My talk from the Snakeoil Academy / PyCon AU 2021
Snakeoil Academy 2021 • PyCon AU • @m_holtermann
Knock! Knock! Who's There?
Hi, I'm Markus Holtermann
We're hiring
The Beginning
Marian Vanhaeren / Francesco d'Errico
Sketch by Sydney Parkinson (1784). Portrait by Louis John Steele (1891).
# scrypt
>>> import base64, hashlib, secrets
>>> salt = secrets.token_bytes(16)  # random per-password salt, stored next to the derived key
>>> password = b"my p4ssw0rd!"
>>> derived = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, maxmem=0, dklen=64)
>>> base64.b64encode(derived).decode('ascii')  # 64 raw bytes, base64-encoded for storage
'8ln2EySYjOZRSLaIzjvaOaQQfGshxdH7vxptMyWo9zWJbM1glu0K8LbZf56QH+GefdiCP079IErDhVwUmPsRzQ=='
# argon2
>>> from argon2 import PasswordHasher
>>> hasher = PasswordHasher()
>>> hasher.hash(password)  # argon2id; salt and cost parameters are encoded in the result
'$argon2id$v=19$m=102400,t=2,p=8$d85wm2Zga0oSPiK6Uxm4zA$03Kc+n7lf3SpL+VYSbMnfA'
Basic & Digest Authentication (RFC 2069, RFC 2617, RFC 7617)
Server replies with:
WWW-Authenticate: Basic realm="PyConAU 2021", charset="UTF-8"
Client sends:
Authorization: Basic Y3VybHlib2k6c25ha2VvaWwuYWNhZGVteQ==
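As an added example (not code from the talk) tying the scrypt slide to the Basic scheme above: a server-side check that parses the Authorization header, looks the user up in a constructed store of scrypt-derived keys using the slide's parameters, and compares in constant time. The user store, the dummy record used to keep unknown-user timing close to a real check, and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt parameters from the slide; the random salt is stored beside the derived key
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 64

def hash_password(password: bytes, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a storable scrypt key; returns (salt, derived_key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=0, dklen=DKLEN)
    return salt, dk

def verify_password(password: bytes, salt: bytes, stored_dk: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored_dk)

def basic_header(user: str, password: str) -> str:
    """Client side: the value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_header(header: str) -> Optional[tuple[str, str]]:
    """Server side: 'Basic <base64(user:pass)>' -> (user, password), or None if malformed."""
    scheme, _, credentials = header.strip().partition(" ")
    if scheme.lower() != "basic" or not credentials:
        return None
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 7617: the user-id contains no ':'
    return (user, password) if sep else None

# Constructed user store (hypothetical) holding the credentials the slide's header encodes
USERS = {"curlyboi": hash_password(b"snakeoil.academy")}
DUMMY = hash_password(b"not-a-real-user")  # unknown users still pay for one scrypt run
SLIDE_HEADER = "Basic Y3VybHlib2k6c25ha2VvaWwuYWNhZGVteQ=="

def authenticate(header: str, users: dict = USERS) -> Optional[str]:
    """Return the authenticated user name, or None on any failure."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    user, password = parsed
    salt, dk = users.get(user, DUMMY)
    ok = verify_password(password.encode("utf-8"), salt, dk)
    return user if ok and user in users else None
```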
Token Authentication
Authorization: Token soM3r4nDOmByt3s
Bearer Authentication (RFC 6750)
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyMDIxIiwibmFtZSI6ImN1cmx5Ym9pIn0.W8-ixoAkGMe5Gs7c5DLXFO0fCLypn2xhNExulY5iSEY
JWT
https://groups.google.com/g/django-developers/c/6oS9R2GwO4k/m/Rep92xfsAwAJ
>>> import base64, json, hmac
>>> key = b"snakeoil.academy"
>>> data = {"uid": 123, "name": "curlyboi"}
>>> payload = base64.b64encode(json.dumps(data).encode())
>>> mac = hmac.new(key, payload, digestmod="sha256")
>>> ret = payload + b"." + base64.b64encode(mac.digest())  # base64 never contains '.', so it is a safe separator
>>> ret
b'eyJ1aWQiOiAxMjMsICJuYW1lIjogImN1cmx5Ym9pIn0=.oJPUWmHZGJIXPCna082U8/SMseX+hZ5avKjgt1TKovg='
>>> signed, signature = ret.split(b".", 1)
>>> hmac.compare_digest(signature,  # constant-time check of the recomputed MAC before trusting the payload
...     base64.b64encode(hmac.new(key, signed, digestmod="sha256").digest()))
True
>>> json.loads(base64.b64decode(signed))
{'uid': 123, 'name': 'curlyboi'}
Mutual Authentication
FIDO2 / WebAuthn
https://www.w3.org/TR/webauthn-2/
I! I who? Identification and Authentication!
Thank you!
Sources
• https://www.newscientist.com/article/dn9392-ancient-beads-imply-culture-older-than-we-thought/
• https://rss.onlinelibrary.wiley.com/doi/pdf/10.1111/j.1740-9713.2013.00706.x
• https://www.smithsonianmag.com/history/tattoos-144038580/
• https://www.trulioo.com/blog/infographic-the-history-of-id-verification
• https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/