Comments (8)
Sounds interesting!
And
bro,
you are truly a security fanatic(at least from my perspective.
from autobahn-python.
I copy the following content from Wiki:
"When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to be increased over time as CPU speeds increase. A Kerberos standard in 2005 recommended 4,096 iterations;[1] Apple reportedly used 2,000 for iOS 3, and 10,000 for iOS 4;[4] while LastPass in 2011 used 5,000 iterations for JavaScript clients and 100,000 iterations for server-side hashing.[5] In 2023, OWASP recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.[6]"
It seems an iteration count of 10000 may also not be sufficient. 600,000 iterations should be applied. So, 1000 is obviously not enough.
from autobahn-python.
Actually, I'm designing a new tool for detecting cryptographic vulnerabilities in Python.
And to report some vulnerabilities we have just found. You know, only for papers.
from autobahn-python.
thanks for looking closely and for your suggestions!
rgd 1.: yes, indeed, seems random.choice
would be using random.random
under the hood and the whole module is discouraged for the intended use, but using the secrets
module is encouraged.
IOW, we should use https://docs.python.org/3/library/secrets.html#secrets.choice here
The default iteration for pbkdf2 should be at least 10000,
do you have a source for that statement?
from autobahn-python.
In 2023, OWASP recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256
agreed, even though this might have "breaking consequences" for users practically - as I seem to remember, at least historically, using large number of iterations basically made the function stuck for ages depending on language/run-time .. due to maybe historically bad (performance wise) implementations ... not sure, long ago;)
however, I would like to take the chance to underline:
- WAMP-CRA, salted or not, and with or without using this specific function to generate the underlying secret, is designed and should be "safe to use" providing a modest level of security - however,
- for best-in-class / state-of-the-art security, other WAMP authentication methods should be generally preferred, e.g. WAMP-cryptosign
Further, WAMP-cryptosign should be used with the secret private key stored in a hardware secure module. Or even better: the secret should be derived inside the hardware security module using a https://en.wikipedia.org/wiki/Physical_unclonable_function
The hardware security module must be protected against even a physical attacker ... such stuff is available up to Common Criteria EAL6+ ... and Crossbar.io can be used in such settings!
For both client (== WAMP session) authentication and authorization
and
for WAMP application payload end-to-end encryption!
Only the latter takes out the router operator as a possible attacker from the point-of-view of the application sessions!
Just saying;)
from autobahn-python.
To be honest, learned a lot, LOL.
from autobahn-python.
sure! that's only part of the story though;) you know, I am an absolute no-jokes security fanatic. what are you after? are you implementing a new WAMP router?
from autobahn-python.
detecting cryptographic vulnerabilities in Python
fantastic! I'd say, this is always highly welcome! and hey, you identified an issue in this repo - and we will fix it.
of course "will fix": no one is paying for it, and I am not personally using it, so it might take time. typical OSS problem.
anyways, we - that is WAMP at the protocol level, and this implementation (Autobahn, and Crossbar.io) as well - take security very important .. a must have no discussions or excuses approach
the security goals of WAMP go far beyond mere "secure session authentication" .. we are "almost there";) as in, full application payload end-to-end encryption, thus no implicit trust of WAMP app clients into WAMP infra (routers) or anything in between
full decentralized trust management is the final layer: via Ethereum smart contracts for managing trust relations
fwiw, let me also dump 2 links which might be interesting in this context:
functional / integration testing of all WAMP authentication methods in Crossbar.io:
https://github.com/crossbario/crossbar-examples/tree/master/authentication
the Python classes internally used to abstract away the secure key storage or key ops:
autobahn-python/autobahn/wamp/interfaces.py
Line 881 in 359f868
autobahn-python/autobahn/xbr/_secmod.py
Line 271 in 359f868
I do have an implementation of ISecurityModule
using a hardware security module rather than MutableMapping
...
from autobahn-python.
Related Issues (20)
- Twisted + websockets + TLS (wss) gives "invalid certificate" in Safari (and only there)
- wss:// URIs are not recognized HOT 2
- Successful connection doesn't reset the exponential backoff state HOT 2
- Update asyncio examples HOT 1
- Rapid Cancelling Of Tasks Can Cause InvalidStateError
- Release 22.11.1 HOT 1
- Start a Client without blocking HOT 4
- Undefined behavior for using WAMP features not agreed during feature negotiation HOT 9
- Adjust CI to deploy wheels to PyPI HOT 4
- RTD build for latest broken HOT 1
- 'Distribution' object has no attribute 'convert_2to3_doctests' HOT 1
- component._stopping attribute never cleared HOT 6
- Save the chat results to the database
- Bad error handling in the autobahn_autoreconnect file
- connection lost while called for Twisted, bug-like issue HOT 8
- For version greater than `19.3.3`, autobahn is not able to run in background thread
- Autobahn and pyInstaller not compatible anymore HOT 9
- Crossbar won't start when Installed with Pip HOT 3
- "RuntimeError: Event loop is closed" when running tests with pytest-asyncio 0.23.5.post1 HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from autobahn-python.