
libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC


Hi!

So, the basic idea, which I already implemented as a PoC, is: you request API
keys and get a public and a secret key. You use the secret key to 'encrypt'
the user hash. E.g.:

ConfirmedEmail.objects.first().encrypted_digest(secret_key=APIKey.objects.first())
would return something like this:


b'736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154'

In order to do this manually, you'd have to create the hash from the mail
address, encrypt it with the secret key (I'm currently using simplecrypt
for this) and hexlify it.

Since you don't know the secret key, you have no chance to say what hash is
behind that and absolutely no chance to guess the mail address from it.
You'd then request from libravatar something like this:


/avatar/736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154&key=bgixjymiejsglc5j3aghw3b78qtp7wac

And even if you now see the public key and the encrypted hash, you still
don't know anything :-)

On Libravatar side, we find the corresponding secret key with the public
key 'bgixjymiejsglc5j3aghw3b78qtp7wac' and decrypt it. I leave the rest to
your imagination.

So, now to the bad performance thing. I made some tests and this is the
result:

Encrypt digest:        1.9489854159983224
Encrypt digest_sha256: 1.8158956080005737
Decrypt digest:        1.6850569540038123
Decrypt digest_sha256: 1.7364481180047733

You see, it almost takes 2 seconds to encrypt or decrypt - that's
definitely not going to work on large scale.
I've tried to reduce the key length (currently 32) to only 10 or only 4
chars, but that's not changing a lot.

That means that I probably have to find a better/faster encryption
mechanism, but even if I find one, it will still hurt performance and
shouldn't be used everywhere, only on security-sensitive sites.

The next bad thing that comes to my mind is: what about sites that run
their own libravatar service? They wouldn't be able to handle this. And one
cannot get a public/secret key on each of these services => this would be a
feature only available on our main instance.
The alternative would be that those sites with higher security
considerations would encrypt the plain mail address and ask libravatar to
decrypt it, and libravatar would then proxy it back...

I don't know... Brain dump end (apologies if the mail is
confusing...).

Oliver
On Tue, Mar 12, 2019 at 8:00 AM clime <clime7@xxxxxxxxx> wrote:

> On Mon, 11 Mar 2019 at 19:02, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:
>
>> Hi!
>>
>> Since I got no reaction on IRC, I'm posting this here as well and would
>> love to gather feedback:
>>
>> <ofalk> quick poll. for the people who are eventually around. if we
>> implement something like api-keys (public/private key), that will be used
>> for encryption and therefore no longer reveal the mail address hash, this
>> will cost more cpu power and I'd therefore not open this feature to _all_
>> users. how shall we give this feature to ppl? currently it's implemented as
>> group/permission that you can assign to some specific user, but what should
>> be the process of
>> <ofalk> requesting it and how do we decide if we give this feature to
>> someone?
>>
>
> It sounds interesting but I, personally, would need a little bit more
> information on how it would be used and for what use-case.
>
>
>>
>> Share your mind, public or private, as you wish :-)
>>
>> Thanks a lot,
>>  Oliver
>> _______________________________________________
>> Mailing list: https://launchpad.net/~libravatar-fans
>> Post to     : libravatar-fans@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~libravatar-fans
>> More help   : https://help.launchpad.net/ListHelp
>>
>
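The key-pair scheme Oliver sketches above (the client hides the avatar hash with the secret key, the Libravatar side finds the secret by the public key and decrypts), as an added example that is not the project's or the author's code: it uses only the Python standard library, an HMAC-SHA256 keystream with a random nonce plus an HMAC tag standing in for a proper AEAD such as AES-GCM, and derives the working keys with one cheap HMAC instead of a password-stretching KDF, which is (assumption) where a library like simplecrypt spends most of the measured time. The `APIKey` dataclass and all function names are constructed for this example, not the project's models.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

@dataclass
class APIKey:
    public_key: str  # identifier the client sends as &key=...
    secret: bytes    # 32 random bytes, known only to the issuing Libravatar instance

def issue_api_key() -> APIKey:
    """Mint a pair: public lookup id plus random secret (constructed stand-in for the APIKey model)."""
    return APIKey(public_key=secrets.token_hex(16), secret=secrets.token_bytes(32))

def _subkeys(secret: bytes):
    """Derive separate encryption and MAC keys from the API secret (one cheap HMAC each, no stretching)."""
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream; stand-in for a real AEAD such as AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_digest(digest_hex: str, api_key: APIKey) -> str:
    """Client side: hide a hex avatar hash as hex(nonce || ciphertext || tag), encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(api_key.secret)
    plain = bytes.fromhex(digest_hex)
    nonce = os.urandom(16)  # fresh per request, so the same hash never produces the same token
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return (nonce + cipher + tag).hex()

def decrypt_digest(token_hex: str, public_key: str, keys: dict):
    """Server side: look up the secret by public key, verify the tag, recover the hash; None on failure."""
    api_key = keys.get(public_key)
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return None
    if api_key is None or len(raw) < 16 + 32:
        return None
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _subkeys(api_key.secret)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()):
        return None  # tampered token or wrong key: reject before using the plaintext
    return bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, nonce, len(cipher)))).hex()
```

Two consequences for the design under discussion: the random nonce means the same mail hash yields a different token on every request, so the token cannot be reused as a stable tracking identifier, and the tag check rejects tampered or wrong-key tokens before any avatar lookup runs.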
