From: Daniel on
Just got done reading this thread:

http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3

and I'd appreciate feedback on this recipe:

http://code.activestate.com/recipes/576980/

Of course, it does not meet all of the requirements set forth by the
OP in the referenced thread (the pycrypto dependency is a problem),
but it is an attempt to provide a simple interface for performing
strong, password-based encryption. Are there already modules out there
that provide such a simple interface? If there are, they seem to be
hiding somewhere out of Google's view.

I looked at ezPyCrypto, but it seemed to require public and private
keys, which was not convenient in my situation... maybe password-based
encryption is trivial to do with ezPyCrypto as well? In addition to
ezPyCrypto, I looked at Google's keyczar, but despite the claims of
the documentation, the API seemed overly complicated. Is it possible
to have a simple API for an industry-strength encryption module? If
not, is it possible to document that complicated API such that a non-
cryptographer could use it and feel confident that he hadn't made a
critical mistake?

Also, slightly related, is there an easy way to get the sha/md5
deprecation warnings emitted by PyCrypto in Python 2.6 to go away?

~ Daniel
From: M.-A. Lemburg on
Daniel wrote:
> Just got done reading this thread:
>
> http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3
>
> and I'd appreciate feedback on this recipe:
>
> http://code.activestate.com/recipes/576980/
>
> Of course, it does not meet all of the requirements set forth by the
> OP in the referenced thread (the pycrypto dependency is a problem),
> but it is an attempt to provide a simple interface for performing
> strong, password-based encryption. Are there already modules out there
> that provide such a simple interface? If there are, they seem to be
> hiding somewhere out of Google's view.
>
> I looked at ezPyCrypto, but it seemed to require public and private
> keys, which was not convenient in my situation... maybe password-based
> encryption is trivial to do with ezPyCrypto as well? In addition to
> ezPyCrypto, I looked at Google's keyczar, but despite the claims of
> the documentation, the API seemed overly complicated. Is it possible
> to have a simple API for an industry-strength encryption module? If
> not, is it possible to document that complicated API such that a non-
> cryptographer could use it and feel confident that he hadn't made a
> critical mistake?

Yes, it is possible, but whatever you come up with will usually
be bound to just one (or a few) different use cases, e.g. just
look at the different cipher modes there are, the different key
sizes, block sizes (for block ciphers), IV strings, padding, etc.
etc.

Note that your code has a padding bug: the decoder doesn't
undo the padding. You're lucky though, since pickle will only
read as much data as it needs and not complain about the extra
data it finds.

You are also using CBC mode, even though you are really after
ECB mode (your code doesn't use chaining). With ECB mode, you
don't need the IV string.

> Also, slightly related, is there an easy way to get the sha/md5
> deprecation warnings emitted by PyCrypto in Python 2.6 to go away?

Yes: you silence them via the warnings module. I suppose that the
latest version of PyCrypto fixes these warnings.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jan 26 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
From: geremy condra on
On Tue, Jan 26, 2010 at 12:37 PM, M.-A. Lemburg <mal(a)egenix.com> wrote:

<snip>

> You are also using CBC mode, even though you are really after
> ECB mode (your code doesn't use chaining). With ECB mode, you
> don't need the IV string.

However, ECB mode is not as secure- the IV is the right way to go
here.

I'd also note that you aren't supposed to use RandomPool anymore,
and that AES-192 is frequently recommended over AES-256 for
new applications due to a number of recent developments in
the cryptanalysis of its key schedule.

Geremy Condra
From: Paul Rubin on
Daniel <millerdev(a)gmail.com> writes:
> Of course, it does not meet all of the requirements set forth by the
> OP in the referenced thread (the pycrypto dependency is a problem),
> but it is an attempt to provide a simple interface for performing
> strong, password-based encryption. Are there already modules out there
> that provide such a simple interface? If there are, they seem to be
> hiding somewhere out of Google's view.

http://www.nightsong.com/phr/crypto/p3.py

I need to update it to handle 64-bit OS's and use Python 3.x-style print
statements, but that is pretty trivial.
From: M.-A. Lemburg on
M.-A. Lemburg wrote:
> Daniel wrote:
>> Just got done reading this thread:
>>
>> http://groups.google.com/group/comp.lang.python/browse_thread/thread/b31a5b5f58084f12/0e09f5f5542812c3
>>
>> and I'd appreciate feedback on this recipe:
>>
>> http://code.activestate.com/recipes/576980/
>>
> [...]
> You are also using CBC mode, even though you are really after
> ECB mode (your code doesn't use chaining). With ECB mode, you
> don't need the IV string.

Sorry. Forget that last comment - your code does use chaining.
It's hidden away in the PyCrypto code for block cipher encoding:
the .encode() method will automatically apply the cipher to
all blocks of 32 byte input data and apply chaining to all
of them (initializing the data area with the IV string).

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Jan 26 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/