Can anyone suggest a good crypto package?

Discussion in 'Python' started by Fett, Sep 4, 2008.

  1. Fett

    Fett Guest

    I need a crypto package that works on windows with python 2.5. Can
    anyone suggest one for me?

    I have been searching for a couple days for a good cryptography
    package to use for public/private key encryption, at this point I
    would settle for symmetric even.

    Every encryption package I have found for python was either operating
    system specific (read *nix only):
    http://www.freenet.org.nz/ezPyCrypto/
    http://www.keyczar.org/

    There was one exception, this version was specifically built to run on
    any platform (yay), but the compiler for windows complained that I
    wasn't using python2.2 (though the package was said to only need 2.2
    or newer).

    Is there any crypto package that is actually written in python? I
    seriously don't care how slow it is.
    Fett, Sep 4, 2008
    #1

  2. On Sep 4, 1:39 pm, Fett <> wrote:
    > I need a crypto package that works on windows with python 2.5. Can
    > anyone suggest one for me?
    >
    > I have been searching for a couple days for a good cryptography
    > package to use for public/private key encryption, at this point I
    > would settle for symmetric even.
    >
    > Every encryption package I have found for python was either operating
    > system specific (read *nix only):
    > http://www.freenet.org.nz/ezPyCrypto/
    > http://www.keyczar.org/
    >
    > There was one exception, this version was specifically built to run on
    > any platform (yay), but the compiler for windows complained that I
    > wasn't using python2.2 (though the package was said to only need 2.2
    > or newer).
    >
    > Is there any crypto package that is actually written in python? I
    > seriously don't care how slow it is.


    How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads

    Mike
    Mike Driscoll, Sep 4, 2008
    #2

  3. Fett

    Fett Guest

    On Sep 4, 2:23 pm, Mike Driscoll <> wrote:
    > On Sep 4, 1:39 pm, Fett <> wrote:
    >
    >
    >
    > > I need a crypto package that works on windows with python 2.5. Can
    > > anyone suggest one for me?

    >
    > > I have been searching for a couple days for a good cryptography
    > > package to use for public/private key encryption, at this point I
    > > would settle for symmetric even.

    >
    > > Every encryption package I have found for python was either operating
    > > system specific (read *nix only):
    > > http://www.freenet.org.nz/ezPyCrypto/
    > > http://www.keyczar.org/

    >
    > > There was one exception, this version was specifically built to run on
    > > any platform (yay), but the compiler for windows complained that I
    > > wasn't using python2.2 (though the package was said to only need 2.2
    > > or newer).

    >
    > > Is there any crypto package that is actually written in python? I
    > > seriously don't care how slow it is.

    >
    > How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads
    >
    > Mike


    Seems that this is intended more for webapps or something, I intend to
    use this for a client application. This means that I can't require
    outside dependencies, or I risk annoying the clients (if you have
    installed many open-source projects with dependencies that aren't
    handled by portage/apt-get, you know what I would be doing to them).

    I seriously can't believe that there isn't a single python native
    crypto package. Why do they all need to have outside dependencies?
    Fett, Sep 4, 2008
    #3
  4. On Sep 4, 2:50 pm, Fett <> wrote:
    > On Sep 4, 2:23 pm, Mike Driscoll <> wrote:
    >
    >
    >
    > > On Sep 4, 1:39 pm, Fett <> wrote:

    >
    > > > I need a crypto package that works on windows with python 2.5. Can
    > > > anyone suggest one for me?

    >
    > > > I have been searching for a couple days for a good cryptography
    > > > package to use for public/private key encryption, at this point I
    > > > would settle for symmetric even.

    >
    > > > Every encryption package I have found for python was either operating
    > > > system specific (read *nix only):
    > > > http://www.freenet.org.nz/ezPyCrypto/
    > > > http://www.keyczar.org/

    >
    > > > There was one exception, this version was specifically built to run on
    > > > any platform (yay), but the compiler for windows complained that I
    > > > wasn't using python2.2 (though the package was said to only need 2.2
    > > > or newer).

    >
    > > > Is there any crypto package that is actually written in python? I
    > > > seriously don't care how slow it is.

    >
    > > How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads

    >
    > > Mike

    >
    > Seems that this is intended more for webapps or something, I intend to
    > use this for a client application. This means that I can't require
    > outside dependencies, or I risk annoying the clients (if you have
    > installed many open-source projects with dependencies that aren't
    > handled by portage/apt-get, you know what I would be doing to them).
    >
    > I seriously can't believe that there isn't a single python native
    > crypto package. Why do they all need to have outside dependencies?


    If you are distributing your application on Windows (which is what
    your original post implied), then you can easily roll up dependencies
    with py2exe / Gui2Exe and something like Inno Setup or NSIS. I'm going
    to try to compile the crypto package (http://www.amk.ca/python/code/
    crypto) into an installer for 2.5, but no promises.

    Mike
    Mike Driscoll, Sep 4, 2008
    #4
  5. Fett

    Paul Rubin Guest

    Fett <> writes:
    > Is there any crypto package that is actually written in python? I
    > seriously don't care how slow it is.


    I wrote a simple symmetric encryption function in python:

    http://nightsong.com/phr/crypto/p3.py

    I wrote a somewhat fancier package that did public key a while back,
    that is unreleased because of insufficient testing and some features
    I'd like to have done differently, but I ought to get around to
    cleaning it up sometime.

    There is also tlslite, which you might be able to extract
    some public key functions from: http://trevp.net/tlslite
    Paul Rubin, Sep 4, 2008
    #5
  6. Fett

    Trent Nelson Guest

    On Thu, Sep 04, 2008 at 11:39:42AM -0700, Fett wrote:
    > I need a crypto package that works on windows with python 2.5. Can
    > anyone suggest one for me?


    You could always rely on the APIs Windows provides to do this
    sort of stuff, either via pywin32 or ctypes.

    Trent.
    Trent Nelson, Sep 4, 2008
    #6
  7. Fett

    Fett Guest

    On Sep 4, 3:09 pm, Paul Rubin <http://> wrote:
    > Fett <> writes:
    > > Is there any crypto package that is actually written in python? I
    > > seriously don't care how slow it is.

    >
    > I wrote a simple symmetric encryption function in python:
    >
    >  http://nightsong.com/phr/crypto/p3.py
    >
    > I wrote a somewhat fancier package that did public key a while back,
    > that is unreleased because of insufficient testing and some features
    > I'd like to have done differently, but I ought to get around to
    > cleaning it up sometime.
    >
    > There is also tlslite, which you might be able to extract
    > some public key functions from:  http://trevp.net/tlslite


    Wow, I have no idea how that works, but I think it will do nicely. The
    main goal is simply to ensure that data coming in (from a website), is
    valid (ie. posted by me). The site is supposedly secure, and the code
    only accepts data of the type I expect, so the only security risk was
    someone posting bad data. This simple method should stop anyone from
    bothering to do even that.

    Kudos for writing the code in a way that I can see how it is used,
    even without documentation this is small enough to dissect.

    Thank you, I think we have a winner. (BTW, I have no idea how this
    whole encrypting gives many strings, decrypting all gives the correct
    one works, but it sure seems to work just fine, more fully featured
    than I even felt I needed.)
    Fett, Sep 4, 2008
    #7
  8. Fett wrote:
    > On Sep 4, 2:23 pm, Mike Driscoll <> wrote:
    >> How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads

    >
    > Seems that this is intended more for webapps or something,


    Why do you think so? It's a C wrapper module around the
    OpenSSL crypto libs.

    Ciao, Michael.
    Michael Ströder, Sep 5, 2008
    #8
  9. On 2008-09-04 20:39, Fett wrote:
    > I need a crypto package that works on windows with python 2.5. Can
    > anyone suggest one for me?
    >
    > I have been searching for a couple days for a good cryptography
    > package to use for public/private key encryption, at this point I
    > would settle for symmetric even.


    I'm not really sure what you're after, but if it's about end-to-end
    encryption and authentication, then OpenSSL is the way to go, e.g.
    using pyOpenSSL:

    http://www.egenix.com/products/python/pyOpenSSL/

    > Every encryption package I have found for python was either operating
    > system specific (read *nix only):
    > http://www.freenet.org.nz/ezPyCrypto/
    > http://www.keyczar.org/
    >
    > There was one exception, this version was specifically built to run on
    > any platform (yay), but the compiler for windows complained that I
    > wasn't using python2.2 (though the package was said to only need 2.2
    > or newer).
    >
    > Is there any crypto package that is actually written in python? I
    > seriously don't care how slow it is.


    --
    Marc-Andre Lemburg
    eGenix.com

    M.-A. Lemburg, Sep 5, 2008
    #9
  10. Fett

    Paul Rubin Guest

    Fett <> writes:
    > Wow, I have no idea how that works, but I think it will do nicely. The
    > main goal is simply to ensure that data coming in (from a website), is
    > valid (ie. posted by me).


    If you just want to authenticate the strings without confidentiality,
    use the built-in HMAC module. But beware of replay attacks.

    > Thank you, I think we have a winner. (BTW, I have no idea how this
    > whole encrypting gives many strings, decrypting all gives the correct
    > one works,


    The plaintext gets a random string attached at encryption time, and
    the random string gets removed at decryption. Of course there are
    many possible random strings, so many possible ciphertexts for each
    plaintext. That means the ciphertext is necessarily somewhat longer
    than the plaintext, so you have to be willing to deal with that.

    Note there's possibly a lot of other subtle issues you have to be
    careful of, like if you're authenticating a series of messages, how do
    you detect if one has been repeated or dropped from the middle?
    Until you've got all that figured out, you are leaving attacks possible.
    Paul Rubin, Sep 5, 2008
    #10
  11. Fett

    Fett Guest

    On Sep 4, 8:04 pm, Paul Rubin <http://> wrote:
    > If you just want to authenticate the strings without confidentiality,
    > use the built-in HMAC module. But beware of replay attacks.


    I looked into this and it looks like I might be able to get by with
    this. I didn't find this function before, I am asking my primary
    customer if the signature would be sufficient.

    I am having trouble seeing how I would post the encrypted data to a
    website and get it back without it changing some. So this option might
    work better for me (at least quicker), if he's ok with that option.

    By replay attack I assume you mean posting old data with the signature
    that is valid for that data? Thanks for the warning, I suppose I could
    include a date/timestamp in the data.

    Thanks again, this has been very helpful.
    Fett, Sep 5, 2008
    #11
  12. Fett

    Paul Rubin Guest

    Fett <> writes:
    > I am having trouble seeing how I would post the encrypted data to a
    > website and get it back without it changing some.


    I don't understand why it would change. I'm a little confused though,
    I didn't realize you wanted to post the data to a web site. What
    exactly are you trying to do?

    > By replay attack I assume you mean posting old data with the signature
    > that is valid for that data?


    Yes, the usual case is injecting an old message into a sequence of
    messages that is part of a protocol.

    > Thanks for the warning, I suppose I could include a date/timestamp
    > in the data.


    Be aware in general that security is a messy and difficult subject and
    there are a lot of subtle errors you can make. You might look at some
    of the articles at www.dwheeler.com or the book "Security Engineering"
    (http://www.cl.cam.ac.uk/~rja14/book.html) to see some of the issues.
    Paul Rubin, Sep 6, 2008
    #12
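
The HMAC and replay discussion in posts #10 to #12, as an added example that is not code from any poster in this thread: each message carries a sequence number and timestamp under the HMAC tag, so the receiver can reject forged, stale, repeated, or out-of-order messages (a timestamp alone still permits replay inside the freshness window). The names `seal` and `Verifier`, the header layout, the sample key and the 300-second window are assumptions, and the code targets current Python 3 rather than 2.5.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key
HEADER = struct.Struct(">QQ")   # assumed layout: sequence number, Unix timestamp
TAG_LEN = hashlib.sha256().digest_size


def seal(key, seq, ts, payload):
    """Return header || payload || tag; the tag covers header and payload."""
    body = HEADER.pack(seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Receiver state for one sender: the next sequence number it will accept."""

    def __init__(self, key, max_age=300):   # 300 s window is an assumed policy
        self.key = key
        self.max_age = max_age
        self.next_seq = 0

    def verify(self, blob, now):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(blob) < HEADER.size + TAG_LEN:
            return ("truncated", None)
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; check the tag before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return ("bad-tag", None)
        seq, ts = HEADER.unpack(body[:HEADER.size])
        if abs(now - ts) > self.max_age:
            return ("stale", None)
        if seq < self.next_seq:
            return ("replay", None)      # already accepted once
        if seq > self.next_seq:
            return ("gap", None)         # an earlier message is missing
        self.next_seq += 1
        return ("ok", body[HEADER.size:])


def demo():
    """Run constructed messages through a verifier and collect the statuses."""
    v = Verifier(KEY)
    m0, m1 = seal(KEY, 0, 1000, b"first"), seal(KEY, 1, 1010, b"second")
    forged = m1[:HEADER.size] + b"SECOND" + m1[-TAG_LEN:]
    return [v.verify(m0, 1001)[0], v.verify(m0, 1002)[0],
            v.verify(forged, 1011)[0], v.verify(m1, 1011)[0]]


if __name__ == "__main__":
    print(demo())
```
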
  13. Fett wrote:
    > On Sep 4, 2:23 pm, Mike Driscoll <> wrote:
    >> On Sep 4, 1:39 pm, Fett <> wrote:
    >>
    >>
    >>
    >>> I need a crypto package that works on windows with python 2.5. Can
    >>> anyone suggest one for me?
    >>> I have been searching for a couple days for a good cryptography
    >>> package to use for public/private key encryption, at this point I
    >>> would settle for symmetric even.
    >>> Every encryption package I have found for python was either operating
    >>> system specific (read *nix only):
    >>> http://www.freenet.org.nz/ezPyCrypto/
    >>> http://www.keyczar.org/
    >>> There was one exception, this version was specifically built to run on
    >>> any platform (yay), but the compiler for windows complained that I
    >>> wasn't using python2.2 (though the package was said to only need 2.2
    >>> or newer).
    >>> Is there any crypto package that is actually written in python? I
    >>> seriously don't care how slow it is.

    >> How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads
    >>
    >> Mike

    >
    > Seems that this is intended more for webapps or something, I intend to
    > use this for a client application. This means that I can't require
    > outside dependencies, or I risk annoying the clients (if you have
    > installed many open-source projects with dependencies that aren't
    > handled by portage/apt-get, you know what I would be doing to them).
    >
    > I seriously can't believe that there isn't a single python native
    > crypto package. Why do they all need to have outside dependencies?



    Hi, maybe I'm a little late but today scanning through "The daily
    Python-URL" I came through something that might be pertinent.

    The link is http://www.keyczar.org/
    And here is the intro to the site :
    """
    Keyczar is an open source cryptographic toolkit designed to make it
    easier and safer for developers to use cryptography in their
    applications. Keyczar supports authentication and encryption with both
    symmetric and asymmetric keys. Some features of Keyczar include:

    * A simple API
    * Key rotation and versioning
    * Safe default algorithms, modes, and key lengths
    * Automated generation of initialization vectors and ciphertext
    signatures
    * Java and Python implementations (C++ coming soon)
    * International support in Java (Python coming soon)

    Keyczar was originally developed by members of the Google Security Team
    and is released under an Apache 2.0 license.
    """

    HTH
    Ricardo Aráoz, Sep 10, 2008
    #13
