
The application I develop dictates that the software should prevent unauthorized access. In order to implement this, I've used username-and-password-based authentication with two roles available: standard user and administrator.

This was implemented completely in Python, using SQLAlchemy for interacting with the database and PyQt for the user interface.

The entered password is hashed using bcrypt and then compared with the hash present in the database for the respective username (the standard authentication technique used in web services).

After successful authentication, a variable called self.authenticatedUser holds an SQLAlchemy instance of class User.

The consequence of this implementation is that anyone can edit the login method to simply query the database directly for an object of type User with username admin and assign the returned SQLAlchemy instance of User to self.authenticatedUser, and bingo, the hacker has access to the system.

Since I am distributing this software written in Python, it is a matter of minutes for a hacker (or any sort of programmer) to disable the authentication mechanism. Also, I cannot use a web service here to authenticate or authorize by getting a login token, because the software would be used in an environment with an air gap.

Are there any concrete ways to implement this in a more secure way?

  1. Using a local MySQL database
  2. Using a secure (relatively hard to reverse engineer would probably be appropriate) mechanism.
RHLK
  • You could think about distributing it with [PyInstaller](http://www.pyinstaller.org/) as an OS binary. SQLAlchemy and PyQt are on the list of supported packages. PyInstaller even supports PyCrypto. – Sven-Eric Krüger Oct 24 '17 at 09:16

3 Answers


Everything is just a matter of how hard it is to reverse engineer the code, so here are some techniques to "protect" it.

  • precompile your application to byte code (but there are tools to decompile it back, like uncompyle6)
  • use some obfuscator on your code, so it is hardly readable (like pyminifier)
  • encrypt your application (e.g. pyconcrete)
  • use the user's password to encrypt an important part of the application itself on the fly. With the password, a hacker can recreate the unencrypted application, but without it, it is impossible.
j123b567
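As an added example (not code from the question or from this answer) of the difference between the gatekeeper check described in the question and the fourth bullet above, the following stand-alone Python models both. GateClient reproduces the pattern from the question, where a correct password only sets self.authenticatedUser, so a user who edits the program can assign it directly; seal and open_sealed instead derive a key from the password and encrypt the privileged data, so a patched client without the password gets nothing back. Everything here is an assumption of this example, not of the original: it uses only the standard library, PBKDF2-HMAC-SHA256 stands in for bcrypt, HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for an AEAD such as AES-GCM, an in-memory salt and hash stand in for the SQLAlchemy User row, and the sample password and payload are constructed.

```python
"""Gate check (as in the question) versus password-derived encryption (bullet 4)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; stand-in for bcrypt's cost parameter


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive 64 bytes from the password: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=64)


class GateClient:
    """The pattern from the question: a verified password only sets a field.

    Anyone who can edit the program can set that field themselves (patched_login),
    because nothing else in the process depends on the password having been right.
    """

    def __init__(self, salt: bytes, stored_hash: bytes) -> None:
        self.salt = salt                # stand-in for the salt/hash of the User row
        self.stored_hash = stored_hash
        self.authenticatedUser = None

    def login(self, username: str, password: str) -> bool:
        if hmac.compare_digest(derive_key(password, self.salt), self.stored_hash):
            self.authenticatedUser = username
        return self.authenticatedUser is not None

    def patched_login(self, username: str, password: str) -> bool:
        # The one-line edit the question describes: skip the check, assign the user.
        self.authenticatedUser = username
        return True


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a password-derived key. Layout: salt|nonce|ct|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(password: str, blob: bytes):
    """Return the plaintext, or None if the password is wrong or the blob was tampered with."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password or modified ciphertext: nothing is released
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    admin_pw = "correct horse battery staple"  # constructed sample password
    salt = os.urandom(16)
    gate = GateClient(salt, derive_key(admin_pw, salt))
    print("gate, wrong password:", gate.login("admin", "guess"))          # False
    print("gate, patched login: ", gate.patched_login("admin", "guess"))  # True, no password needed

    blob = seal(admin_pw, b"admin-only configuration and license data")  # constructed sample
    print("sealed, right password:", open_sealed(admin_pw, blob))
    print("sealed, wrong password:", open_sealed("guess", blob))          # None
```

In a real deployment the keystream construction would be replaced by AES-GCM or ChaCha20-Poly1305 from the cryptography package and PBKDF2 by a memory-hard KDF such as scrypt or Argon2; the structure stays the same. The limit this answer's last bullet states still applies: once an administrator types the password, the decrypted material is in that process's memory, so this protects against users who do not know the password, not against an administrator who wants to extract it.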

Even with an air gap a service is possible. However, if you do not want to do this, you should protect your data as if you gave every user a proper SQL client (like pgAdmin or SQL Server Management Studio). I suggest you start configuring your roles / users on the database level.

Rick


Since bcrypt is no longer adopted, you can easily use SHA2x; I think you need to consider using SHA2x for security reasons. Secondly, you can either use JWT, since it works 100% with Python. Also, have a deep look at two-factor authentication, which would be another plus to your security check.

DorkSeal3R