turbid


Nameturbid JSON
Version 0.1.1 PyPI version JSON
download
home_pageNone
SummaryTransparent obfuscation of numeric IDs
upload_time2024-08-02 23:42:24
maintainerNone
docs_urlNone
authorPedro Werneck
requires_python<4.0,>=3.8
licenseMIT
keywords
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # TurbID

[![Build Status](https://github.com/pjwerneck/turbid/actions/workflows/pytest.yml/badge.svg?branch=main)](https://github.com/pjwerneck/turbid/actions/workflows/pytest.yml)
[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)

## Overview

TurbID is a Python library that provides ID obfuscation and encryption for
sequential integer primary keys. With TurbID, your database can store clear,
sequential integer primary keys, while your public API and the rest of the world
sees opaque and seemingly random long-form string IDs. This approach avoids the
database performance downsides of long random IDs and sidesteps the privacy and
security risks of clear integer IDs.

Unlike other libraries that merely encode integers with a randomized alphabet,
TurbID uses format-preserving encryption for additional security.

TurbID currently supports SQLAlchemy with an optional extension that provides a
custom column type, but it can be extended to work with other ORMs or
frameworks.

> [!WARNING]
>
> TurbID is not intended for protecting sensitive numeric data, such as credit card numbers or PINs. For these use cases, please use standard, secure encryption methods.

## Installation

TurbID is compatible with Python 3.8+ and available on PyPI. Install it with
pip, or your package manager of choice:

```bash
pip install turbid
```

But you probably want to install with the optional SQLAlchemy extension:

```bash
pip install turbid[sqlalchemy]
```

## SQLAlchemy Usage

With SQLAlchemy, just replace your column's `Integer` column type with `TurbIDType`:

```python

class User(Base):
    __tablename__ = "user"

    user_id = sa.Column(TurbIDType(key=KEY, tweak="user"), primary_key=True)
    name = sa.Column(sa.String(200))

```

If you have foreign keys, do the same for the `ForeignKey` columns, but remember
to use the same `key` and `tweak` values as the referenced column:

```python
class Post(Base):
    __tablename__ = "post"

    post_id = sa.Column(TurbIDType(key=KEY, tweak="post"), primary_key=True)
    user_id = sa.Column(TurbIDType(key=KEY, tweak="user"), sa.ForeignKey("user.user_id"))
    title = sa.Column(sa.String(200))

```

You can use your columns as usual, in joins, filters, data retrieval, etc. In
queries or when updating data you can use either the original integer ID or the
obfuscated string ID, but retrievals will always return the obfuscated string
ID.

## TurbIDCipher Usage

If you don't use SQLAlchemy or you want to encrypt/decrypt IDs at another layer
of your application, like when serializing objects for responses, you can use
the `TurbIDCipher` class directly.

```python
>>> from turbid import TurbIDCipher
>>> import secrets
>>>
>>> key = secrets.token_hex()
>>> tweak = "my_table_name"
>>> obscure_id = TurbIDCipher(key, tweak=tweak)
>>>
>>> # Encrypt an integer ID
>>> encrypted_id = obscure_id.encrypt(12345)
>>> print(f"Encrypted ID: {encrypted_id}")
Encrypted ID: VTxLWjgdCWGjLSIiZtCQCMvu
>>>
>>> # Decrypt the ID back to the original integer
>>> original_id = obscure_id.decrypt(encrypted_id)
>>> print(f"Original ID: {original_id}")
Original ID: 12345
```

## Parameters

The required parameters are:

- **key**:
  - A string that will be hashed to generate the encryption key for the AES cipher.
  - Never expose the key in version control or share it publicly.
  - You can generate a random key suitable for this purpose using the
    `secrets.token_hex` function.
- **tweak**:
  - A string that will be hashed to generate the 7-byte tweak value for FF3-1
    encryption.
  - This parameter is not a secret and is used to differentiate the encrypted
    values of different instances using the same secret `key`.
  - The value **must** be unique per table to avoid ID collisions.

SQLAlchemy extension parameters:

- **prefix**:
  - An optional string that will be prepended to the encrypted ID. This is also
    used as the `tweak` value if an explicit one isn't provided.
  - If you don't want a prefix on your encrypted IDs, you must provide a `tweak` for each table.
  - You can provide both a `tweak` and a `prefix`. In this case, the `prefix`
    will be merely cosmetic and the `tweak` will be used to differentiate the
    encrypted values.

Optional parameters with tested defaults:

- **length=`24`**:
  - The length of the encrypted ID. The default is 24 characters, but the
    minimum and maximum lengths are determined by the alphabet length and the
    maximum value you want to encrypt.
  - A `ValueError` will be raised if the alphabet length is incompatible with
    the specified length.
- **alphabet=`string.digits + string.ascii_letters`**:
  - The alphabet used to encode the encrypted ID. The default is all 10 digits
    and all 52 lowercase and uppercase letters.
  - You can use a different alphabet, as long as it contains all 10 digits and
    no repeated characters.
  - The alphabet length must be compatible with the specified `length`.
- **key_length=`128`**:
  - The length of the AES key in bits. The default is 128 bits, which is the
    recommended key length for AES encryption.
  - Note this refers to the length of the hashed key generated internally, not
    the length of the string you provide as the key material.

## Compatibility and Testing

TurbID is tested with the following values:

- input ids: sampled from `0` to `2^63-1`
- `length`: `20` to `32`, inclusive
- `alphabet`: `string.digits + string.ascii_letters` and `"0123456789abcdef"`
- `key_length`: `128`, `194`, and `256`

It probably works with other values, but you should review the limitations of
the FF3-1 algorithm and the [ff3](https://github.com/mysto/python-fpe) library
and implement tests to ensure it works as expected.

## License

TurbID is licensed under the MIT License. See the [LICENSE](LICENSE) file for
details.

            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "turbid",
    "maintainer": null,
    "docs_url": null,
    "requires_python": "<4.0,>=3.8",
    "maintainer_email": null,
    "keywords": null,
    "author": "Pedro Werneck",
    "author_email": "pjwerneck@gmail.com",
    "download_url": "https://files.pythonhosted.org/packages/28/03/145a14d7543833ddc8ae450921c040e2855e1c5f6ccb8a6ea066745368d8/turbid-0.1.1.tar.gz",
    "platform": null,
    "description": "# TurbID\n\n[![Build Status](https://github.com/pjwerneck/turbid/actions/workflows/pytest.yml/badge.svg?branch=main)](https://github.com/pjwerneck/turbid/actions/workflows/pytest.yml)\n[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\n## Overview\n\nTurbID is a Python library that provides ID obfuscation and encryption for\nsequential integer primary keys. With TurbID, your database can store clear,\nsequential integer primary keys, while your public API and the rest of the world\nsees opaque and seemingly random long-form string IDs. This approach avoids the\ndatabase performance downsides of long random IDs and sidesteps the privacy and\nsecurity risks of clear integer IDs.\n\nUnlike other libraries that merely encode integers with a randomized alphabet,\nTurbID uses format-preserving encryption for additional security.\n\nTurbID currently supports SQLAlchemy with an optional extension that provides a\ncustom column type, but it can be extended to work with other ORMs or\nframeworks.\n\n> [!WARNING]\n>\n> TurbID is not intended for protecting sensitive numeric data, such as credit card numbers or PINs. For these use cases, please use standard, secure encryption methods.\n\n## Installation\n\nTurbID is compatible with Python 3.8+ and available on PyPI. Install it with\npip, or your package manager of choice:\n\n```bash\npip install turbid\n```\n\nBut you probably want to install with the optional SQLAlchemy extension:\n\n```bash\npip install turbid[sqlalchemy]\n```\n\n## SQLAlchemy Usage\n\nWith SQLAlchemy, just replace your column's `Integer` column type with `TurbIDType`:\n\n```python\n\nclass User(Base):\n    __tablename__ = \"user\"\n\n    user_id = sa.Column(TurbIDType(key=KEY, tweak=\"user\"), primary_key=True)\n    name = sa.Column(sa.String(200))\n\n```\n\nIf you have foreign keys, do the same for the `ForeignKey` columns, but remember\nto use the same `key` and `tweak` values as the referenced column:\n\n```python\nclass Post(Base):\n    __tablename__ = \"post\"\n\n    post_id = sa.Column(TurbIDType(key=KEY, tweak=\"post\"), primary_key=True)\n    user_id = sa.Column(TurbIDType(key=KEY, tweak=\"user\"), sa.ForeignKey(\"user.user_id\"))\n    title = sa.Column(sa.String(200))\n\n```\n\nYou can use your columns as usual, in joins, filters, data retrieval, etc. In\nqueries or when updating data you can use either the original integer ID or the\nobfuscated string ID, but retrievals will always return the obfuscated string\nID.\n\n## TurbIDCipher Usage\n\nIf you don't use SQLAlchemy or you want to encrypt/decrypt IDs at another layer\nof your application, like when serializing objects for responses, you can use\nthe `TurbIDCipher` class directly.\n\n```python\n>>> from turbid import TurbIDCipher\n>>> import secrets\n>>>\n>>> key = secrets.token_hex()\n>>> tweak = \"my_table_name\"\n>>> obscure_id = TurbIDCipher(key, tweak=tweak)\n>>>\n>>> # Encrypt an integer ID\n>>> encrypted_id = obscure_id.encrypt(12345)\n>>> print(f\"Encrypted ID: {encrypted_id}\")\nEncrypted ID: VTxLWjgdCWGjLSIiZtCQCMvu\n>>>\n>>> # Decrypt the ID back to the original integer\n>>> original_id = obscure_id.decrypt(encrypted_id)\n>>> print(f\"Original ID: {original_id}\")\nOriginal ID: 12345\n```\n\n## Parameters\n\nThe required parameters are:\n\n- **key**:\n  - A string that will be hashed to generate the encryption key for the AES cipher.\n  - Never expose the key in version control or share it publicly.\n  - You can generate a random key suitable for this purpose using the\n    `secrets.token_hex` function.\n- **tweak**:\n  - A string that will be hashed to generate the 7-byte tweak value for FF3-1\n    encryption.\n  - This parameter is not a secret and is used to differentiate the encrypted\n    values of different instances using the same secret `key`.\n  - The value **must** be unique per table to avoid ID collisions.\n\nSQLAlchemy extension parameters:\n\n- **prefix**:\n  - An optional string that will be prepended to the encrypted ID. This is also\n    used as the `tweak` value if an explicit one isn't provided.\n  - If you don't want a prefix on your encrypted IDs, you must provide a `tweak` for each table.\n  - You can provide both a `tweak` and a `prefix`. In this case, the `prefix`\n    will be merely cosmetic and the `tweak` will be used to differentiate the\n    encrypted values.\n\nOptional parameters with tested defaults:\n\n- **length=`24`**:\n  - The length of the encrypted ID. The default is 24 characters, but the\n    minimum and maximum lengths are determined by the alphabet length and the\n    maximum value you want to encrypt.\n  - A `ValueError` will be raised if the alphabet length is incompatible with\n    the specified length.\n- **alphabet=`string.digits + string.ascii_letters`**:\n  - The alphabet used to encode the encrypted ID. The default is all 10 digits\n    and all 52 lowercase and uppercase letters.\n  - You can use a different alphabet, as long as it contains all 10 digits and\n    no repeated characters.\n  - The alphabet length must be compatible with the specified `length`.\n- **key_length=`128`**:\n  - The length of the AES key in bits. The default is 128 bits, which is the\n    recommended key length for AES encryption.\n  - Note this refers to the length of the hashed key generated internally, not\n    the length of the string you provide as the key material.\n\n## Compatibility and Testing\n\nTurbID is tested with the following values:\n\n- input ids: sampled from `0` to `2^63-1`\n- `length`: `20` to `32`, inclusive\n- `alphabet`: `string.digits + string.ascii_letters` and `\"0123456789abcdef\"`\n- `key_length`: `128`, `194`, and `256`\n\nIt probably works with other values, but you should review the limitations of\nthe FF3-1 algorithm and the [ff3](https://github.com/mysto/python-fpe) library\nand implement tests to ensure it works as expected.\n\n## License\n\nTurbID is licensed under the MIT License. See the [LICENSE](LICENSE) file for\ndetails.\n",
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "Transparent obfuscation of numeric IDs",
    "version": "0.1.1",
    "project_urls": null,
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "2593c02109d6b361b8bcf87ef7cf3de53e2bc09582b09a57a0e2d0acfde6fab0",
                "md5": "9e8fbb88587e956e0c1a91ce44d593ac",
                "sha256": "bf5c62e41ab8dcd1072c2b274c800a94fd0a964903717a30f6c57253a9e9e4fa"
            },
            "downloads": -1,
            "filename": "turbid-0.1.1-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "9e8fbb88587e956e0c1a91ce44d593ac",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": "<4.0,>=3.8",
            "size": 7346,
            "upload_time": "2024-08-02T23:42:22",
            "upload_time_iso_8601": "2024-08-02T23:42:22.485825Z",
            "url": "https://files.pythonhosted.org/packages/25/93/c02109d6b361b8bcf87ef7cf3de53e2bc09582b09a57a0e2d0acfde6fab0/turbid-0.1.1-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "2803145a14d7543833ddc8ae450921c040e2855e1c5f6ccb8a6ea066745368d8",
                "md5": "7123dd52ff8e027e5d8d8a8ca5882b1d",
                "sha256": "5dbf4dd92f3ceead22067b3698f99f6b0cfee0386d72da6b9c63188d3a3375a6"
            },
            "downloads": -1,
            "filename": "turbid-0.1.1.tar.gz",
            "has_sig": false,
            "md5_digest": "7123dd52ff8e027e5d8d8a8ca5882b1d",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "<4.0,>=3.8",
            "size": 6665,
            "upload_time": "2024-08-02T23:42:24",
            "upload_time_iso_8601": "2024-08-02T23:42:24.076586Z",
            "url": "https://files.pythonhosted.org/packages/28/03/145a14d7543833ddc8ae450921c040e2855e1c5f6ccb8a6ea066745368d8/turbid-0.1.1.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-08-02 23:42:24",
    "github": false,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "lcname": "turbid"
}
        
Elapsed time: 0.80680s