I can't think of a way to do this, not sure it is possible but I feel as
though I might not know what I don't know.

I want to share an example of a python script, to run it needs a google
username and password. Is there a way for me to encrypt my username and
password in the source code? I thought about openID but don't really know
anything about it.

*Vincent Davis
720-301-3003 *
vincent at vincentdavis.net
my blog <http://vincentdavis.net> |
LinkedIn<http://www.linkedin.com/in/vincentdavis>


  • Chris Rebert at May 6, 2010 at 1:44 am

    On Wed, May 5, 2010 at 6:12 PM, Vincent Davis wrote:
    I can't think of a way to do this, not sure it is possible but I feel as though I might not know what I don't know.
    I want to share an example of a python script, to run it needs a google username and password. Is there a way for me to encrypt my username and password in the source code? I thought about openID but don't really know anything about it.

    Nope. What you're asking for is essentially a form of DRM by including
    the information in a way the program can use it but the user can't
    extract it; DRM schemes have been broken many times and the idea is
    flawed even in theory, for if a person has control of their computer
    (or in the limit case, at least physical access to its innards), they
    can just watch the computation (e.g. memory snoop) until the data gets
    converted to its plain form so the program can actually utilize it,
    and then bada-bing, they have your valuable data.

    Think of it this way. If you encrypted the information in your
    program, the program would need to be able to decrypt it later so it
    could actually use the login info. For it to be able to do that, you'd
    have to include the encryption key in plaintext somewhere in the
    program so it could pass it into the decryption algorithm. But then
    someone can put 2 and 2 together, see that "there's his key!", and
    decrypt your info using the key. So, to prevent this, the key *itself*
    would then have to be encrypted...by another key, which again would be
    stored in plaintext in your program somewhere, where someone could
    then find it and use it to decrypt the first key and then your data,
    so you use yet another key to encrypt that key...(as you can see, this
    goes on ad infinitum, and thus the whole scheme is doomed). See also
    section 1, "DRM Systems Don't Work", of
    http://changethis.com/manifesto/show/4.DRM

    You can alternatively just try to obfuscate it, but that's obviously
    not truly secure and is likewise easily circumvented.

    Just let the user input their own Google Account info. If you're
    trying to show an example that depends on your own exact account, just
    include a transcript of your terminal session (omitting your Google
    Account info obviously).

    Cheers,
    Chris
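
The key-regress argument above and the recommended alternative, as an added example that is not part of the original thread. The XOR routine is a toy stand-in for any cipher, and the key value, the `EXAMPLE_GOOGLE_*` environment variable names and all function names are assumptions made for illustration.

```python
import base64
import getpass
import itertools
import os

# Constructed sample value: whatever key the script needs must ship with it.
EMBEDDED_KEY = b"key-shipped-with-the-script"


def _xor(data: bytes, key: bytes) -> bytes:
    # Toy cipher; the argument is the same for any algorithm.
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def author_embeds(password: str) -> str:
    """What the author would paste into the source instead of the plaintext."""
    return base64.b64encode(_xor(password.encode(), EMBEDDED_KEY)).decode()


def script_decrypts(blob: str) -> str:
    """What the shipped script must run before it can log in.

    It uses only values present in the file, so every reader can run it too.
    """
    return _xor(base64.b64decode(blob), EMBEDDED_KEY).decode()


PLACEHOLDERS = {"", "changeme", "YOUR_USERNAME", "YOUR_PASSWORD"}


def load_user_credentials(env=os.environ, prompt=getpass.getpass, ask_user=input):
    """Alternative: ship no secret; each user supplies their own account."""
    user = (env.get("EXAMPLE_GOOGLE_USER") or ask_user("Google username: ")).strip()
    password = env.get("EXAMPLE_GOOGLE_PASSWORD") or prompt("Google password: ")
    if user in PLACEHOLDERS or password in PLACEHOLDERS:
        raise ValueError("supply your own account details; none ship with this script")
    return user, password
```
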
  • Tim Chase at May 6, 2010 at 1:48 am

    On 05/05/2010 08:12 PM, Vincent Davis wrote:
    I can't think of a way to do this, not sure it is possible but I feel as
    though I might not know what I don't know.

    I want to share an example of a python script, to run it needs a google
    username and password. Is there a way for me to encrypt my username and
    password in the source code?

    No-ish. You can encrypt it, but if you encrypt it, you need to
    include the keys or algorithm for decrypting it, and all it takes
    is a pdb.set_trace() before the decrypted uname/pwd get sent to
    Google to get it, and poof all your encryption/decryption has
    been in vain:

    uname = SUPER_ENCRYPTED_USER
    pwd = SUPER_ENCRYPTED_PASSWORD
    u = secret_decrypt(uname)
    p = secret_decrypt(pwd)
    # regardless of how good the stuff above is
    # you're vulnerable right here:
    # print "%r %r" % (u, p)
    do_google_stuff(u, p)

    Unless the Google API you're using allows for chain-of-authority
    creation of sub-credentials (so your account creates secondary
    accounts that are then distributed in your code/config files and
    managed via your dev login), two possibilities that come to mind:

    1) put in a bogus uname/password and make them get their own
    Google login to put in (which can be done in a config file if
    they're squeamish about editing source code). This assumes that
    any arbitrary Google login can grant access to what you want
    (sometimes this is a developer key, in which case the user would
    need to get their own dev key).

    2) create a web-service on a server somewhere that has your
    credentials, but your distributed code merely hits this web
    service instead of having your actual credentials in the source
    (plain-text or encrypted). The server would have them (I'd just
    put them in plain-text -- no need to be fancy. If you can't
    trust your hosting service, don't use them) but you wouldn't
    expose the credentials outside the application.

    -tkc
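
Option 2 above, sketched as an added example that is not code from the thread: a small service holds the credential and exposes one narrow operation, while the distributed client carries only the service address. The `/search` endpoint, the `EXAMPLE_UPSTREAM_PASSWORD` variable and `call_upstream` (a stand-in for the real Google call) are assumptions.

```python
import http.client
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Server side only: the credential comes from the server's environment.
# The fallback is a constructed sample so the demo runs offline.
SERVER_SECRET = os.environ.get("EXAMPLE_UPSTREAM_PASSWORD", "constructed-sample-secret")

def call_upstream(password: str, query: str) -> dict:
    """Hypothetical stand-in for the authenticated call to Google."""
    return {"query": query, "items": [query.upper()]}

class CredentialProxy(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if self.path != "/search" or not 0 < length <= 1024:
            self.send_error(404)  # one narrow operation, small bodies only
            return
        try:
            query = json.loads(self.rfile.read(length))["query"]
            if not isinstance(query, str):
                raise TypeError("query must be a string")
        except (ValueError, KeyError, TypeError):
            self.send_error(400)
            return
        body = json.dumps(call_upstream(SERVER_SECRET, query)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_proxy() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), CredentialProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def distributed_client(port: int, query):
    """What ships to users: knows the service address, holds no credential."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/search", body=json.dumps({"query": query}),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    status, data = resp.status, resp.read()
    conn.close()
    return status, data
```

Anyone who can reach the endpoint can act through the account behind it, so a deployed service of this kind also needs caller authentication and rate limiting.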
  • Vincent Davis at May 6, 2010 at 3:10 am
    Thanks for the replies, I thought the answer was no.
    Vincent

Discussion Overview
group: python-list @
categories: python
posted: May 6, '10 at 1:12a
active: May 6, '10 at 3:10a
posts: 4
users: 3
website: python.org
