views:

175

answers:

2

I'm building a centralized desktop application using Python/wxPython. One of the requirements is User authentication, which I'm trying to implement using LDAP (although this is not mandatory).

Users of the system will be mechanical and electrical engineers making budgets, and the biggest problem would be industrial espionage. Its a common problem that leaks occur commonly from the bottom on informal ways, and this could pose problems. The system is set up in such a way that every user has access to all and only the information it needs, so that no one person but the people on top has monetary information on the whole project.

The problem is that, for every way I can think to implement the authentication system, Python's openness makes me think of at least one way of bypassing/getting sensible information from the system, because "compiling" with py2exe is the closest I can get to obfuscation of the code on Windows.

I'm not really trying to hide the code, but rather make the authentication routine secure by itself, make it in such a way that access to the code doesn't mean capability to access the application. One thing I wanted to add, was some sort of code signing to the access routine, so the user can be sure that he is not running a modified client app.

One of the ways I've thought to avoid this is making a C module for the authentication, but I would rather not have to do that.

Of course this question is changing now and is not just "Could anyone point me in the right direction as to how to build a secure authentication system running on Python? Does something like this already exist?", but "How do you harden an scripting (Python) against wrongful modification?"

+1  A: 

Possibly:

  1. The user enters their credentials into the desktop client.
  2. The client says to the server: "Hi, my name username and my password is password".
  3. The server checks these.
  4. The server says to the client: "Hi, username. Here is your secret token: ..."
  5. Subsequently the client uses the secret token together with the username to "sign" communications with the server.
John Fouhy
The problem with this approach, is that I'm fearful of an attacker modifying some validation elements. Maybe I could simply validate serverside the credentials on every database request (something that is already on the design). Even as I agree with most of your recommendations, I'm really trying to see if someone comes up with ways to break this scheme. *I'm not fearful of the failures I can foresee, but rather of those that I can not*.
voyager
+3  A: 

How malicious are your users? Really.

Exactly how malicious?

If your users are evil sociopaths and can't be trusted with a desktop solution, then don't build a desktop solution. Build a web site.

If your users are ordinary users, they'll screw the environment up by installing viruses, malware and keyloggers from porn sites before they try to (a) learn Python (b) learn how your security works and (c) make a sincere effort at breaking it.

If you actually have desktop security issues (i.e., public safety, military, etc.) then rethink using the desktop.

Otherwise, relax, do the right thing, and don't worry about "scripting".

C++ programs are easier to hack because people are lazy and permit SQL injection.

S.Lott
I've come to **not** trust user input, or trust it as little as possible, but of course is one thing to not trust your users *input* and another completely different to not trust your **users**. My users will be both electrical and mechanical engineers (on an enterprise network), so they will definetly have the smarts to grasp Python (some scripting features are planned). Actually my biggest problem would be industrial espionage. May be I'm overthinking this, and trying to <analogy type='bad'>nail this down with programming, when what is needed is an organizational screwdriver.</analogy>
voyager