Password generation¶

c’t SESAM uses an encrypted secret to generate your passwords: the kgk (Key-Generation-Key). This trick enables you to change your masterpassword and makes sure that the secret used for the calculation of passwords is 64 bytes.

The kgk is stored and decrypted in the KgkManager class:

The KGK manager stores the kgk and manages storage and encryption of kgk blocks.

class kgk_manager.KgkManager[source]¶

New KgkManagers are uninitialized and need either a new kgk or get one by decrypting an existing one.

create_and_save_new_kgk_block(kgk_crypter=None)[source]¶

Creates a fresh kgk block and saves it.

Parameters:	kgk_crypter (Crypter) –
Returns:	kgk block
Return type:	bytes

create_new_kgk()[source]¶

Creates a new kgk. This overwrites the previous one.

Returns:	the new kgk
Return type:	bytes

decrypt_kgk(encrypted_kgk, kgk_crypter=None, password=b'', salt=b'')[source]¶

Decrypts kgk blobs. If a crypter is passed it is used. If none is passed a new crypter is created with the salt and password. This takes relatively long. If the encrypted_kgk has a wrong length a new kgk is created.

Parameters:	encrypted_kgk (bytes) – kgk_crypter (Crypter) – password (bytes) – salt (bytes) –

fresh_iv2()[source]¶: Creates a fresh iv for the settings encryption (iv2).

fresh_salt2()[source]¶: Creates a fresh salt for the settings encryption (salt2).

get_encrypted_kgk()[source]¶

Returns an encrypted kgk block.

Returns:	kgk block
Return type:	bytes

get_fresh_encrypted_kgk()[source]¶

Returns a new encrypted kgk block with fresh salt2 and iv2. This does not create a new kgk.

Returns:	kgk block
Return type:	bytes

get_iv2()[source]¶

Returns the iv2

Returns:	iv2
Return type:	bytes

get_kgk()[source]¶

Returns the kgk.

Returns:	the kgk
Return type:	bytes

get_kgk_crypter(password, salt)[source]¶

Creates a kgk crypter for the given credentials. This is a very expensive operation.

Parameters:	password (bytes) – salt (bytes) –
Returns:	a kgk crypter
Return type:	Crypter

get_kgk_crypter_salt()[source]¶

Loads the public salt. If there is none it is created and stored.

Returns:

get_salt2()[source]¶

Returns the salt2

Returns:	salt2
Return type:	bytes

has_kgk()[source]¶

Returns true if there is a kgk and a crypter.

Returns:	kgk state
Return type:	bool

reset()[source]¶: Resets the kgk manager.

set_preference_manager(preference_manager)[source]¶

Pass a preference manager to load and store settings locally

Parameters:	preference_manager (PreferenceManager) –

store_local_kgk_block()[source]¶: Stores the local kgk block.

store_salt(salt)[source]¶

Stores the salt using the preference manager.

Parameters:	salt (bytes) – the salt

update_from_blob(password, blob)[source]¶

Updates the kgk from a remote data blob.

Parameters:	password (bytes) – the masterpassword blob (bytes) – the encrypted data

The encrypted kgk, and the settings are stored in the hidden file .ctSESAM.pws in your home directory. Reading and writing of this file is handled by the PreferenceManager:

The preference manager handles the access to the settings file.

class preference_manager.PreferenceManager(settings_file='/home/docs/.ctSESAM.pws')[source]¶

Parameters:	settings_file (str) – Filename of the settings file. Defaults to PASSWORD_SETTINGS_FILE as defined in the source

get_kgk_block()[source]¶

Reads the kgk_block.

Returns:	112 bytes of kgk data
Return type:	bytes

get_salt()[source]¶

Reads the salt.

Returns:	the salt
Return type:	bytes

get_settings_data()[source]¶

Reads the settings data.

Returns:	encrypted settings
Return type:	bytes

read_file()[source]¶: Read the settings file.

set_hidden()[source]¶: Hides the settings file if possible.

store_kgk_block(kgk_block)[source]¶

Writes the kgk_block into bytes 32 to 143.

Parameters:	kgk_block (bytes) – encrypted kgk data

store_salt(salt)[source]¶

Writes the salt into the first 32 bytes of the file.

Parameters:	salt (bytes) – 32 bytes salt

store_settings_data(settings_data)[source]¶

Writes the settings data after byte 144.

Parameters:	settings_data (bytes) – encrypted settings data

Passwords are generated with the PasswordManager class:

Password manager. It’s name is CtSesam because it produces passwords which are compatible to those created by other c’t SESAM implementations.

class password_generator.CtSesam(domain, username, kgk, salt=b'pepper', iterations=4096)[source]¶

Calculates passwords from masterpasswords and domain names. You may set the salt and iteration count to something of your liking. If not set default values will be used.

Parameters:	domain (str) – the domain str username (str) – the username str kgk (bytes) – the kgk salt (bytes) – the salt iterations (int) – iteration count (should be 1 or higher, default is 4096)

generate(setting)[source]¶

Generates a password string.

Parameters:	setting (PasswordSetting) – a setting object
Returns:	password
Return type:	str