1
00:00:00,720 --> 00:00:04,445
One of the bigger changes that came to 3.6 is the new secrets module.

2
00:00:04,445 --> 00:00:08,149
This module provides handy tools for generating random numbers, tokens, and

3
00:00:08,149 --> 00:00:09,597
other security-related data.

4
00:00:09,597 --> 00:00:12,120
Let me show you quickly how to use some of these new features, and

5
00:00:12,120 --> 00:00:14,590
I'm gonna start by importing secrets.

6
00:00:14,590 --> 00:00:17,310
The first useful thing in the secrets module is the ability to generate

7
00:00:17,310 --> 00:00:20,870
cryptographically strong random numbers and tokens.

8
00:00:20,870 --> 00:00:23,970
You would use these numbers and tokens for generating encrypted messages,

9
00:00:23,970 --> 00:00:26,870
passwords, and even further tokens.

10
00:00:26,870 --> 00:00:28,580
Now, why not use the random module?

11
00:00:28,580 --> 00:00:32,586
Well, random is meant for modeling and everyday usage like in games, not for

12
00:00:32,586 --> 00:00:34,163
security implementations.

13
00:00:34,163 --> 00:00:37,794
To get a random number, though, from the secrets module,

14
00:00:37,794 --> 00:00:42,385
you'll generally use one of two functions, randbelow and randbits.

15
00:00:42,385 --> 00:00:44,810
randbelow, as you can probably guess,

16
00:00:44,810 --> 00:00:48,680
gives you a random number below some other number.

17
00:00:48,680 --> 00:00:52,360
It's similar to random's randrange function, but again it's meant for

18
00:00:52,360 --> 00:00:54,590
use in cryptographic scenarios.

19
00:00:54,590 --> 00:00:57,300
Probably more often, though, you're going to want a random number

20
00:00:57,300 --> 00:01:00,130
of a given number of bits, so of a given size.

21
00:01:00,130 --> 00:01:02,070
If you're generating keys, for instance,

22
00:01:02,070 --> 00:01:06,320
it's really recommended to have a seed of at least 32 bytes, which would be 256 bits.
23
00:01:07,996 --> 00:01:12,230
So randbits, and then we pass in the number of bits, which we want 256 of them,

24
00:01:12,230 --> 00:01:14,460
and we get a number like that.

25
00:01:15,760 --> 00:01:20,390
Now, that 256 is for current security recommendations.

26
00:01:20,390 --> 00:01:24,780
That number is only going to go up as CPUs and GPUs become more powerful, and

27
00:01:24,780 --> 00:01:26,710
brute forcing operations get easier to use.

28
00:01:28,010 --> 00:01:30,680
There are three different functions for generating tokens, and

29
00:01:30,680 --> 00:01:34,540
each of them takes a number of bytes to use in the generation of that token.

30
00:01:34,540 --> 00:01:39,076
Well, let's get a 256-bit token, so 32 bytes.

31
00:01:39,076 --> 00:01:43,050
We can get bytes, hexadecimal, or a token that would be URL friendly.

32
00:01:43,050 --> 00:01:44,488
Let's try the hex and URL versions.

33
00:01:44,488 --> 00:01:50,323
So secrets.token_hex, and we pass in the number of bytes, and

34
00:01:50,323 --> 00:01:56,390
secrets.url, or token_urlsafe, and also the number of bytes, 32.

35
00:01:56,390 --> 00:02:00,200
So those are both handy little tokens that we could use.

36
00:02:00,200 --> 00:02:03,515
Not a lot of difference between these two; they're both the same kind of range

37
00:02:03,515 --> 00:02:04,209
of characters.

38
00:02:04,209 --> 00:02:08,048
But still a good idea to use the URL safe method when you know your token is going

39
00:02:08,048 --> 00:02:09,778
to travel across the wire in a URL.

40
00:02:09,778 --> 00:02:13,384
Now we can use these tokens, or tokens like them, to encode a message, and

41
00:02:13,384 --> 00:02:17,561
then use the secrets module to make sure the message hasn't been tampered with.

42
00:02:17,561 --> 00:02:19,061
So I'm gonna import hmac, so

43
00:02:19,061 --> 00:02:22,010
that I can generate a cryptographically secure message.
44
00:02:23,460 --> 00:02:28,470
And then I'm going to make a new token, and this time I'm going to use token_bytes

45
00:02:28,470 --> 00:02:32,820
because hmac expects a bytes string for the key.

46
00:02:33,990 --> 00:02:35,667
And again I want it to be 32 bytes.

47
00:02:35,667 --> 00:02:42,003
If I look at token, it's a bunch of bytes, and let's make msg1 = hmac.new,

48
00:02:42,003 --> 00:02:45,894
and we're going to use that token to encrypt it.

49
00:02:45,894 --> 00:02:50,290
And we have to give a message here, so I'm just gonna say 'Hi there'.

50
00:02:50,290 --> 00:02:51,780
And the message needs to be bytes as well.

51
00:02:52,870 --> 00:02:58,675
So now, let's be sneaky, and we'll do msg1.copy and make a copy of that message.

52
00:02:58,675 --> 00:03:04,313
And then we'll do msg2.update

53
00:03:04,313 --> 00:03:07,430
'Sneaky sneaky', and we'll add a new message to it.

54
00:03:08,490 --> 00:03:12,310
So now I can use secrets.compare_digest.

55
00:03:12,310 --> 00:03:18,211
And I can compare msg1.digest to msg1.digest,

56
00:03:18,211 --> 00:03:21,436
and I get that that's true.

57
00:03:21,436 --> 00:03:25,010
Because it is, it's the exact same message; that message has not changed.

58
00:03:25,010 --> 00:03:31,080
But if I compare msg1's digest to msg2's digest, I get false, since I tampered with

59
00:03:31,080 --> 00:03:34,870
the message by adding more data to it, the comparison fails for the second one.

60
00:03:34,870 --> 00:03:37,910
I'm sure the secrets module is going to get even more handy functions in

61
00:03:37,910 --> 00:03:39,670
the future, so be sure to keep your eyes on it.

62
00:03:40,745 --> 00:03:43,200
There's lots more to explore in this update to Python.

63
00:03:43,200 --> 00:03:45,170
I've linked to the release notes in the teacher's notes.

64
00:03:45,170 --> 00:03:47,580
And you should go check out the related PEPs and documentation for

65
00:03:47,580 --> 00:03:48,690
these new features.
66
00:03:48,690 --> 00:03:49,380
I'll see you next time.
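The whole session walked through above, written out as one runnable script. This is an added example, not code shown in the video: it collects the randbits / randbelow calls, the three token_* functions, and the hmac tamper check into named functions, and adds a sign/verify pair to show how compare_digest is actually used on the receiving side. Two things differ from what is typed on screen: the digest algorithm (hashlib.sha256) is passed explicitly, because hmac.new without digestmod only defaults to MD5 on old interpreters and is an error on current ones; and note that HMAC authenticates a message (detects tampering) rather than encrypting it, so the plaintext is still visible. The key sizes and the 'Hi there' / 'Sneaky sneaky' inputs are the video's; everything else is assumed.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # 32 bytes = 256 bits, the size recommended in the video


def random_number_of_bits(bits=256):
    """secrets.randbits: an integer with the given number of random bits, from the OS CSPRNG."""
    return secrets.randbits(bits)


def random_below(upper):
    """secrets.randbelow: an integer in [0, upper), the CSPRNG counterpart of random.randrange."""
    return secrets.randbelow(upper)


def make_tokens(n_bytes=KEY_BYTES):
    """The three token helpers, all seeded with the same number of random bytes.

    token_hex yields 2 characters per byte; token_urlsafe yields base64 without
    padding, so 32 bytes become 43 characters; token_bytes is raw bytes (what hmac wants).
    """
    return {
        "hex": secrets.token_hex(n_bytes),
        "urlsafe": secrets.token_urlsafe(n_bytes),
        "bytes": secrets.token_bytes(n_bytes),
    }


def sign(key, message):
    """HMAC-SHA256 tag over message. Key and message must both be bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Recompute the tag and compare in constant time.

    secrets.compare_digest (an alias of hmac.compare_digest) does not short-circuit
    on the first differing byte, so the comparison time leaks nothing about the tag.
    """
    return secrets.compare_digest(sign(key, message), tag)


def tamper_demo(key):
    """The video's experiment: copy an HMAC object, feed it extra data, compare digests.

    Returns (same_message_matches, tampered_message_matches).
    """
    msg1 = hmac.new(key, b"Hi there", hashlib.sha256)
    msg2 = msg1.copy()                 # same key, same data so far
    msg2.update(b"Sneaky sneaky")      # extra data appended to the copy
    return (
        secrets.compare_digest(msg1.digest(), msg1.digest()),  # True
        secrets.compare_digest(msg1.digest(), msg2.digest()),  # False
    )


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)   # hypothetical key, freshly generated
    print("randbits(256):", random_number_of_bits())
    print("randbelow(10):", random_below(10))
    print("tokens:", make_tokens())
    tag = sign(key, b"Hi there")
    print("verify original:", verify(key, b"Hi there", tag))
    print("verify altered :", verify(key, b"Hi there!", tag))
    print("tamper demo    :", tamper_demo(key))
```

In practice the key comes from a secret store rather than being generated next to the message, and the tag travels with the message (for instance hex-encoded via token-style encoding) so the receiver can run verify; the constant-time compare is what keeps the receiving side from leaking the expected tag byte by byte.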