.. image:: https://github.com/MatthiasValvekens/python-pae/workflows/pytest/badge.svg
:target: https://github.com/MatthiasValvekens/python-pae
:alt: pytest status
.. image:: https://codecov.io/gh/MatthiasValvekens/python-pae/branch/master/graph/badge.svg?token=XPRS49L0X6
:target: https://codecov.io/gh/MatthiasValvekens/python-pae
:alt: Coverage status
.. image:: https://readthedocs.org/projects/python-pae/badge/?version=latest
:target: https://python-pae.readthedocs.io/en/latest/?badge=latest
:alt: Documentation Status
Pre-authentication encoding in Python
=====================================
This minimal library offers an implementation of (a variant of)
`PASETO <https://github.com/paragonie/paseto>`_'s pre-authentication encoding
(PAE) scheme in Python, with some extra tools to handle data types other than lists of byte arrays.
Why use pre-authentication encoding?
------------------------------------
When passing around data between services, it's often necessary to authenticate and validate
encoded messages. When those messages are flat byte streams, that's easy enough. However,
when authenticating complex data structures with many fields (some of which may be optional or
perhaps exempt from authentication), the input data must first be serialised before it can
be passed on to the authentication mechanism.
The interchange formats that are commonly used to hold such complex data in transit between web
services (e.g. JSON or HTTP query parameters) are poorly suited for this task.
Naively concatenating all inputs before authentication is typically not a good idea, since
it can lead to vulnerabilities through
`length extension attacks <https://en.wikipedia.org/wiki/Length_extension_attack>`_
or other types of `canonicalisation attacks <https://soatok.blog/2021/07/30/canonicalization-attacks-against-macs-and-signatures/>`_.
Pre-authentication encoding (PAE) can help you protect yourself against a large class of such
exploits, by explicitly making the *number* of data fields and the *length* of each field part of
the data covered by the MAC/signature.
PAE can be used explicitly or implicitly. In the explicit case, PAE serves as both the interchange
format and the authentication format.
In the implicit case, PAE is used to preprocess data in some other container format before
signing/authenticating it, but its output isn't transmitted directly.
A typical use case would be a ``signature`` entry in a JSON object that authenticates one or more
of its sibling entries. The signature value would then be computed by applying PAE to the
authenticated sibling entries, and passing the result to the signature algorithm.
Requirements
------------
Requires Python 3.7 or later.
Notes
-----
This library has no runtime dependencies, and does not supply any cryptographic operations.
Its main purpose is to preprocess complex data structures before authenticating their contents
using a MAC or digital signature. The actual authentication mechanism is out of scope, and left
to the caller.
This library also does not offer any abstractions to handle token expiration, revocation,
algorithm selection or anything of the sort.
Stability
---------
Experimental.
Links
-----
- `Homepage <https://github.com/MatthiasValvekens/python-pae>`_
- `Documentation <https://python-pae.readthedocs.io/en/latest/index.html>`_
- `PyPI <https://pypi.org/project/python-pae/>`_
Raw data
{
"_id": null,
"home_page": "https://github.com/MatthiasValvekens/python-pae",
"name": "python-pae",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7,<4.0",
"maintainer_email": "",
"keywords": "",
"author": "Matthias Valvekens",
"author_email": "dev@mvalvekens.be",
"download_url": "https://files.pythonhosted.org/packages/e6/d5/545481c1fcadd7c293bd1c07b2a5ddb29f9da09934153596dbc9513f9b81/python-pae-0.1.0.tar.gz",
"platform": "",
"description": ".. image:: https://github.com/MatthiasValvekens/python-pae/workflows/pytest/badge.svg\n :target: https://github.com/MatthiasValvekens/python-pae\n :alt: pytest status\n\n.. image:: https://codecov.io/gh/MatthiasValvekens/python-pae/branch/master/graph/badge.svg?token=XPRS49L0X6\n :target: https://codecov.io/gh/MatthiasValvekens/python-pae\n :alt: Coverage status\n\n.. image:: https://readthedocs.org/projects/python-pae/badge/?version=latest\n :target: https://python-pae.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\nPre-authentication encoding in Python\n=====================================\n\nThis minimal library offers an implementation of (a variant of)\n`PASETO <https://github.com/paragonie/paseto>`_'s pre-authentication encoding\n(PAE) scheme in Python, with some extra tools to handle data types other than lists of byte arrays.\n\n\nWhy use pre-authentication encoding?\n------------------------------------\n\nWhen passing around data between services, it's often necessary to authenticate and validate\nencoded messages. When those messages are flat byte streams, that's easy enough. However,\nwhen authenticating complex data structures with many fields (some of which may be optional or\nperhaps exempt from authentication), the input data must first be serialised before it can\nbe passed on to the authentication mechanism.\nThe interchange formats that are commonly used to hold such complex data in transit between web\nservices (e.g. JSON or HTTP query parameters) are poorly suited for this task.\n\nNaively concatenating all inputs before authentication is typically not a good idea, since\nit can lead to vulnerabilities through\n`length extension attacks <https://en.wikipedia.org/wiki/Length_extension_attack>`_\nor other types of `canonicalisation attacks <https://soatok.blog/2021/07/30/canonicalization-attacks-against-macs-and-signatures/>`_.\n\nPre-authentication encoding (PAE) can help you protect yourself against a large class of such\nexploits, by explicitly making the *number* of data fields and the *length* of each field part of\nthe data covered by the MAC/signature.\n\nPAE can be used explicitly or implicitly. In the explicit case, PAE serves as both the interchange\nformat and the authentication format.\nIn the implicit case, PAE is used to preprocess data in some other container format before\nsigning/authenticating it, but its output isn't transmitted directly.\n\nA typical use case would be a ``signature`` entry in a JSON object that authenticates one or more\nof its sibling entries. The signature value would then be computed by applying PAE to the\nauthenticated sibling entries, and passing the result to the signature algorithm.\n\n\nRequirements\n------------\n\nRequires Python 3.7 or later.\n\n\nNotes\n-----\n\nThis library has no runtime dependencies, and does not supply any cryptographic operations.\nIts main purpose is to preprocess complex data structures before authenticating their contents\nusing a MAC or digital signature. The actual authentication mechanism is out of scope, and left\nto the caller.\nThis library also does not offer any abstractions to handle token expiration, revocation,\nalgorithm selection or anything of the sort.\n\n\nStability\n---------\n\nExperimental.\n\n\nLinks\n-----\n\n - `Homepage <https://github.com/MatthiasValvekens/python-pae>`_\n - `Documentation <https://python-pae.readthedocs.io/en/latest/index.html>`_\n - `PyPI <https://pypi.org/project/python-pae/>`_\n\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Pre-authentication encoding (PAE) implementation in Python",
"version": "0.1.0",
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"md5": "c6c9175f3a0d76e63eb50280b69ea84f",
"sha256": "484a939eb6c31a9786665577a895ffc559f50bb538417b6e91a4fb623c48ef82"
},
"downloads": -1,
"filename": "python_pae-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "c6c9175f3a0d76e63eb50280b69ea84f",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7,<4.0",
"size": 9740,
"upload_time": "2021-11-12T14:50:34",
"upload_time_iso_8601": "2021-11-12T14:50:34.680629Z",
"url": "https://files.pythonhosted.org/packages/83/f6/b6e0203b66a27ee16a3727d46d20768f6075635dca1fe1ab2e55838d2105/python_pae-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"md5": "66448a2044a9198f82942cd41ea23064",
"sha256": "85f3f32a06731c30436b5c3779c8029dc328af81e74e9fac3ddd361476ed806a"
},
"downloads": -1,
"filename": "python-pae-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "66448a2044a9198f82942cd41ea23064",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7,<4.0",
"size": 9675,
"upload_time": "2021-11-12T14:50:36",
"upload_time_iso_8601": "2021-11-12T14:50:36.091489Z",
"url": "https://files.pythonhosted.org/packages/e6/d5/545481c1fcadd7c293bd1c07b2a5ddb29f9da09934153596dbc9513f9b81/python-pae-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2021-11-12 14:50:36",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "MatthiasValvekens",
"github_project": "python-pae",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "python-pae"
}
JSON
