Security helper for the OpenAlchemy package service
Security
Performs the calculations for creating public and secret keys. A credential is made up of a public and secret key, a salt and a hash of the secret key that is safe to store.
Service Secret
For certain operations, such as the creation of secret keys, a service secret is retrieved, which requires access to AWS Secrets Manager.
Create
Create a new credential.
Input:
- sub: unique identifier for the user.
Output:
- public_key: a unique public identifier for the key,
- secret_key: a secret key for the public key,
- salt: a random value used to create the credential and
- secret_key_hash: a value derived from the secret key that is safe to store.
Retrieve Secret
Re-calculates the secret key based on known values.
Input:
- sub and salt.
Output:
- secret_key.
Calculate Secret Hash
Calculate the secret key hash for a secret.
Input:
- secret_key and salt.
Output:
- secret_key_hash.
Compare Secret Hashes
Safely compare two secret key hashes.
Input:
- left: a secret_key_hash and
- right: a secret_key_hash.
Output:
- Whether left == right.
Algorithm:
- use https://docs.python.org/3/library/hmac.html#hmac.compare_digest to compare the secret key hashes.
Salt
A salt is a random string generated using https://docs.python.org/3/library/secrets.html#secrets.token_bytes .
Public Key
The public key is a hash based on the sub of the user and a salt. The following algorithm is used:
- create a message by combining the sub and a random salt created using https://docs.python.org/3/library/secrets.html#secrets.token_bytes,
- digest the message using sha256 from https://docs.python.org/3/library/hashlib.html#hash-algorithms and
- convert the digest to a string using https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode, decoding the result and prepending it with pk_.
Secret Key
The secret key is a hash based on the sub, salt and a secret associated with the service. The following algorithm is used:
- retrieve the service secret,
- create a message by combining sub, salt and the service secret,
- digest the message using sha256 from https://docs.python.org/3/library/hashlib.html#hash-algorithms and
- convert the digest to a string using https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode, decoding the result and prepending it with sk_.
Secret Key Hash
The secret key itself is not stored; instead, a value derived from it that is hard to reverse is stored. The following function is used to calculate it: https://docs.python.org/3/library/hashlib.html#hashlib.scrypt where:
- password is the secret_key,
- salt is the credential salt,
- n is 2 ** 14,
- r is 8 and
- p is 1.
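The complete credential flow described above (Create, Retrieve Secret, Calculate Secret Hash and Compare Secret Hashes), as an added Python example that implements the documented algorithm; it is not the package's own code. It assumes plain byte concatenation for "combining" the message parts, a 32-byte salt, and a constructed in-memory stand-in for the service secret in place of AWS Secrets Manager.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the service secret; the real service retrieves
# this from AWS Secrets Manager (assumption, not part of the page).
SERVICE_SECRET = b"constructed-service-secret-for-demo"

# scrypt parameters as documented: n = 2 ** 14, r = 8, p = 1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def create_salt() -> bytes:
    # Salt length of 32 bytes is an assumption; the page only names token_bytes.
    return secrets.token_bytes(32)


def _digest_to_string(prefix: str, message: bytes) -> str:
    # sha256 digest, urlsafe base64, decoded to str, then prefixed (pk_ / sk_).
    digest = hashlib.sha256(message).digest()
    return prefix + base64.urlsafe_b64encode(digest).decode()


def calculate_public_key(sub: str, salt: bytes) -> str:
    return _digest_to_string("pk_", sub.encode() + salt)


def calculate_secret_key(sub: str, salt: bytes, service_secret: bytes = SERVICE_SECRET) -> str:
    return _digest_to_string("sk_", sub.encode() + salt + service_secret)


def calculate_secret_hash(secret_key: str, salt: bytes) -> bytes:
    # Only this value is safe to store; the secret key itself is never persisted.
    return hashlib.scrypt(secret_key.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def compare_secret_hashes(left: bytes, right: bytes) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(left, right)


def create(sub: str) -> dict:
    salt = create_salt()
    secret_key = calculate_secret_key(sub, salt)
    return {
        "public_key": calculate_public_key(sub, salt),
        "secret_key": secret_key,
        "salt": salt,
        "secret_key_hash": calculate_secret_hash(secret_key, salt),
    }


def retrieve_secret(sub: str, salt: bytes) -> str:
    # Re-derives the secret key from the stored sub and salt plus the service secret.
    return calculate_secret_key(sub, salt)
```

To verify a presented secret key, hash it with the stored salt and pass the result together with the stored secret_key_hash to compare_secret_hashes.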
Hashes for open-alchemy.package-security-1.0.4.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 3f6e4f367202849b4aeebe3bcff9e0ce9addf4da88783995ef0138560e037548
MD5 | 70534e09b1d4e16a0f06c599d4a0ac5a
BLAKE2b-256 | d5aa28a34c33497054086d60f8ee09eb0d3a0a67aaf245d0f6ce71720b42e8d1
Hashes for open_alchemy.package_security-1.0.4-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 698c112e5382c98f7197c723dd2a68afa12f11b1c53a07e11db9fcc5459a0cda
MD5 | 2f7279227d74d57d25d5498ee068bf0a
BLAKE2b-256 | 09d838fb566d2f977ffe83bd57ec388a771dc03e2f1c67aa419dd08cc484eba9