-1

Problem

I wrote a function which signs an uploaded document. In order to increase the security of the function, I would like to add a SALT to it. As I am reading the bytes of the uploaded file, I guess I would have to prepend or append it somehow?

Code

This is the (working) function without SALT I currently have:

```python
def sign(file):
    with open(private_key_path, 'rb') as f:
        key = f.read()
    hash = SHA256.new(file.read())
    # do signing stuff
    return signature
```

I tried to update the hash afterwards, but that does not work:

```python
SALT = "random string";
def sign(file):
    with open(private_key_path, 'rb') as f:
        key = f.read()
    h = SHA256.new(file.read())
    hash = h.update(str.encode(SALT))
    # do signing stuff
    return signature
```

How could I fix this? Is there a proper standard way to do this?

Gh05d
  • Are there any error messages? Or does the returned hash not match the expected one? Could you add some temp file, salt and expected result to your post? You can do simple `SHA256.new(file.read() + SALT.encode())` – Olvin Roght Apr 11 '22 at 15:37
  • `h.update()` operates in place, it doesn't return a new hash. – Barmar Apr 11 '22 at 15:38
  • How would adding a salt increase security in this use case? – wovano Apr 11 '22 at 16:07
  • Basically that it makes it harder to forge an identical hash of the document as it will be public. But in the best case no one will ever get the SALT. – Gh05d Apr 11 '22 at 16:09
  • I *highly* doubt that adding a salt will make it harder to forge a SHA256... The complete purpose of SHA256 is to prevent that, while salts are generally used to avoid duplicate password hashes in case two accounts use the same password. It has a completely different purpose. – wovano Apr 11 '22 at 16:45
  • So what do you propose as a solution? – Gh05d Apr 11 '22 at 21:34

1 Answer

2

Try this instead:

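```python
from Crypto.Hash import SHA256  # assumed: PyCryptodome, which provides SHA256.new()

SALT = "random string"

def sign(file):
    with open(private_key_path, 'rb') as f:
        key = f.read()
    hash_ = SHA256.new(file.read())
    # update() changes hash_ in place and returns None, so its result is not assigned
    hash_.update(SALT.encode())
    # do signing stuff
    return signature
```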

According to the official hashlib documentation:

> `hash.update(data)` updates the hash object with the bytes-like object (data).

This means that `SHA256.new()` actually creates a Python object, and `.update()` is a method of this Python object which updates the object's property. It doesn't return anything, and hence nothing will be stored in the `hash` variable of your second code snippet.

For more information, please take a look at this answer.

Asclepius
SmartOinker
  • Your answer is good, but consider not using names of built-in [functions](https://docs.python.org/3/library/functions.html)/[constants](https://docs.python.org/3/library/constants.html)/[types](https://docs.python.org/3/library/stdtypes.html) in variable naming *([`hash()`](https://docs.python.org/3/library/functions.html#hash))*, it could lead to unexpected behavior. – Olvin Roght Apr 11 '22 at 16:33
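
The behaviour discussed in this thread, as an added example that is not code from the question or the answer: it uses the standard-library `hashlib` (which the answer cites) instead of `SHA256.new()`, and the helper names, sample document and chunk size are assumptions made for illustration. It shows that `update()` returns `None`, that appending the salt with `update()` equals hashing `document + salt` in one call, and that whoever checks the result must recompute the digest with the same salt.

```python
import hashlib
import io

SALT = b"random string"  # constructed sample value, same text as in the question
DOCUMENT = b"constructed sample upload\n" * 4096  # constructed sample input


def salted_digest(fileobj, salt, chunk_size=65536):
    """SHA-256 over the file's bytes followed by salt (hypothetical helper)."""
    h = hashlib.sha256()
    # Read in chunks so a large upload is never held in memory at once.
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)  # mutates h in place; the return value is None
    h.update(salt)       # appending the salt is just one more update
    return h.digest()


def broken_digest(fileobj, salt):
    """The question's pattern: keeps the return value of update()."""
    h = hashlib.sha256(fileobj.read())
    return h.update(salt)


def verifier_digest(document_bytes, salt):
    """What a party checking the signature has to recompute."""
    return hashlib.sha256(document_bytes + salt).digest()


if __name__ == "__main__":
    signer_side = salted_digest(io.BytesIO(DOCUMENT), SALT)
    print(broken_digest(io.BytesIO(DOCUMENT), SALT))
    print(signer_side == verifier_digest(DOCUMENT, SALT))
    print(signer_side == verifier_digest(DOCUMENT, b""))
```

A verifier that does not have the salt computes a different digest, so the salt has to be handed to every party that is expected to verify the signature.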