Encryption source code with md5

C

catalinfest

Dear friends .

I have two simple questions:
It is possible to encrypt with md5 python source code?
What option do I have to protect my python source code?

Thank you .
 
L

Lawrence D'Oliveiro

In message <91541c26-6f18-40c7-
(e-mail address removed)>, (e-mail address removed)
wrote:
It is possible to encrypt with md5 python source code?

Don’t use MD5.
What option do I have to protect my python source code?

Copyright.
 
I

Irmen de Jong

In message<91541c26-6f18-40c7-
(e-mail address removed)>, (e-mail address removed)
wrote:


Don’t use MD5.

Also, md5 is not an encryption algorithm at all, it is a secure hashing function.
(well, not so secure anymore nowadays, which probably is why Lawrence already wrote to
avoid using it).

irmen
 
C

catalinfest

I had a talk about Python and distribution of commercial products
created with python. This made me think of a way to protect my source
code to be distributed. I thought a live CD version and then to an
encryption method of a portion of source code. These thoughts are the
source of two questions.
 
S

Steve Holden

I had a talk about Python and distribution of commercial products
created with python. This made me think of a way to protect my source
code to be distributed. I thought a live CD version and then to an
encryption method of a portion of source code. These thoughts are the
source of two questions.

I'd suggest that you don't think about encrypting your source code until
you have a rather better handle on encryption technology. Your mention
of MD5, a hashing rather than an encryption algorithm, makes it clear
that you aren't familiar with the technologies at present.

There's nothing wrong with ignorance (I have a more than adequate supply
of my own), but in encryption it's *very* easy to make mistakes that
render whole systems vulnerable to trivial attack. So you do really need
to know what you are doing.

regards
Steve
 
H

Harishankar

I'd suggest that you don't think about encrypting your source code until
you have a rather better handle on encryption technology. Your mention
of MD5, a hashing rather than an encryption algorithm, makes it clear
that you aren't familiar with the technologies at present.

There's nothing wrong with ignorance (I have a more than adequate supply
of my own), but in encryption it's *very* easy to make mistakes that
render whole systems vulnerable to trivial attack. So you do really need
to know what you are doing.

regards
Steve

This article offers some good ideas and also sums up some good points
*against* code obfuscation.

http://stackoverflow.com/questions/261638/how-do-i-protect-python-code

Read it and judge whether the benefits of not obfuscating code outweighs
the advantages of obfuscating it.
 
S

Steven D'Aprano

I'd suggest that you don't think about encrypting your source code until
you have a rather better handle on encryption technology. Your mention
of MD5, a hashing rather than an encryption algorithm, makes it clear
that you aren't familiar with the technologies at present.

Furthermore, you should forget about encrypting your program until you
are sure that it is something that needs encrypting. In my experience,
most times newbies start waffling on about encrypting their precious code
(usually displaying total confusion about encryption technology), it
turns out their critical application is something like Notepad only with
fewer features.

Not that I'm jaded at all.
 
S

Steven D'Aprano

You can use hash functions for encryption.

The purpose of encryption is for the holder of the secret key to be able
to reverse the encryption easily and reliably, while nobody else can.
Hash functions fail on three counts.

Since there is no secret key to a hash function, if you can reverse it,
so can anyone. That alone rules it out as encryption.

Secondly, hash functions are generally difficult to reverse. For
cryptographic hash functions, ideally they should be impossible to
reverse short of trying every possible input.

Thirdly, even when reversible, hash functions have collisions.
Consequently, you can't be sure whether you have found the intended
message, or merely some random string which happens to accidentally hash
to the same value.

Admittedly if you found a message that *made sense*, you could make a
probabilistic argument that it probably was the original message. The
shorter the message, the more you could be confident that you had found
the right one: there is probably only one short, grammatically correct,
semantically meaningful English sentence of less than ten words that has
a MD5 hex digest of 22008290c5d1ff0bd5fae9e425b01d41, so if you find one,
it probably will be "Meet at railway station at 3pm".

On the other hand, there are a very large number of (say) 20GB data files
that hash to 22008290c5d1ff0bd5fae9e425b01d41, and probably no practical
way of distinguishing the true message from the false collisions. Even if
you can distinguish them, since the cost of reversing the hash is
prohibitive, every false positive hurts you a lot.

Of course, none of this is to prohibit using a hash function as a
component of a larger encryption scheme.
 
R

Robert Kern

You can use hash functions for encryption.

You can *build* an encryption algorithm out of hash functions as a primitive,
yes. Paul Rubin's p3.py is an example of using SHA-1 to build an encryption
algorithm:

http://www.nightsong.com/phr/crypto/p3.py

However, a hash function is not an encryption algorithm itself. One does not
"encrypt with md5" as the OP asked. For crypto-knowledgeable people, this may
just be an issue of terminology (although I think an important one), but I think
it demonstrates the ignorance of the OP and the need for Irmen's clarification.

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
 
G

geremy condra

You can *build* an encryption algorithm out of hash functions as a
primitive, yes. Paul Rubin's p3.py is an example of using SHA-1 to build an
encryption algorithm:

 http://www.nightsong.com/phr/crypto/p3.py

However, a hash function is not an encryption algorithm itself. One does not
"encrypt with md5" as the OP asked. For crypto-knowledgeable people, this
may just be an issue of terminology (although I think an important one), but
I think it demonstrates the ignorance of the OP and the need for Irmen's
clarification.

I don't mean to disrespect Paul Rubin, but p3.py comes up in every discussion
of cryptography in python on this list and, AFAICT, has yet to come under
significant cryptanalytic scrutiny. That doesn't make it a bad example in this
case, but I would caution the OP that it probably doesn't make it a good
candidate for your encryption needs.

Geremy Condra
 
R

Robert Kern

I don't mean to disrespect Paul Rubin, but p3.py comes up in every discussion
of cryptography in python on this list and, AFAICT, has yet to come under
significant cryptanalytic scrutiny. That doesn't make it a bad example in this
case, but I would caution the OP that it probably doesn't make it a good
candidate for your encryption needs.

For people looking for standardized cryptography, Google works fine to find
PyCrypto or M2Crypto. p3 comes up so often in this group because people that
need to ask here are looking for reasonably performant, pure-Python crypto, and
p3 is the best-of-breed given those constraints (it happens to be mentioned here
as an example, not a recommendation). Its security derives from its use of
standardized, well-scrutinized components (and no, the recent attacks on SHA-1
do not affect the security properties that p3 relies on). It will probably never
receive the kind of attention that AES or the rest get because it will never be
fast enough to even be considered a peer of those algorithms.

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
 
G

geremy condra

For people looking for standardized cryptography, Google works fine to find
PyCrypto or M2Crypto. p3 comes up so often in this group because people that
need to ask here are looking for reasonably performant, pure-Python crypto,
and p3 is the best-of-breed given those constraints (it happens to be
mentioned here as an example, not a recommendation). Its security derives
from its use of standardized, well-scrutinized components (and no, the
recent attacks on SHA-1 do not affect the security properties that p3 relies
on). It will probably never receive the kind of attention that AES or the
rest get because it will never be fast enough to even be considered a peer
of those algorithms.

I have no comment on why it hasn't received substantial attention; my point
is simply that it hasn't, and that without that scrutiny it probably isn't wise
to depend on its security. There are plenty of tried-and-true cryptosystems
to use; people without an extensive knowledge of what they're getting into
should be encouraged to use them. Apologies if it sounded like I was
claiming more.

Geremy Condra
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top