← Back to team overview

libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC

 

On Tue, 12 Mar 2019 at 12:29, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:

> Hi!
>
> So, the basic idea, that I already implemented as PoC, is. You request API
> keys and get a public and a secret key. You use the secret key to 'encrypt'
> the user hash. Eg.:
>
> ConfirmedEmail.objects.first().encrypted_digest(secret_key=APIKey.objects.first())
> would return something like this:
>
>
> b'736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154'
>
> In order to to this manually, you'd have to create the hash from the mail
> address, encrypt it with the secret key (I'm currently using simplecrypt
> for this) and hexlify it.
>
> Since you don't know the secret key, you have no chance to say what hash
> is behind that and absolutely no chance to guess the mail address from it.
> You'd then request from libravatar something like this:
>
>
> /avatar/736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154&key=bgixjymiejsglc5j3aghw3b78qtp7wac
>
> And even if you now see the public key and the encrypted hash, you still
> don't know anything :-)
>
> On Libravatar side, we find the corresponding secret key with the public
> key 'bgixjymiejsglc5j3aghw3b78qtp7wac' and decrypt it. I leave the rest to
> your imagination.
>
> So, now to the bad performance thing. I made some tests and this is the
> result:
>
> Encrypt digest:        1.9489854159983224
> Encrypt digest_sha256: 1.8158956080005737
> Decrypt digest:        1.6850569540038123
> Decrypt digest_sha256: 1.7364481180047733
>
> You see, it almost takes 2 seconds to encrypt or decrypt - that's
> definitely not going to work on large scale.
> I've tried to reduce the key length (currently 32) to only 10 or only 4
> chars, but that's not changing a lot.
>
> That means, that I have to probably find a better/faster encryption
> mechanism, but even if I find some, it will still hurt the performance and
> shouldn't be used everywhere, but only on security sensitive sites.
>
> The next bad thing that comes to my mind is: What about sites that run
> their own libravatar service? They wouldn't be able to handle this. And one
> cannot get public/secret key on each of these services => This would be a
> feature only available on our main instance.
> The alternative would be, that those sites with some higher security
> considerations, would encrypt the plain mail address and ask libravatar to
> decrypt and libravatar would then proxy it back...
>
> I don't know... Brain dump end (my excuse if the mail might be
> confusing...).
>

I am missing the point encrypting the hash. I could understand it for md5,
which is crackable nowdays but not quite for sha256. That hash should be
non-reversible in practical terms and then we can always just jump to
sha512 in a few years when hardware is stronger

clime


>
> Oliver
>
>
>
>
> On Tue, Mar 12, 2019 at 8:00 AM clime <clime7@xxxxxxxxx> wrote:
>
>> On Mon, 11 Mar 2019 at 19:02, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:
>>
>>> Hi!
>>>
>>> Since I got no reaction on IRC, I'm posting this here as well and would
>>> love to gather feedback:
>>>
>>> <ofalk> quick poll. fr the people who are eventually are around. if we
>>> implement something like api-keys (public/private key), that will be used
>>> for encryption and therefore no longer reveal the mail address hash, this
>>> will cost more cpu power and I'd therefore not open this feature to _all_
>>> users. how shall we give this feature to ppl? currently it's implemented as
>>> group/permission that you can assign to some specific user, but what should
>>> be the process of
>>> <ofalk> requesting it and how do we decide if we give this feature to
>>> someone?
>>>
>>
>> It sounds interesting but I, personally, would need a little bit more
>> information how it would be used and for what use-case.
>>
>>
>>>
>>> Share you mind, public or private, as you wish :-)
>>>
>>> Thanks a lot,
>>>  Oliver
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~libravatar-fans
>>> Post to     : libravatar-fans@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~libravatar-fans
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>

Follow ups

References