How to securely verify an HMAC in Python 2.7?


Problem description


I'm using Python 2.7 and am creating an HMAC using the hmac library. Python 3.3 includes a compare_digest() function that will compare two digests and resist timing attacks, but that's not available in 2.7. Prevailing advice is not to roll my own crypto, so are there any mature Python libraries that provide that functionality? PyCrypto does not appear to.

Solution

For anyone finding this from search, if using Django, then you can also use the constant_time_compare function in django.utils.crypto.

>>> from django.utils.crypto import constant_time_compare
>>> constant_time_compare("foo", "bar")
False
>>> constant_time_compare("foo", "foo")
True

Note that this comes with the same caveat as hmac.compare_digest (and actually uses hmac.compare_digest if it exists):

Note: If a and b are of different lengths, or if an error occurs, a timing attack could theoretically reveal information about the types and lengths of a and b–but not their values.
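For code that does not depend on Django, the same check can be done with the standard library alone. This is an added example, not part of the original answer: it uses hmac.compare_digest when the interpreter provides it (Python 3.3+, and Python 2.7.7+ where it was backported) and otherwise a hypothetical pure-Python fallback, `_fallback_compare`. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac


def _fallback_compare(a, b):
    """Best-effort comparison with no early exit on the first differing byte."""
    if len(a) != len(b):
        # The length is revealed, the same caveat that compare_digest documents.
        return False
    diff = 0
    # bytearray yields integers on both Python 2 and Python 3.
    for x, y in zip(bytearray(a), bytearray(b)):
        diff |= x ^ y  # accumulate every difference instead of returning early
    return diff == 0


# Prefer the C implementation when it exists; fall back only on old interpreters.
constant_time_eq = getattr(hmac, "compare_digest", _fallback_compare)


def sign(key, message):
    """Return the raw HMAC-SHA256 tag for message under key (byte strings)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Recompute the tag and compare it to the received one without using ==."""
    expected = sign(key, message)
    return constant_time_eq(expected, tag)


# Constructed sample values for demonstration only.
KEY = b"constructed-demo-key"
MSG = b"amount=100&to=alice"
TAG = sign(KEY, MSG)

if __name__ == "__main__":
    print(verify(KEY, MSG, TAG))                     # genuine message
    print(verify(KEY, b"amount=900&to=alice", TAG))  # tampered message
    print(verify(KEY, MSG, TAG[:-1]))                # truncated tag
```

Comparing raw digests of a fixed-size hash means both inputs normally have the same length, so the length caveat quoted above only matters when a received tag is malformed.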
