{ "info": { "author": "Dan Kamins", "author_email": "dos@axonchisel.net", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Other Environment", "Environment :: Web Environment", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Operating System :: OS Independent", "Programming Language :: Python :: 3", "Topic :: Internet :: WWW/HTTP :: Session", "Topic :: Security :: Cryptography" ], "description": "**Ax_Handoff: Easy secure protocol for passing encrypted structured data over \nunencrypted channels (such as URLs) while maintaining tamper-proof integrity.**\n\n//////////////////////////////////////////////////////////////////////////////\n\n==============================================================================\nOverview\n==============================================================================\n\n------------------------------------------------------------------------------\nOfficial Links\n------------------------------------------------------------------------------\n\nPython Package Index:\n https://pypi.python.org/pypi/Ax_Handoff/\n\nSource Repository & Issue Tracker:\n https://bitbucket.org/dkamins/ax_handoff/\n\nAdvanced Documentation (optional):\n https://bitbucket.org/dkamins/ax_handoff/src/default/docs/\n\n\n------------------------------------------------------------------------------\nAbout This Package\n------------------------------------------------------------------------------\n\nThis package (``axonchisel.handoff`` a.k.a. ``Ax_Handoff``) provides a low\nlevel protocol and a high level wrapper encapsulating a number of complex\nfeatures provided by other libraries and exposes a simple interface\nthat allows a developer to exchange or \"hand off\" secure chunks of\nflexibly structured data (anything JSON-able) over untrusted \ncommunication channels between distributed components of a system.\n\nThe intricate details of thoroughly applied cryptography (AES encryption\nand SHA-family hashes) (more `on crypto`_ below) and compression (gzip) are\nhidden from the developer\nintegrating with this code such that the requirement of handing off chunks\nof data in this manner becomes trivial and secure with little effort \nrequired and less than 5 lines of code (see `code samples`_ below!).\n\nA primary motivation for this package is the case where a user\nis redirected from one web app to another on a different domain\n(i.e. where cookies cannot be shared) but important information\nmust be transmitted with guaranteed integrity and total opaqueness,\nand other mechanisms (such as shared state or out-of-band data exchange)\nare not possible or not desired.\n\n\n------------------------------------------------------------------------------\nStatus\n------------------------------------------------------------------------------\n\nThis library passes rigorous unit tests, is considered production-ready,\nand has been used in live production systems for over a year.\nAs of this release, no security vulnerabilities or bugs have been identified.\nIn 2019, the original 2011 library was upgraded from Python 2 to Python 3.\n\n\n------------------------------------------------------------------------------\nExamples of Use\n------------------------------------------------------------------------------\n\n- A user linking to a supplemental 3rd party support or download \n hosted web service site that offers content based on the user's\n subscription level, location, and other metadata.\n\n- Exchanging session data (including logged in status) between two\n web apps managed by the same company but served by different platforms\n with no shared resources (often called \"Single Sign On\").\n\n- Saving state in cookies that is not intended for users to\n see or modify in any way.\n\n- Embedding complex data in links included in e-mails.\n\n\n------------------------------------------------------------------------------\nHow it Works\n------------------------------------------------------------------------------\n\nOne or more distributed components maintain a shared secret pass phrase.\n\nAx_Handoff converts a (JSON-congruent) Python object to JSON, \ncompresses it, encrypts it, signs it, and packs it up into a custom \nenvelope resulting in a guaranteed URL-safe string suitable for passing as \nquery params.\n\nUpon unpacking, integrity is verified, and the original JSON restored\nas a Python object (or other object in non-Python environments).\n\n\n------------------------------------------------------------------------------\nInstallation\n------------------------------------------------------------------------------\n\nThe recommended way of installing this package is with \"pip\"::\n\n $ pip install pycrypto\n $ pip install Ax_Handoff\n\nThat's it.\n\nIf you don't have/want/like pip or that seems too easy for you,\nthen you should first download and install\nPyCrypto from https://www.dlitz.net/software/pycrypto/.\nThen download this (``Ax_Handoff``) package source and either copy/symlink the ``axonchisel`` \ndirectory from this package into your Python path or run::\n\n $ python setup.py install\n\n\n//////////////////////////////////////////////////////////////////////////////\n\n\n.. _code samples:\n\n==============================================================================\nShow me the code!\n==============================================================================\n\n-----------------------------------\nEncoding / decoding complex objects\n-----------------------------------\n\nThis brief example shows how easy it is to encode and decode complex objects::\n\n from axonchisel.handoff.object import Ax_Handoff\n\n secret = \"mY s3cR3t p@$s phr@s3! Unb-b-b-re@k@ble!!\"\n obj1 = {'foo': \"Big Foo\", 'bar': [10, 20.5, 30]}\n\n # Encode:\n enc = Ax_Handoff.encode(obj1, secret)\n # enc = 'XHADPtqHlzJuuFBpFnTmBz8Uk3tYTczT1oChKQyho9flBqlRbSTSgXBybJ59CI1N4_wnGl3nsuMwJ7ItMxixm8H9bCIsjv5M00At1rElGvuuJ7u4v4WAHX'\n\n # And decode back again:\n obj2 = Ax_Handoff.decode(enc, secret)\n # obj2 = {u'foo': u'Big Foo', u'bar': [10, 20.5, 30]}\n\n-----------------------------------------------\nUsed with URLs for handing off between web apps\n-----------------------------------------------\n\nUse it in a URL::\n\n url = \"https://my.app2.com/xfer/?data=\" + Ax_Handoff.encode(user_data, shared_secret)\n redirect_to(url)\n\nAnd on the receiving end::\n\n user_data = Ax_Handoff.decode(request.get('data'), shared_secret)\n\n\n\n//////////////////////////////////////////////////////////////////////////////\n\n\n==============================================================================\nDetails, Details\n==============================================================================\n\n------------------------------------------------------------------------------\nRequirements\n------------------------------------------------------------------------------\n\n- Python 3.6 is required.\n\n- PyCrypto (>=2.3) is required. To install PyCrypto, try one of:\n\n - Run \"pip install pycrypto\" at the command prompt.\n - Download from https://www.dlitz.net/software/pycrypto/\n and follow installation instructions.\n\n\n------------------------------------------------------------------------------\nProtocol Variants\n------------------------------------------------------------------------------\n\nAx_Handoff currently (as of 3.1.0) supports two protocol variants.\nWhen using the recommended object level API, the variant may optionally\nbe specified at encoding time, and is automatically detected when decoding.\n\n- Variant 'A' (default full): \n\n - Full original standard (default) Ax_Handoff protocol.\n - Includes encryption, compression, signing.\n - Compatible with previous versions of Ax_Handoff.\n \n- Variant 'B' (minimial):\n\n - Simplified concise version of Ax_Handoff protocol.\n - Includes compression and signing, but not encryption.\n - Faster to encode/decode due to lack of AES.\n - Shorter encoded strings (by ~20-40 chars) due to lack of AES iv + padding.\n - Easier integration with platforms without good AES support.\n\n\n\n------------------------------------------------------------------------------\nLicense\n------------------------------------------------------------------------------\n\nThis open-source software is offered for free under standard MIT license\nas contained in the LICENSE.txt file and described here:\nSee: https://opensource.org/licenses/mit-license.php\n\n\n\n------------------------------------------------------------------------------\nHistory\n------------------------------------------------------------------------------\n\n3.1.0 (2019-02-11)\n------------------\n\n- Upgrade library to Python 3 (3.7 tested).\n\n\n1.1.3 (2012-12-24)\n------------------\n\n- Refactor to support multiple protocol variants.\n- Inclusion of new 'B' minimal (non-encrypting) variant.\n- Miscellaneous cleanup.\n- Status update to \"production ready\".\n\n\n1.0.1 (2011-06-11)\n------------------\n\n- Fix over-aggressive type checking of encrypted text.\n- Fix README dates.\n\n\n1.0.0 (2011-06-11)\n------------------\n\n- Official v1 release.\n\n\n0.9.4 (2011-06-10)\n------------------\n\n- Support for unicode secret phrases.\n- Friendlier errors for invalid types.\n- Crypto doc clarifications following positive security review.\n- Major documentation update and formatting.\n- Code cleanup.\n\n\n0.8.4 (2011-06-08)\n------------------\n\n- First public preview release.\n\n\n\n\n------------------------------------------------------------------------------\nBugs, Requests, Feedback, and Contributions\n------------------------------------------------------------------------------\n\nIf you find any bugs or have feedback, please use our issue tracker:\n\n https://bitbucket.org/dkamins/ax_handoff/issues\n\nYou may also e-mail the author directly:\n\n Dan Kamins \n\nWhile you're free to fork this project, \nif you'd like to contribute, please send an e-mail first to one of the \nauthors.\nIf you have patches, let us know and we'll roll them into the next release.\nOur source repository is at:\n\n https://bitbucket.org/dkamins/ax_handoff/\n\nLastly, if you use this code for something interesting, drop us a line too!\n\n------------------------------------------------------------------------------\nAdditional Documentation\n------------------------------------------------------------------------------\n\nExtensive clear documentation, cryptographic analysis, protocol \nspecification, module overview, and more are available in the ``docs`` \ndirectory of this distribution.\n\n\n//////////////////////////////////////////////////////////////////////////////\n\n\n.. _on crypto:\n\n==============================================================================\nCryptography Survey (or \"Why should I trust this library?\")\n==============================================================================\n\n------------------\nHow crypto is used\n------------------\n\n- Data encryption uses AES-128 (CBC mode) with random initialization vector.\n AES-128 is chosen over AES-256 due to recently discovered attacks\n (Biryukov and Khovratovich, 2009), making AES-128 preferable for now\n (Schneier, 2009).\n\n- HMAC(SHA-1) is used for data integrity to sign the encrypted payload and\n prevent tampering, truncation, or errors in transit.\n\n- Because HMAC is verified prior to decryption, the known CBC attack\n \"Padding Oracle\" (Vaudenay, Eurocrypt 2002) is not applicable.\n\n- The AES initialization vector is random bytes (from os.urandom) which are \n then further hashed to avoid potential RNG pattern analysis attacks on \n potentially deficient random sources.\n\n- Keys for AES-128 and HMAC(SHA-1) are generated by extracting bits from\n the SHA-256 and SHA-512 hashes of the secret phrase, respectively.\n\n-----------\nOther notes\n-----------\n\n- PBKDF2 is not used mainly to minimize external dependencies and keep\n code size and potential bugs down. Due to HMAC signature of the encrypted\n stream and sufficient entropy of arbitrary pass phrases, this is not\n considered to be a vulnerability.\n\n- As a further measure of precaution, clients are advised to avoid\n sharing details of possible decoding errors with end users who may \n in the future find ways of using this information for new attacks.\n\n- Details of the protocol specification sufficient to re-implement,\n interoperate with, or audit are provided in the ``docs/protocol.rst`` file.\n\n\n//////////////////////////////////////////////////////////////////////////////\n\nCopyright (c) 2012 Dan Kamins, AxonChisel.net", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://bitbucket.org/dkamins/ax_handoff/", "keywords": "encryption,cryptography,single-sign-on,SSO,distributed,handoff,url", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "Ax-Handoff", "package_url": "https://pypi.org/project/Ax-Handoff/", "platform": "", "project_url": "https://pypi.org/project/Ax-Handoff/", "project_urls": { "Homepage": "https://bitbucket.org/dkamins/ax_handoff/" }, "release_url": "https://pypi.org/project/Ax-Handoff/3.1.0/", "requires_dist": null, "requires_python": "", "summary": "Easy secure protocol for passing encrypted structured data over unencrypted channels (such as URLs) while maintaining tamper-proof integrity.", "version": "3.1.0" }, "last_serial": 4853426, "releases": { "1.0.1": [ { "comment_text": "", "digests": { "md5": "f87a8baa8b1dc855cfcca6f7b5e28957", "sha256": "819c8bab1b471173ec8a64ee92e7513165251c5f0e9ad66acb8e27a39fb4df0c" }, "downloads": -1, "filename": "Ax_Handoff-1.0.1.tar.gz", "has_sig": false, "md5_digest": "f87a8baa8b1dc855cfcca6f7b5e28957", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15912, "upload_time": "2011-06-12T05:07:28", "url": "https://files.pythonhosted.org/packages/cb/01/5454211d54cea7c5138c0b8d3884e41882d59cde1df03186c740e0287b5b/Ax_Handoff-1.0.1.tar.gz" } ], "1.1.3": [ { "comment_text": "", "digests": { "md5": "25f1685f172cd49776d8e3c96aed9cdb", "sha256": "3ef1372e743ba12b5fc2a61bd4f8736eba603b2c9b9868d30a3e9c9360a2dbb5" }, "downloads": -1, "filename": "Ax_Handoff-1.1.3.tar.gz", "has_sig": false, "md5_digest": "25f1685f172cd49776d8e3c96aed9cdb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16921, "upload_time": "2012-12-25T00:18:08", "url": "https://files.pythonhosted.org/packages/80/12/4b89ad46dd2ed8dd9cfe7cd7c08c220efa8eaac5aaea5018f120e4f5437f/Ax_Handoff-1.1.3.tar.gz" } ], "3.1.0": [ { "comment_text": "", "digests": { "md5": "d9ee6afe2450577d46b0689abe93adb5", "sha256": "facd38d465ebeeccc2cf36b5701b205e9c25ed76b7d6795078e35b57e38e1f1f" }, "downloads": -1, "filename": "Ax_Handoff-3.1.0.tar.gz", "has_sig": false, "md5_digest": "d9ee6afe2450577d46b0689abe93adb5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17503, "upload_time": "2019-02-22T08:00:53", "url": "https://files.pythonhosted.org/packages/0a/a4/16b014340cf5d15061943ff9442726752d992126373b77fd27870286b889/Ax_Handoff-3.1.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "d9ee6afe2450577d46b0689abe93adb5", "sha256": "facd38d465ebeeccc2cf36b5701b205e9c25ed76b7d6795078e35b57e38e1f1f" }, "downloads": -1, "filename": "Ax_Handoff-3.1.0.tar.gz", "has_sig": false, "md5_digest": "d9ee6afe2450577d46b0689abe93adb5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17503, "upload_time": "2019-02-22T08:00:53", "url": "https://files.pythonhosted.org/packages/0a/a4/16b014340cf5d15061943ff9442726752d992126373b77fd27870286b889/Ax_Handoff-3.1.0.tar.gz" } ] }