
Knock! Knock! Who's There?

Markus H
September 10, 2021

My talk from the Snakeoil Academy / PyCon AU 2021

Transcript

  1. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Knock! Knock!
    Who’s There?

  2. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Hi, I’m
    Markus Holtermann

  3. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Hi, I’m
    Markus Holtermann
    We're hiring

  4. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    The Beginning

  5. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Marian Vanhaeren/Francesco d'Errico

  6. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Sketch by Sydney Parkinson (1784) / Portrait by Louis John Steele (1891)

  7. Snakeoil Academy 2021 • PyCon AU • @m_holtermann

  8. Snakeoil Academy 2021 • PyCon AU • @m_holtermann

  9. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    # scrypt
    >>> import base64, hashlib, secrets
    >>> salt = secrets.token_bytes(16)
    >>> password = b"my p4ssw0rd!"
    >>> hash = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, maxmem=0, dklen=64)  # 64 raw bytes; store them next to the salt
    >>> base64.b64encode(hash).decode('ascii').strip()
    '8ln2EySYjOZRSLaIzjvaOaQQfGshxdH7vxptMyWo9zWJbM1glu0K8LbZf56QH+GefdiCP079IErDhVwUmPsRzQ=='
    # argon2
    >>> from argon2 import PasswordHasher
    >>> hasher = PasswordHasher()
    >>> hasher.hash(password)  # the encoded string already carries the parameters and the salt
    '$argon2id$v=19$m=102400,t=2,p=8$d85wm2Zga0oSPiK6Uxm4zA$03Kc+n7lf3SpL+VYSbMnfA'

  10. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Basic & Digest Authentication
    RFC 2069, RFC 2617, RFC 7617

  11. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Server replies with:
    WWW-Authenticate: Basic realm="PyConAU 2021", charset="UTF-8"
    Client sends:
    Authorization: Basic Y3VybHlib2k6c25ha2VvaWwuYWNhZGVteQ==

  12. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Token Authentication
    Authorization: Token soM3r4nDOmByt3s

  13. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Bearer Authentication
    RFC 6750
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyMDIxIiwibmFtZSI6ImN1cmx5Ym9pIn0.W8-ixoAkGMe5Gs7c5DLXFO0fCLypn2xhNExulY5iSEY

  14. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    JWT
    https://groups.google.com/g/django-developers/c/6oS9R2GwO4k/m/Rep92xfsAwAJ

  15. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    JWT

  16. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    >>> import base64, json, hmac
    >>> key = b"snakeoil.academy"
    >>> data = {"uid": 123, "name": "curlyboi"}
    >>> payload = base64.b64encode(json.dumps(data).encode())
    >>> mac = hmac.new(key, payload, digestmod="sha256")
    >>> ret = payload + b"." + base64.b64encode(mac.digest())
    >>> ret
    b'eyJ1aWQiOiAxMjMsICJuYW1lIjogImN1cmx5Ym9pIn0=.oJPUWmHZGJIXPCna082U8/SMseX+hZ5avKjgt1TKovg='
    >>> signed, signature = ret.split(b".", 1)
    >>> hmac.compare_digest(signature,
    ... base64.b64encode(hmac.new(key, signed, digestmod="sha256").digest()))
    True
    >>> json.loads(base64.b64decode(signed))
    {'uid': 123, 'name': 'curlyboi'}

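    The Bearer token of slide 13 and the hand-rolled HMAC scheme of slide 16, combined into one issuer/verifier as an added example (not code from the deck): the key, the claims and the names `issue_token`/`verify_bearer` are constructed for the demo, and the verifier checks the tag in constant time before it trusts the payload and accepts HS256 only.

```python
import base64
import hmac
import json

# Constructed demo key; a real deployment reads it from a secrets store.
KEY = b"constructed-demo-key-do-not-use"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding of the compact JWT form."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    """Inverse of b64url: restore the padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), "sha256").digest()
    return f"{header}.{payload}.{b64url(tag)}"


def verify_bearer(key: bytes, authorization: str):
    """Return the claims from an 'Authorization: Bearer ...' value, or None.

    The tag is compared in constant time before the payload is decoded, and
    only HS256 is accepted, so a header announcing another algorithm
    (for example "alg": "none") is rejected instead of honoured.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    try:
        hdr = json.loads(unb64url(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), "sha256").digest()
        if not hmac.compare_digest(unb64url(sig), expected):
            return None
        claims = json.loads(unb64url(payload))
        return claims if isinstance(claims, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None
```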

  17. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Mutual Authentication

  18. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    FIDO2 / WebAuthn
    https://www.w3.org/TR/webauthn-2/

  19. Snakeoil Academy 2021 • PyCon AU • @m_holtermann

  20. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    I!
    I who?
    Identification and Authentication!

  21. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Thank you!

  22. Snakeoil Academy 2021 • PyCon AU • @m_holtermann
    Sources
    • https://www.newscientist.com/article/dn9392-ancient-beads-imply-culture-older-than-we-thought/
    • https://rss.onlinelibrary.wiley.com/doi/pdf/10.1111/j.1740-9713.2013.00706.x
    • https://www.smithsonianmag.com/history/tattoos-144038580/
    • https://www.trulioo.com/blog/infographic-the-history-of-id-verification
    • https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/