Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Knock! Knock! Who's There?

Cd7648c536b4dbe940246b74044fbc52?s=47 Markus H
September 10, 2021

Knock! Knock! Who's There?

My talk from the Snakeoil Acadamy / PyCon AU 2021

Cd7648c536b4dbe940246b74044fbc52?s=128

Markus H

September 10, 2021
Tweet

Transcript

  1. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Knock! Knock!

    Who’s There?
  2. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Hi, I’m

    Markus Holtermann
  3. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Hi, I’m

    Markus Holtermann W e're hiring
  4. Snakeoil Academy 2021 • PyCon AU • @m_holtermann The Beginning

  5. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Marian Vanhaeren/Francesco

    d'Errico
  6. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Sketch by

    Sydney Parkinson (1784) Portrait by Louis John Steele (1891)
  7. Snakeoil Academy 2021 • PyCon AU • @m_holtermann

  8. Snakeoil Academy 2021 • PyCon AU • @m_holtermann

  9. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy

    2021 • PyCon AU • @m_holtermann # scrypt >>> import base64, hashlib, secrets >>> salt = secrets.token_bytes(16) >>> password = b"my p4ssw0rd!"0 >>> hash = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, maxmem=0, dklen=64).hex() >>> base64.b64encode(hash).decode('ascii').strip() '8ln2EySYjOZRSLaIzjvaOaQQfGshxdH7vxptMyWo9zWJbM1glu0K8LbZf56QH+GefdiCP079IErDhVw UmPsRzQ==' # argon2 >>> from argon2 import PasswordHasher >>> hasher = PasswordHasher() >>> hasher.hash(password) '$argon2id$v=19$m=102400,t=2,p=8$d85wm2Zga0oSPiK6Uxm4zA$03Kc+n7lf3SpL+VYSbMnfA'
  10. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Basic &

    Digest Authentication RFC 2069, RFC 2617, RFC 7617
  11. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy

    2021 • PyCon AU • @m_holtermann WWW-Authenticate: Basic realm="PyConAU 2021", charset="UTF-8" Authorization: Basic Y3VybHlib2k6c25ha2VvaWwuYWNhZGVteQ== Server replies with: Client sends:
  12. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Token Authentication

    Authorization: Token soM3r4nDOmByt3s
  13. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Bearer Authentication

    RFC 6750 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIy MDIxIiwibmFtZSI6ImN1cmx5Ym9pIn0.W8-ixoAkGMe5Gs7c5 DLXFO0fCLypn2xhNExulY5iSEY
  14. Snakeoil Academy 2021 • PyCon AU • @m_holtermann JWT https://groups.google.com/g/django-developers

    /c/6oS9R2GwO4k/m/Rep92xfsAwAJ
  15. Snakeoil Academy 2021 • PyCon AU • @m_holtermann JWT

  16. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy

    2021 • PyCon AU • @m_holtermann >>> import base64, json, hmac >>> key = b"snakeoil.academy" >>> data = {"uid": 123, "name": "curlyboi"} >>> payload = base64.b64encode(json.dumps(data).encode()) >>> mac = hmac.new(key, payload, digestmod="sha256") >>> payload + b"." + base64.b64encode(mac.digest()) >>> ret b'eyJ1aWQiOiAxMjMsICJuYW1lIjogImN1cmx5Ym9pIn0=.oJPUWmHZGJIXPCna082U8/SMseX+hZ5av Kjgt1TKovg=' >>> signed, signature = ret.split(b".", 1) >>> hmac.compare_digest(signature, ... base64.b64encode(hmac.new(key, signed, digestmod="sha256").digest())) True >>> json.loads(base64.b64decode(signed)) {'uid': 123, 'name': 'curlyboi'}
  17. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Mutual Authentication

  18. Snakeoil Academy 2021 • PyCon AU • @m_holtermann FIDO2 /

    WebAuthn https://www.w3.org/TR/webauthn-2/
  19. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Snakeoil Academy

    2021 • PyCon AU • @m_holtermann
  20. Snakeoil Academy 2021 • PyCon AU • @m_holtermann I! I

    who? Identification and Authentication!
  21. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Thank you!

  22. Snakeoil Academy 2021 • PyCon AU • @m_holtermann Sources •

    https://www.newscientist.com/article/dn9392-ancient-beads-imply-culture-older-than-we-thought/ • https://rss.onlinelibrary.wiley.com/doi/pdf/10.1111/j.1740-9713.2013.00706.x • https://www.smithsonianmag.com/history/tattoos-144038580/ • https://www.trulioo.com/blog/infographic-the-history-of-id-verification • https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/