Secrets (3:49) with Kenneth Love
Last, but not least, Python has a new module `secrets`. This module has handy tools for generating cryptographically strong random numbers and tokens.
One of the bigger changes that came to 3.6 is the new secrets module. This module provides handy tools for generating random numbers, tokens, and other security related data. Let me show you quickly how to use some of these new features, and I'm gonna start by importing secrets.

The first useful thing in the secrets module is the ability to generate cryptographically strong random numbers and tokens. You would use these numbers and tokens for generating encrypted messages, passwords, and even further tokens. Now, why not use the random module? Well, random is meant for modeling in everyday usage like in games, not for security implementations.

To get a random number from the secrets module, you'll generally use one of two functions, randbelow and randbits. randbelow, as you can probably guess, gives you a random number below some other number. It's similar to random's randrange function, but again it's meant for use in cryptographic scenarios. Probably more often though, you're going to want a random number of a given number of bits, so of a given size. If you're generating keys, for instance, it's really recommended to have a seed of at least 32 bytes, which would be 256 bits. So randbits, and then we pass in the number of bits, which we want 256 of them, and we get a number like that. Now that 256 is for current security recommendations. That number is only going to go up as CPUs and GPUs become more powerful, and brute forcing operations get easier to use.

There are three different functions for generating tokens, and each of them takes a number of tokens to use in the generation of that token. Well, let's get a 256 bit token, so 32 bytes. We can get bytes, hexadecimal, or a token that would be URL friendly. Let's try the hex and URL versions. So secrets.token_hex, and we pass in the number of bytes, and secrets.url, or token_urlsafe, and also the number of bytes, 32. So those are both handy little tokens that we could use. Not a lot of difference between these two, like they're both the same kind of range of characters. But still a good idea to use the URL safe method when you know your token is going to travel across the wire in a URL.

Now we can use these tokens, or tokens like them, to encode a message, and then use the secrets module to make sure the message hasn't been tampered with. So I'm gonna import hmac, so that I can generate a cryptographically secure message. And then I'm going to get a new token, and this time I'm going to use the token bytes, because hmac expects a bytes string for the key. And again I want it to be 32 bytes. If I look at token, it's a bunch of bytes, and let's make msg1 = hmac.new, and we're going to use that token to encrypt it. And we have to give a message here, so I'm just gonna say 'Hi there'. And the message needs to be bytes as well. So now, let's be sneaky, and we'll do msg1.copy and make a copy of that message. And then we'll do msg2.update 'Sneaky sneaky', and we'll add a new message to it. So now I can use secrets.compare_digest. And I can compare msg1.digest to msg1.digest, and I get that that's true. Because it is, it's the exact same message; that message has not changed. But if I compare msg1's digest to msg2's digest, I get false, since I tampered with the message by adding more data to it, the comparison fails for the second one.

I'm sure the secrets module is going to get even more handy functions in the future, so be sure to keep your eyes on it. There's lots more to explore in this update to Python. I've linked to the release notes in the teacher's notes. And you should go check out the related PEPs and documentation for these new features. I'll see you next time.
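The key, HMAC and compare_digest flow from the video, written out as an added example (not the video's own code). It spells out the digestmod argument that hmac.new requires in current Python, and shows that tampering with the message or using a different key both fail verification; the function names and the appended text are my own.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # 256 bits, the key size recommended in the video


def new_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG (secrets, never random)."""
    return secrets.token_bytes(KEY_BYTES)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message. digestmod is mandatory in Python 3.8+."""
    return hmac.new(key, message, digestmod=hashlib.sha256).digest()


def verify(key: bytes, message: bytes, expected_tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time.

    secrets.compare_digest avoids the early-exit timing leak of ==.
    """
    return secrets.compare_digest(tag(key, message), expected_tag)


def demo() -> dict:
    """Run the checks from the video on a constructed message and return them."""
    key = new_key()
    original = b"Hi there"
    t = tag(key, original)
    tampered = original + b"Sneaky sneaky"  # same trick as msg2.update in the video
    return {
        "key_bits": len(key) * 8,
        "randbits_fits_256": secrets.randbits(256).bit_length() <= 256,
        "randbelow_in_range": 0 <= secrets.randbelow(10) < 10,
        "token_hex_len": len(secrets.token_hex(KEY_BYTES)),      # 2 chars per byte
        "token_urlsafe_len": len(secrets.token_urlsafe(KEY_BYTES)),  # base64, no padding
        "original_verifies": verify(key, original, t),
        "tampered_verifies": verify(key, tampered, t),
        "wrong_key_verifies": verify(new_key(), original, t),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```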