[liberationtech] Request for comments: Peewee integration with pysqlcipher

Uncle Zzzen unclezzzen at gmail.com
Fri Apr 18 20:31:53 PDT 2014


https://github.com/swizzler/peewee/ is our fork of peewee
<http://peewee.readthedocs.org/> (a tiny python orm) that provides
pysqlcipher <https://github.com/leapcode/pysqlcipher/> integration. There's
also a gist <https://gist.github.com/thedod/11048875> with a minimal
example if you want to play with this without starting from scratch.

First, I'm happy to announce this (as long as you understand that *this has
not been peer reviewed yet*).

This brings us to the question whether I've introduced new vulnerabilities
(I don't think so, but people never do [?]).

Also, there's an "educational" question:
This is a library, so the target audience is a developer who "should know
better" (but maybe doesn't). I've introduced "reasonable minimums"
<https://github.com/swizzler/peewee/blob/sqlcipher/playhouse/sqlcipher_ext.py#L31>
for passphrase length and kdf_iter. If the developer tries to use
"unreasonable values", the error message says something like "you need more
than that", because the numbers are quite low (8 and 10000).

So the questions are:

   1. What are the "right numbers"?
   2. Is 64000 a "reasonable default"
   <https://github.com/swizzler/peewee/blob/sqlcipher/playhouse/sqlcipher_ext.py#L30>
   for kdf_iter?
   3. Anything wrong or misleading in my docs/comments?
   4. Any urls I could send developers who wish to learn more?
   5. [and - of course] Any vulnerabilities you can think of?

Thanks,

The Dod <http://thedod.github.io> / the
Swizzler <https://github.com/swizzler/swizzler#readme> project
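One way to put numbers on the "right numbers" question is to measure what a single key derivation costs at the minimum and default kdf_iter and multiply by the passphrase search space. This is an added example, not part of the original post or of the peewee fork; it assumes PBKDF2-HMAC-SHA1 with a 256-bit key as the KDF, and every function name in it is hypothetical.

```python
import hashlib
import math
import os
import time

# Values named in the post: minimum passphrase length, minimum and default kdf_iter.
MIN_PASSPHRASE_LEN = 8
MIN_KDF_ITER = 10000
DEFAULT_KDF_ITER = 64000

def check_settings(passphrase, kdf_iter=DEFAULT_KDF_ITER):
    """Reject values below the minimums, as the post describes (hypothetical helper)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase needs at least %d characters" % MIN_PASSPHRASE_LEN)
    if kdf_iter < MIN_KDF_ITER:
        raise ValueError("kdf_iter needs to be at least %d" % MIN_KDF_ITER)
    return kdf_iter

def derive_key(passphrase, salt, kdf_iter):
    """Assumption: PBKDF2-HMAC-SHA1 with a 256-bit key stands in for the database KDF."""
    check_settings(passphrase, kdf_iter)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, kdf_iter, dklen=32)

def seconds_per_guess(kdf_iter, rounds=3):
    """Wall-clock cost of one derivation on this machine (best of `rounds`)."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key("constructed sample passphrase", salt, kdf_iter)
        best = min(best, time.perf_counter() - start)
    return best

def search_space_bits(length, alphabet_size):
    """Entropy of a passphrase drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guess_seconds, parallel_workers=1):
    """Time to try every candidate, given the measured per-guess cost."""
    return (2 ** bits) * guess_seconds / parallel_workers / (365.25 * 24 * 3600)

if __name__ == "__main__":
    bits = search_space_bits(MIN_PASSPHRASE_LEN, 26)  # constructed case: 8 random lowercase letters
    for iters in (MIN_KDF_ITER, DEFAULT_KDF_ITER):
        cost = seconds_per_guess(iters)
        print("kdf_iter=%d: %.4fs/guess, %.1f bits, %.1f years on 1 core, %.4f years on 10000"
              % (iters, cost, bits, years_to_exhaust(bits, cost), years_to_exhaust(bits, cost, 10000)))
```

The per-guess cost grows linearly with kdf_iter, while each extra random passphrase character multiplies the search space by the alphabet size, so the length minimum moves the result far more than the iteration minimum does.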

