
serializing with pickle #159

Closed
hardbyte opened this issue Aug 19, 2017 · 4 comments
Labels
Type: Bug 🐛 Some functionality not working in the codebase as intended

Comments

@hardbyte

Pickle is very powerful, and therefore very dangerous. I would strongly suggest not serializing anything remotely related to crypto with it.

Here is a quick proof of concept to steal a secret being encrypted by altering the public key before serialization. This uses the (slightly tweaked) classes from Paillier.py; full code as a gist:

import pickle
from phe import paillier  # python-paillier; KeyPair and PublicKey are the (tweaked) Paillier.py classes

keypair = KeyPair()
keypair.generate()

class DeviousPhePublicKey(paillier.PaillierPublicKey):

    def encrypt(self, x):
        # runs on whichever machine unpickles this key
        print("Sending the secret {} to my webserver...".format(x))
        return super().encrypt(x)

pk_devious = DeviousPhePublicKey(keypair.public_key.pk.n)
pk_syft = PublicKey(pk_devious)

# So far nothing scary... now we serialize and send
# our public key to someone else though...

pk_s = pk_syft.serialize()
pk_reconstructed = PublicKey(pickle.loads(pk_s))
cipher_remote = pk_reconstructed.encrypt(42)

Output (assumed to be on a remote machine):

Sending the secret 42 to my webserver...

Instead you could use a standard format such as JWK, which will allow interoperability between languages and be a lot safer.

Also have you seen our paillier keys jwk serialisation docs?

@iamtrask iamtrask added Type: Bug 🐛 Some functionality not working in the codebase as intended beginner labels Aug 19, 2017
@iamtrask iamtrask added this to the Helium milestone Aug 19, 2017
@souravsingh

@iamtrask I am interested in working on this. How do I start?

@iamtrask
Member

@souravsingh great choice! This is very important functionality!

  1. Look for where "pickle" is being used anywhere in the project (usually in a method called "serialize")
  2. at each place, serialize using a better data structure of your choosing (perhaps a string?)
  3. implement the corresponding deserialization function to go with your new serialization function
  4. write unit tests for each!!!
  5. Party with beer and pizza!!! (mandatory)

@hardbyte care to add any color re: security and performance?

@hardbyte
Author

hardbyte commented Oct 2, 2017

I'd recommend reading the spec that defines JSON Web Keys: RFC 7517
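The pickle round-trip from the PoC above beside the JWK-style alternative recommended in this thread, as an added example that is not code from the issue, the gist or the project; PaillierPublicKey here is a minimal textbook stand-in and the "kty" value is this example's own choice, not a registered key type:

```python
import base64
import json
import pickle
import secrets

# Minimal textbook Paillier public key, constructed for this example; it stands in
# for the project's PaillierPublicKey and carries only the public modulus n.
class PaillierPublicKey:
    def __init__(self, n):
        self.n, self.nsquare, self.g = n, n * n, n + 1
    def encrypt(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        return pow(self.g, m, self.nsquare) * pow(r, self.n, self.nsquare) % self.nsquare

# Same trick as the PoC in this thread: a subclass that records every plaintext it encrypts.
class DeviousPublicKey(PaillierPublicKey):
    def __init__(self, n):
        super().__init__(n)
        self.seen = []
    def encrypt(self, m):
        self.seen.append(m)
        return super().encrypt(m)

def _b64u_encode(n):
    return base64.urlsafe_b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()
def _b64u_decode(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def to_jwk(pk):
    # JWK-style JSON (the "kty" value is this example's own, not a registered type):
    # only the number n travels, never a class reference.
    return json.dumps({"kty": "PAILLIER", "n": _b64u_encode(pk.n)})

def from_jwk(doc):
    d = json.loads(doc)
    if d.get("kty") != "PAILLIER" or not isinstance(d.get("n"), str):
        raise ValueError("not a Paillier public key document")
    n = _b64u_decode(d["n"])
    if n < 3:
        raise ValueError("modulus out of range")
    return PaillierPublicKey(n)  # receiver always instantiates its own trusted class

def compare_roundtrips(n=3233):
    # Serialize a DeviousPublicKey both ways and report which class the receiver ends up running.
    devious = DeviousPublicKey(n)
    via_pickle = pickle.loads(pickle.dumps(devious))  # the sender's class comes along
    via_jwk = from_jwk(to_jwk(devious))               # only n comes along
    via_pickle.encrypt(42)
    via_jwk.encrypt(42)
    return {"pickle_class": type(via_pickle).__name__, "jwk_class": type(via_jwk).__name__,
            "n_preserved": via_jwk.n == n, "leaked_via_pickle": via_pickle.seen}
```

The pickle path hands the receiver the sender's subclass (and its recorded plaintexts); the JSON path rebuilds the receiver's own class from the modulus alone.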

@sriranganathan
Contributor

If this is still available, I would like to give it a go.

madhavajay pushed a commit that referenced this issue Jun 7, 2021
#159)

* Added version_tree module to support versioning of arbitrary objects in IPFS

* Remove references to VersionTreeNode to play nice with subclasses

* Added __str__ and __eq__ methods, along with Jupyter notebook with usage
instructions.