Authenticated encryption with PyCrypto
in [Python]
|
Prev: how can i know if a python object have a attribute such as'attr1'?
Next: announcement: expy release 0.5
From: Daniel on 26 Jan 2010 00:26 Just got done reading this thread: http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3 and I'd appreciate feedback on this recipe: http://code.activestate.com/recipes/576980/ Of course, it does not meet all of the requirements set forth by the OP in the referenced thread (the pycrypto dependency is a problem), but it is an attempt to provide a simple interface for performing strong, password-based encryption. Are there already modules out there that provide such a simple interface? If there are, they seem to be hiding somewhere out of Google's view. I looked at ezPyCrypto, but it seemed to require public and private keys, which was not convenient in my situation... maybe password-based encryption is trivial to do with ezPyCrypto as well? In addition to ezPyCrypto, I looked at Google's keyczar, but despite the claims of the documentation, the API seemed overly complicated. Is it possible to have a simple API for an industry-strength encryption module? If not, is it possible to document that complicated API such that a non- cryptographer could use it and feel confident that he hadn't made a critical mistake? Also, slightly related, is there an easy way to get the sha/md5 deprecation warnings emitted by PyCrypto in Python 2.6 to go away? ~ Daniel
From: M.-A. Lemburg on 26 Jan 2010 12:37 Daniel wrote: > Just got done reading this thread: > > http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3 > > and I'd appreciate feedback on this recipe: > > http://code.activestate.com/recipes/576980/ > > Of course, it does not meet all of the requirements set forth by the > OP in the referenced thread (the pycrypto dependency is a problem), > but it is an attempt to provide a simple interface for performing > strong, password-based encryption. Are there already modules out there > that provide such a simple interface? If there are, they seem to be > hiding somewhere out of Google's view. > > I looked at ezPyCrypto, but it seemed to require public and private > keys, which was not convenient in my situation... maybe password-based > encryption is trivial to do with ezPyCrypto as well? In addition to > ezPyCrypto, I looked at Google's keyczar, but despite the claims of > the documentation, the API seemed overly complicated. Is it possible > to have a simple API for an industry-strength encryption module? If > not, is it possible to document that complicated API such that a non- > cryptographer could use it and feel confident that he hadn't made a > critical mistake? Yes, it is possible, but whatever you come up with will usually be bound to just one (or a few) different use cases, e.g. just look at the different cipher modes there are, the different key sizes, block sizes (for block ciphers), IV strings, padding, etc. etc. Note that your code has a padding bug: the decoder doesn't undo the padding. You're lucky though, since pickle will only read as much data as it needs and not complain about the extra data it finds. You are also using CBC mode, even though you are really after ECB mode (your code doesn't use chaining). With ECB mode, you don't need the IV string. > Also, slightly related, is there an easy way to get the sha/md5 > deprecation warnings emitted by PyCrypto in Python 2.6 to go away? Yes: you silence them via the warnings module. I suppose that the latest version of PyCrypto fixes these warnings. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Jan 26 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
From: geremy condra on 26 Jan 2010 14:40 On Tue, Jan 26, 2010 at 12:37 PM, M.-A. Lemburg <mal(a)egenix.com> wrote: <snip> > You are also using CBC mode, even though you are really after > ECB mode (your code doesn't use chaining). With ECB mode, you > don't need the IV string. However, ECB mode is not as secure- the IV is the right way to go here. I'd also note that you aren't supposed to use RandomPool anymore, and that AES-192 is frequently recommended over AES-256 for new applications due to a number of recent developments in the cryptanalysis of its key schedule. Geremy Condra
From: Paul Rubin on 26 Jan 2010 14:45 Daniel <millerdev(a)gmail.com> writes: > Of course, it does not meet all of the requirements set forth by the > OP in the referenced thread (the pycrypto dependency is a problem), > but it is an attempt to provide a simple interface for performing > strong, password-based encryption. Are there already modules out there > that provide such a simple interface? If there are, they seem to be > hiding somewhere out of Google's view. http://www.nightsong.com/phr/crypto/p3.py I need to update it to handle 64-bit OS's and use Python 3.x-style print statements, but that is pretty trivial.
From: M.-A. Lemburg on 26 Jan 2010 15:52 M.-A. Lemburg wrote: > Daniel wrote: >> Just got done reading this thread: >> >> http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3 >> >> and I'd appreciate feedback on this recipe: >> >> http://code.activestate.com/recipes/576980/ >> > [...] > You are also using CBC mode, even though you are really after > ECB mode (your code doesn't use chaining). With ECB mode, you > don't need the IV string. Sorry. Forget that last comment - your code does use chaining. It's hidden away in the PyCrypto code for block cipher encoding: the .encode() method will automatically apply the cipher to all blocks of 32 byte input data and apply chaining to all of them (initializing the data area with the IV string). -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Jan 26 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
|
Next
|
Last
Pages: 1 2 3 Prev: how can i know if a python object have a attribute such as'attr1'? Next: announcement: expy release 0.5 |