snippetpythonMinor
Canonical Python symmetric cryptography example
Viewed 0 times
canonicalsymmetricexamplepythoncryptography
Problem
Python Cryptography Example
Last weekend I wrote some code to help people use PyCrypto in a canonical fashion to symmetrically encrypt and decrypt strings and files. By canonical I mean I've followed Colin Percival's advice in Cryptographic Right Answers.
The code isn't very verbose, and I'd appreciate any comments or questions about the code, the tests, and the documentation. After I get this review I'm going to submit this to Security Stack Exchange for a design review.
Source code and a subset of tests follow:
crypto.py:
```
# ---------------------------------------------------------------------------
# Copyright (c) 2012 Asim Ihsan (asim dot ihsan at gmail dot com)
# Distributed under the MIT/X11 software license, see the accompanying
# file license.txt or http://www.opensource.org/licenses/mit-license.php.
# ---------------------------------------------------------------------------
import os
import sys
import struct
import cStringIO as StringIO
import bz2
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, HMAC
from Crypto.Protocol.KDF import PBKDF2
# ----------------------------------------------------------------------------
# Constants.
# ----------------------------------------------------------------------------
# Length of salts in bytes.
salt_length_in_bytes = 16
# Hash function to use in general.
hash_function = SHA256
# PBKDF pseudo-random function. Used to mix a password and a salt.
# See Crypto\Protocol\KDF.py
pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
# PBKDF count, number of iterations.
pbkdf2_count = 1000
# PBKDF derived key length.
pbkdf2_dk_len = 32
# ----------------------------------------------------------------------------
class HMACIsNotValidException(Exception):
pass
class InvalidFormatException(Exception):
def __init__(self, reason):
self.reason = reason
def __str__(self):
return repr(self.reason)
class CTRCounter:
""" Callable class that returns an iterat
Last weekend I wrote some code to help people use PyCrypto in a canonical fashion to symmetrically encrypt and decrypt strings and files. By canonical I mean I've followed Colin Percival's advice in Cryptographic Right Answers.
The code isn't very verbose, and I'd appreciate any comments or questions about the code, the tests, and the documentation. After I get this review I'm going to submit this to Security Stack Exchange for a design review.
Source code and a subset of tests follow:
crypto.py:
```
# ---------------------------------------------------------------------------
# Copyright (c) 2012 Asim Ihsan (asim dot ihsan at gmail dot com)
# Distributed under the MIT/X11 software license, see the accompanying
# file license.txt or http://www.opensource.org/licenses/mit-license.php.
# ---------------------------------------------------------------------------
import os
import sys
import struct
import cStringIO as StringIO
import bz2
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, HMAC
from Crypto.Protocol.KDF import PBKDF2
# ----------------------------------------------------------------------------
# Constants.
# ----------------------------------------------------------------------------
# Length of salts in bytes.
salt_length_in_bytes = 16
# Hash function to use in general.
hash_function = SHA256
# PBKDF pseudo-random function. Used to mix a password and a salt.
# See Crypto\Protocol\KDF.py
pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
# PBKDF count, number of iterations.
pbkdf2_count = 1000
# PBKDF derived key length.
pbkdf2_dk_len = 32
# ----------------------------------------------------------------------------
class HMACIsNotValidException(Exception):
pass
class InvalidFormatException(Exception):
def __init__(self, reason):
self.reason = reason
def __str__(self):
return repr(self.reason)
class CTRCounter:
""" Callable class that returns an iterat
Solution
Well then, I guess no one is stepping up to review the code! I've been thinking it over and reading over the code and tests a few times and have come up with the following review comments. These comments apply to the git branch at commit 655694e.
If anyone has anything else to add please let me know, thanks.
- crypto.py line 171 compares the calculated HMAC with the correct HMAC using a linear-time comparison operator. This leaks potentially useful information via a timing attack if this function is used as part of a web service. Fix is to use Nate Lawson's constant-time comparison function, described by Coda Hale here.
- crypto.py lines 39 and 42. All different exceptions thrown by this library should derive from a base "BaseCryptoException". This allows callers to catch the base exception, in cases where they don't care why the decryption failed.
- crypto.py line 211. Why is the PBKDF2 iteration count (1000) hard-coded? I agree the caller maybe shouldn't be allowed to modify this, because we want to simply the API. But we may need to increase this number depending on the speed of the machine in use. Automatically determining a constant to use also seems too complicated. I suggest allowing the caller to set a value, with it set to 1000 by default. You'll also want to pack this as an unsigned integer ("I") rather than an unsigned short ("H") in order to allow > 65535 values.
- test_crypto.py lines 31 and 39. Damaging the ciphertext payload and then attempting decryption needs to be more comprehensive. I suggest testing that strings that have a bit-wise Levenshtein edit distance of one (i.e. all strings with one bit added, removed, or toggled) fail decryption either because the format is wrong or because the HMAC fails.
If anyone has anything else to add please let me know, thanks.
Context
StackExchange Code Review Q#10746, answer score: 3
Revisions (0)
No revisions yet.