trailing \n on the password that you read
> > > from the file.  I believe that the md5 digest is 16 characters, but you
> > > can double check that easily.  If that's true then
> > >         filepass = filepass[:16]
> > > would extract the digest.
> > >
> > > This avoids any kind of issues with line marks between different
> > > operating systems.
> > >
> > > One other point.  It is best to have a secret seed value that is used in
> > > conjunction with the user password when computing the digest.  This
> > > makes it harder to mount a dictionary attack against a copy of the
> > > password file.  You are still vulnerable to on-line dictionary attacks
> > > since your script "knows" the seed.  In actual practice someone who
> > > obtained the password file would often have also been able to obtain
> > > your secret seed value.
> >
> > I'm sorry, but I didn't understand what you just wrote... (maybe because
> > of my English, and maybe because of my little knowledge about this
> > subject).
> your code was something like:
>         filepass = passwordfile.readline()
> The '\n' (new-line) character is part of the data read in from the
> file.  So, filepass contains the MD5 digest along with the character
> that marks the end of the line in the file.  Since the MD5 digest is 16
> bytes long, you can extract the digest from the line you just read in by
> using:
>         filepass = filepass[:16]
> This takes the first 16 characters from the line and saves it using the
> same name as was used originally to save the whole line.  I hope this is
> clear.
> 
> I do not have any simple links covering security in program design.
> Bruce Schneier has written books about security.  The ACM (Association
> for Computer Machinery) also has security information and courses.
> http://acm.org/
> You would need to join to take advantage of much of their material.
> 
> > Can you please fix my code so I'll understand what was the mistake?
> >
> > And BTW, this encryption thing security thing is kind of interesting...
> > I'll be glad if you will send me a link or two about this subject (
> > not too complex, and related to python).
> >
> > Thank you very much!!
> --
> Lloyd Kvam
> Venix Corp
> 
> 

Thank you, now I understand it...
But it doesn't work.

First, I got 49 characters and not 16 in the hash
(\xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E).
But, anyway, it doesn't help me...
I think the problem is to hash the user input (I get  ��饇�&�R�=��F�E,
and not the real hash).

More ideas ?
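
An added example, not part of the original thread or any poster's code: it shows that the 16 raw digest bytes quoted above display as 49 backslash-escaped characters, that a digest stored as hex text compares correctly once the line ending is stripped, and, going beyond the thread, a salted record that uses PBKDF2-HMAC-SHA256 in place of MD5 with a seed. The function names, the sample password and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# The 16 raw digest bytes quoted in the message above.
RAW = b"\xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E"
ITERATIONS = 100_000  # constructed value for this example


def escaped_text(raw):
    """Backslash-escaped display form of raw bytes, as repr() prints them."""
    return repr(raw)[2:-1]  # drop the leading b' and the trailing '


def md5_hex_line(password):
    """A password-file line as readline() returns it: hex digest plus '\\n'."""
    return hashlib.md5(password.encode("utf-8")).hexdigest() + "\n"


def md5_line_matches(line, password, strip):
    """Compare a stored hex line with the hex digest of the typed password."""
    stored = line.strip() if strip else line
    typed = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, typed)


def make_record(password, salt=None):
    """Salted record 'salt_hex:digest_hex\\n' (PBKDF2-HMAC-SHA256, not MD5)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex() + "\n"


def check_password(line, candidate):
    """Verify a candidate against a record line exactly as read from the file."""
    salt_hex, digest_hex = line.strip().split(":")
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    line = md5_hex_line("hunter2")  # constructed sample password
    print(len(RAW), len(escaped_text(RAW)), len(line.strip()))
    print(md5_line_matches(line, "hunter2", strip=False))
    print(md5_line_matches(line, "hunter2", strip=True))
    record = make_record("hunter2")
    print(check_password(record, "hunter2"), check_password(record, "wrong"))
```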

