From 7715f972ed8cb462f964af14512d9c1e80eacb05 Mon Sep 17 00:00:00 2001
From: Ian Norton
Date: Mon, 29 Jan 2018 20:05:13 +0000
Subject: [PATCH] Safely make one-way randomized uploaderIDs
---
 src/eddn/Relay.py | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/eddn/Relay.py b/src/eddn/Relay.py
index c2300e5..6a3242f 100644
--- a/src/eddn/Relay.py
+++ b/src/eddn/Relay.py
@@ -11,6 +11,10 @@ from threading import Thread
 logger = logging.getLogger(__name__)
 import zlib
+import random
+import string
+import hashlib
+
 import gevent
 import simplejson
 import zmq.green as zmq
@@ -40,6 +44,35 @@ def stats():
 return simplejson.dumps(stats)
+def onetime_prefix():
+ """
+ Return random string 8 character string
+ :return:
+ """
+ prefix = ""
+ while len(prefix) < 8:
+ prefix += random.choice(string.lowercase + string.digits + string.uppercase)
+ return prefix
+
+
+# used by scramble_uploader to give a unique "key" each time the relay process is started
+_onetime_prefix_value = onetime_prefix()
+
+
+def scramble_uploader(uploaderId):
+ """
+ Make a one-way hash of the uploader that can't be undone from.
+
+ This is kind of like an HMac with _onetime_prefix_value as an ephemeral key.
+ the public data
+ :param uploaderId:
+ :return:
+ """
+ hasher = hashlib.sha1()
+ hasher.update(_onetime_prefix_value + uploaderId)
+ return hasher.hexdigest()[:20]
+
+
 class Relay(Thread):
 def run(self):
@@ -95,9 +128,9 @@ class Relay(Thread):
 statsCollector.tally("duplicate")
 return
- # Remove ID to end consumer (Avoid realtime user tracking without their consent)
+ # Scramble ID to end consumer (Avoid realtime user tracking without their consent)
 if 'uploaderID' in json['header']:
- del json['header']['uploaderID']
+ json['header']['uploaderID'] = scramble_uploader(json['header']['uploaderID'])
 # Remove IP to end consumer
 if 'uploaderIP' in json['header']:
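Review bot: The ephemeral key from `onetime_prefix()` is 8 alphanumeric characters drawn with `random.choice`, roughly 48 bits from a non-cryptographic generator, and `scramble_uploader` uses it as a plain SHA-1 prefix rather than as an HMAC key. Anyone who knows one uploaderID and sees its relayed hash (their own, for instance) can search that key space offline, after which the other hashes relayed by this process can be tested against candidate names. The key should come from the OS CSPRNG and the digest from the `hmac` module, which makes `onetime_prefix()` unnecessary and needs `import hmac` and `import os` next to the imports added in the first hunk. Separately, `_onetime_prefix_value + uploaderId` becomes `unicode` if the JSON decoder returns a non-ASCII ID, and `hasher.update()` would then raise `UnicodeEncodeError` under Python 2 (which `string.lowercase` implies), so the ID should be encoded to UTF-8 first. How the message is decoded is outside the hunk, so confirm.

```python
# used by scramble_uploader as a per-process secret; regenerated on every relay start
_onetime_prefix_value = os.urandom(32)


def scramble_uploader(uploaderId):
    # … unchanged: docstring …
    if isinstance(uploaderId, unicode):
        uploaderId = uploaderId.encode("utf-8")
    mac = hmac.new(_onetime_prefix_value, uploaderId, hashlib.sha256)
    return mac.hexdigest()[:20]
```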
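Review bot: Replacing the `del` with a stable hash at `json['header']['uploaderID'] = scramble_uploader(...)` means consumers can again link every message from one uploader for as long as the relay process runs, which the retained comment "(Avoid realtime user tracking without their consent)" no longer accurately describes. If per-run linkability is intended, say so in the comment, e.g. `# Pseudonymise ID for end consumers: stable per uploader until the relay restarts, so messages stay linkable within one run`. If relay uptime is long, consider regenerating the key on a timer so the linkability window is bounded. The enclosing method starts and ends outside the hunk.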