Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Knock! Knock! Who's There?
Search
Markus H
September 10, 2021
Programming
100
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Knock! Knock! Who's There?
My talk from the Snakeoil Acadamy / PyCon AU 2021
Markus H
September 10, 2021
More Decks by Markus H
See All by Markus H
Oh, I Found a Security Issue (reloaded 2026)
markush
0
35
🐍 ❤️ 🦀 — Python loves Rust
markush
0
290
An Introduction To Kubernetes ☸
markush
0
140
Writing Safe Database Migrations (DjangoCon Europe 2021)
markush
0
14k
A Pony On The Move: How Migrations Work In Django 🐎
markush
0
13k
All Hands on Deck — Handling Security Issues
markush
0
14k
Logging Rethought 2: The Actions of Frank Taylor Jr. (PyCon UK 2019)
markush
0
78
Logging Rethought 2: The Actions of Frank Taylor Jr. (PyCon Australia 2019)
markush
1
240
Logging Rethought 2: The Actions of Frank Taylor Jr. (DjangoCon Europe 2019)
markush
0
13k
Other Decks in Programming
See All in Programming
コーディングルールの鮮度を保ちたい for SRE NEXT 2026 / keep-fresh-go-internal-conventions-sre-next-2026
handlename
0
140
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
220
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
2
820
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
nrslib
4
1.6k
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
320
Go1.27で導入されるジェネリクスメソッドでできること
mackee
0
260
Webフレームワークの ベンチマークについて
yusukebe
0
200
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
12
4.7k
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
150
ローカルLLMでどこまでコードが書けるか -縮小版 / How much code can be written on a local LLM Shortened
kishida
2
180
OSINT for SRE: 学術論文とポストモーテムから探る システム障害の共通パターン / SRE NEXT 2026
tomoyk
1
3.2k
Featured
See All Featured
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
Balancing Empowerment & Direction
lara
6
1.2k
More Than Pixels: Becoming A User Experience Designer
marktimemedia
3
460
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
300
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
270
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
210
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
610
GitHub's CSS Performance
jonrohan
1033
470k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
390
How to build a perfect <img>
jonoalderson
1
5.8k
Transcript
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Knock! Knock!
Who’s There?
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Hi, I’m
Markus Holtermann
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Hi, I’m
Markus Holtermann W e're hiring
Snakeoil Academy 2021 • PyCon AU • @m_holtermann The Beginning
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Marian Vanhaeren/Francesco
d'Errico
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Sketch by
Sydney Parkinson (1784) Portrait by Louis John Steele (1891)
Snakeoil Academy 2021 • PyCon AU • @m_holtermann
Snakeoil Academy 2021 • PyCon AU • @m_holtermann
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy
2021 • PyCon AU • @m_holtermann # scrypt >>> import base64, hashlib, secrets >>> salt = secrets.token_bytes(16) >>> password = b"my p4ssw0rd!"0 >>> hash = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, maxmem=0, dklen=64).hex() >>> base64.b64encode(hash).decode('ascii').strip() '8ln2EySYjOZRSLaIzjvaOaQQfGshxdH7vxptMyWo9zWJbM1glu0K8LbZf56QH+GefdiCP079IErDhVw UmPsRzQ==' # argon2 >>> from argon2 import PasswordHasher >>> hasher = PasswordHasher() >>> hasher.hash(password) '$argon2id$v=19$m=102400,t=2,p=8$d85wm2Zga0oSPiK6Uxm4zA$03Kc+n7lf3SpL+VYSbMnfA'
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Basic &
Digest Authentication RFC 2069, RFC 2617, RFC 7617
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy
2021 • PyCon AU • @m_holtermann WWW-Authenticate: Basic realm="PyConAU 2021", charset="UTF-8" Authorization: Basic Y3VybHlib2k6c25ha2VvaWwuYWNhZGVteQ== Server replies with: Client sends:
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Token Authentication
Authorization: Token soM3r4nDOmByt3s
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Bearer Authentication
RFC 6750 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIy MDIxIiwibmFtZSI6ImN1cmx5Ym9pIn0.W8-ixoAkGMe5Gs7c5 DLXFO0fCLypn2xhNExulY5iSEY
Snakeoil Academy 2021 • PyCon AU • @m_holtermann JWT https://groups.google.com/g/django-developers
/c/6oS9R2GwO4k/m/Rep92xfsAwAJ
Snakeoil Academy 2021 • PyCon AU • @m_holtermann JWT
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy
2021 • PyCon AU • @m_holtermann >>> import base64, json, hmac >>> key = b"snakeoil.academy" >>> data = {"uid": 123, "name": "curlyboi"} >>> payload = base64.b64encode(json.dumps(data).encode()) >>> mac = hmac.new(key, payload, digestmod="sha256") >>> payload + b"." + base64.b64encode(mac.digest()) >>> ret b'eyJ1aWQiOiAxMjMsICJuYW1lIjogImN1cmx5Ym9pIn0=.oJPUWmHZGJIXPCna082U8/SMseX+hZ5av Kjgt1TKovg=' >>> signed, signature = ret.split(b".", 1) >>> hmac.compare_digest(signature, ... base64.b64encode(hmac.new(key, signed, digestmod="sha256").digest())) True >>> json.loads(base64.b64decode(signed)) {'uid': 123, 'name': 'curlyboi'}
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Mutual Authentication
Snakeoil Academy 2021 • PyCon AU • @m_holtermann FIDO2 /
WebAuthn https://www.w3.org/TR/webauthn-2/
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy
2021 • PyCon AU • @m_holtermann
Snakeoil Academy 2021 • PyCon AU • @m_holtermann I! I
who? Identification and Authentication!
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Thank you!
Snakeoil Academy 2021 • PyCon AU • @m_holtermann Sources •
https://www.newscientist.com/article/dn9392-ancient-beads-imply-culture-older-than-we-thought/ • https://rss.onlinelibrary.wiley.com/doi/pdf/10.1111/j.1740-9713.2013.00706.x • https://www.smithsonianmag.com/history/tattoos-144038580/ • https://www.trulioo.com/blog/infographic-the-history-of-id-verification • https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/