Authenticated encryption with PyCrypto
in [Python]
|
Prev: how can i know if a python object have a attribute such as'attr1'?
Next: announcement: expy release 0.5
From: M.-A. Lemburg on 26 Jan 2010 16:00 geremy condra wrote: > On Tue, Jan 26, 2010 at 12:37 PM, M.-A. Lemburg <mal(a)egenix.com> wrote: > > <snip> > >> You are also using CBC mode, even though you are really after >> ECB mode (your code doesn't use chaining). With ECB mode, you >> don't need the IV string. > > However, ECB mode is not as secure- the IV is the right way to go > here. Right - I forgot that PyCrypto applies the chaining internally when being passed data of more than 32 bytes. > I'd also note that you aren't supposed to use RandomPool anymore, > and that AES-192 is frequently recommended over AES-256 for > new applications due to a number of recent developments in > the cryptanalysis of its key schedule. Do you have pointers for this ? I could only find http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security and https://cryptolux.org/Block My reading of their FAQ (https://cryptolux.org/FAQ_on_the_attacks) is that using AES-128 is the way to go (and it's faster too) - at least for the time being. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Jan 26 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
From: Daniel on 26 Jan 2010 17:51 On Jan 26, 12:37 pm, "M.-A. Lemburg" <m...(a)egenix.com> wrote: > Note that your code has a padding bug: the decoder doesn't > undo the padding. You're lucky though, since pickle will only > read as much data as it needs and not complain about the extra > data it finds. Doesn't the last line in decrypt() do it? return data[:-ord(data[-1])] Given, it's a bit cryptic... no pun intended :) > > Also, slightly related, is there an easy way to get the sha/md5 > > deprecation warnings emitted by PyCrypto in Python 2.6 to go away? > > Yes: you silence them via the warnings module. I suppose that the > latest version of PyCrypto fixes these warnings. The version that gets installed by easy_install or pip (2.0.1) emits those warnings. Is there a more recent version? Thanks for the feedback. ~ Daniel
From: M.-A. Lemburg on 26 Jan 2010 18:22 Daniel wrote: > On Jan 26, 12:37 pm, "M.-A. Lemburg" <m...(a)egenix.com> wrote: >> Note that your code has a padding bug: the decoder doesn't >> undo the padding. You're lucky though, since pickle will only >> read as much data as it needs and not complain about the extra >> data it finds. > > Doesn't the last line in decrypt() do it? > > return data[:-ord(data[-1])] > > Given, it's a bit cryptic... no pun intended :) That's cryptic indeed... I just found that you're not padding with zero bytes, but instead with char(pad) where pad is the number of bytes you add: pad = AES_BLOCK_SIZE - len(data) % AES_BLOCK_SIZE data = data + pad * chr(pad) This code will pad with 16 bytes of chr(16) in case len(data) is in fact on a block size boundary. When using pickle, you don't need this, since pickle includes all necessary length information in the serialized data stream. I'd just pad with \0 and not worry about the extra bytes at the end when using pickle to serialize the objects. It's more important to worry about whether you really want to unpickle the data or not, since pickle opens up lots of possibilities of executing code on the decoding side of the communication channel. >>> Also, slightly related, is there an easy way to get the sha/md5 >>> deprecation warnings emitted by PyCrypto in Python 2.6 to go away? >> >> Yes: you silence them via the warnings module. I suppose that the >> latest version of PyCrypto fixes these warnings. > > The version that gets installed by easy_install or pip (2.0.1) emits > those warnings. Is there a more recent version? This is the most recent version: http://www.dlitz.net/software/pycrypto/ -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Jan 27 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
From: Daniel on 26 Jan 2010 19:07 geremy condra wrote: > I'd also note that you aren't supposed to use RandomPool anymore, OK, I updated the recipe to use os.urandom() > and that AES-192 is frequently recommended over AES-256 for > new applications due to a number of recent developments in > the cryptanalysis of its key schedule. Changed easily enough. The updated recipe defaults to AES-192. I also made one other minor tweak: the global constants were moved to class-level so they can be overridden more easily if needed. Daniel
From: Daniel on 26 Jan 2010 19:23 M.-A. Lemburg wrote: > Daniel wrote: > > On Jan 26, 12:37 pm, "M.-A. Lemburg" <m...(a)egenix.com> wrote: > >> Note that your code has a padding bug: the decoder doesn't > >> undo the padding. You're lucky though, since pickle will only > >> read as much data as it needs and not complain about the extra > >> data it finds. > > > Doesn't the last line in decrypt() do it? > > > return data[:-ord(data[-1])] > > > Given, it's a bit cryptic... no pun intended :) > > That's cryptic indeed... I just found that you're not padding > with zero bytes, but instead with char(pad) where pad is the > number of bytes you add: > > pad = AES_BLOCK_SIZE - len(data) % AES_BLOCK_SIZE > data = data + pad * chr(pad) > > This code will pad with 16 bytes of chr(16) in case len(data) > is in fact on a block size boundary. > > When using pickle, you don't need this, since pickle includes > all necessary length information in the serialized data stream. > > I'd just pad with \0 and not worry about the extra bytes > at the end when using pickle to serialize the objects. I think I'll leave the padding in there since it keeps the encrypt/ decrypt methods usable for non-pickle data. > It's more important to worry about whether you really > want to unpickle the data or not, since pickle opens > up lots of possibilities of executing code on the decoding > side of the communication channel. I understand the risks of unpickle. With strong, authenticated encryption I think it is reasonably safe to send an encrypted pickle through an untrusted medium (the Internet) and know that it has not been modified enroute. That is, unless someone has obtained the key, in which case I have a bigger problem to worry about. > >>> Also, slightly related, is there an easy way to get the sha/md5 > >>> deprecation warnings emitted by PyCrypto in Python 2.6 to go away? > > >> Yes: you silence them via the warnings module. I suppose that the > >> latest version of PyCrypto fixes these warnings. > > > The version that gets installed by easy_install or pip (2.0.1) emits > > those warnings. Is there a more recent version? > > This is the most recent version: > > http://www.dlitz.net/software/pycrypto/ Thanks. Daniel
First
|
Prev
|
Next
|
Last
Pages: 1 2 3 Prev: how can i know if a python object have a attribute such as'attr1'? Next: announcement: expy release 0.5 |