andygeers / firebase-keysafe

A backend service to aid in encrypting a Firebase database by securely storing user's data encryption keys.

License: MIT License

Python 100.00%

Contributors: andygeers, dependabot[bot]

firebase-keysafe's Issues

Issues Testing Locally

I'm having issues testing the script locally. I am able to run the development app server on my local machine, however when I make a request, I am getting an error. Any suggestions on how to fix/debug this issue? I've redacted some information using .

POST /key?key=<KMS_API_KEY> HTTP/1.1
Authorization: Bearer <INSERTED USER OAUTH TOKEN HERE>
Host: localhost:61668
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.4) GCDHTTPRequest
Content-Length: 0

Error

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Date: Sat, 15 Jun 2019 00:09:07 GMT
Server: Nathans-MacBook-Pro.local

�»�cexceptions
RuntimeError
p0
(S"ProtocolBufferDecodeError('Required field: service_name not set.\\n\\tRequired field: method not set.\\n\\tRequired field: request not set.',)"
p1
tp2
Rp3

Insecure (or at least very unusual) key generation

Just having a dig around this project, after reading your interesting blog post.

I noticed this code in main.py:

  def generate_random_key(self):
    password = b"<USE_A_SECURE_RANDOM_PASSWORD_HERE>"
    salt = os.urandom(16)
    iterations = 20000
    key_len = 16
    raw_key = hashlib.pbkdf2_hmac('sha1', password, salt, iterations, key_len)
    ascii_key = self.line_ending_stripper.sub("", base64.b64encode(raw_key).decode('ascii'))
    return ascii_key

PBKDF2 should be used when turning a user-supplied password into a key of a suitable length.

If you want to generate a random key, just use os.urandom(16) (or whatever length you need). It is more secure.
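
The two approaches from this issue side by side, as an added example that is not part of the original issue or the project's code. The function names pbkdf2_style_key, decoded_length and has_line_endings are hypothetical, and the salt is passed in as a parameter only so the derivation can be checked for determinism.

```python
import base64
import hashlib
import os
import re

# Constructed stand-in for the constant hard-coded in the quoted main.py snippet.
PLACEHOLDER_PASSWORD = b"<USE_A_SECURE_RANDOM_PASSWORD_HERE>"
KEY_LEN = 16  # bytes, the key_len used in the quoted code


def pbkdf2_style_key(password: bytes, salt: bytes) -> str:
    """Same derivation as the quoted generate_random_key, with the salt passed in."""
    raw = hashlib.pbkdf2_hmac("sha1", password, salt, 20000, KEY_LEN)
    return base64.b64encode(raw).decode("ascii")


def generate_random_key(key_len: int = KEY_LEN) -> str:
    """Draw the key straight from the OS CSPRNG, as the issue suggests."""
    return base64.b64encode(os.urandom(key_len)).decode("ascii")


def decoded_length(ascii_key: str) -> int:
    """Strictly decode a key and return its length in bytes."""
    return len(base64.b64decode(ascii_key, validate=True))


def has_line_endings(ascii_key: str) -> bool:
    """base64.b64encode emits no newlines, so no stripping regex is needed."""
    return re.search(r"[\r\n]", ascii_key) is not None


if __name__ == "__main__":
    salt = os.urandom(16)
    # With the password a fixed constant, the PBKDF2 output is a deterministic
    # function of the salt: its randomness is whatever os.urandom supplied.
    first = pbkdf2_style_key(PLACEHOLDER_PASSWORD, salt)
    second = pbkdf2_style_key(PLACEHOLDER_PASSWORD, salt)
    print("same salt, same key:", first == second)

    key = generate_random_key()
    print(key, decoded_length(key), has_line_endings(key))
```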

Firebase Admin SDK - Potential Security Issue

I was reviewing your blog post and the source code for this project because I am currently interested in implementing something similar.

From my understanding, the reason for implementing this project in this way is to make it so 2 different Google accounts would need to be compromised in order for any individual's user data to be accessible. However, if someone got Admin access to just the Firebase account, couldn't they then just use the Firebase Admin SDK to create a custom auth token for the user, submit that to Google App Engine and grab the decrypted encryption key plus any of the encrypted data on Firebase?

Just want to see if I am missing something?

Where to store or fetch the KMS key on android side?

I have a question regarding your blog post: do we have to store the KMS key on the client side to encrypt and decrypt the DEK, or will we fetch this KMS key from the server and perform the operation on the client side?

How would this architecture look like in a provider-agnostic setup?

I found this repository via your article at http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/ which helped me a lot in trying to understand the architecture for an app with similar requirements I am currently designing. Thank you for writing this up.

There is one question I still have, though, that I am struggling with when transferring these concepts to a non-Firebase / Google Cloud world: considering that the KMS service lives in a different account than the database, how would this make sure an attacker who gains access to the account that the database belongs to does not also gain access to calling the KMS service (i.e. calling GET '/decrypt?value=<encrypted_key>')?

Is authentication against the KMS service being handled by some Firebase feature that I am not aware of in this setup? In case yes, how could one build a similar setup without it?
