Encryption and hashing

[Kless]

Since that I'm working to let encrypt/hash data in the data base of my
projects I have been looking for libraries and/or wrappers. So I want
give my feedback about it.

In the first I found PyCrypto [1] but I see any problems:

* I think that isn't been maintained because the last modification of
its web was on 30 Sep 2006
* Since that has not been uploaded to SourceForge [2] we cann't know
when was released the last version
* There algorithms more secure and modern that it hasn't.

Then, I found 2 great C libraries that are being maintained and
updated with many algorithms. They're MCrypt [3] and MHash [4], and
both have released the last version on this year.

For who knows any of criptography I comment that you can use
algorithms as secure as Rijndael, Twofish, or Serpent with the CFB
cipher mode. And for hash you can use RIPEMD, SHA-2 or WHIRLPOOL.

And the best is that there are wrappers for Python [5] [6].
For if anybody is interested on playing with them:

In the first you need the headers. In Debian/Ubuntu:
$ sudo apt-cache install libmcrypt-dev libmhash-dev

$ wget http://labix.org/download/python-mcrypt/python-mcrypt-1.1.tar.gz
$ wget http://labix.org/download/python-mhash/python-mhash-1.4.tar.gz
$ tar xzf python-mcrypt*.tar.gz; tar xzf python-mhash*.tar.gz
$ cd python-mhash*; sudo python setup.py install; cd ..
$ cd python-mcrypt*; sudo python setup.py install; cd..


[1] http://www.amk.ca/python/code/crypto
[2] http://sourceforge.net/projects/pycrypto
[3] http://mcrypt.sourceforge.net/
[4] http://mhash.sourceforge.net/
[5] http://labix.org/python-mcrypt
[6] http://labix.org/python-mhash

 

[Laszlo Nagy]

For who knows any of criptography I comment that you can use
algorithms as secure as Rijndael, Twofish, or Serpent with the CFB
cipher mode. And for hash you can use RIPEMD, SHA-2 or WHIRLPOOL.

As I recall, PyCrypto can also use these, and many others. And it can
also do RSA.

And the best is that there are wrappers for Python [5] [6].

One advantage of PyCrypto is that it works on many platforms. If
standard C extensions are not available, it will fall back to a pure
python implementation. Well yes, sometimes it is slow. But it is also
much easier to use than pyOpenSSL, for example. (BTW you forgot to
mention some other popular ones, like pyOpenSSL, mcrypto2 etc.)

Laszlo

 

[Marshall T. Vandegrift]

For who knows any of criptography I comment that you can use
algorithms as secure as Rijndael, Twofish, or Serpent with the CFB
cipher mode. And for hash you can use RIPEMD, SHA-2 or WHIRLPOOL.

PyCrypto does includes the AES version of Rijndael as Crypto.Cipher.AES
and the 256-bit version of SHA-2 as Crypto.Hash.SHA256.

-Marshall

 

[Kless]

As I recall, PyCrypto can also use these, and many others. And it can
also do RSA.

These are the algorithms supported in the last version of PyCrypto:

$ ls pycrypto-2.0.1/src/
AES.c Blowfish.c DES.c IDEA.c
RIPEMD.c winrand.c
ARC2.c cast5.c _dsa.c MD2.c
_rsa.c XOR.c
ARC4.c CAST.c _fastmath.c MD4.c SHA256.c
block_template.c DES3.c hash_template.c RC5.c
stream_template.c

So it haven't Twofish, Serpent, neither Whirlpool. Neither many others.

 

[Paul Rubin]

So it haven't Twofish, Serpent, neither Whirlpool. Neither many others.

Unless you have an interoperability requirement or some other specific
issue, you should stick with AES and the SHA2 family. Don't make your
own cipher selections unless you know completely what you're doing.
This is especially the case for business applications in the US, since
AES and SHA are US federal standards and if you use them and something
goes wrong with them, you can at least say you followed the standard.
If you use anything else, you will have more to answer for.

 

[Laszlo Nagy]

These are the algorithms supported in the last version of PyCrypto:

$ ls pycrypto-2.0.1/src/
AES.c Blowfish.c DES.c IDEA.c
RIPEMD.c winrand.c
ARC2.c cast5.c _dsa.c MD2.c
_rsa.c XOR.c
ARC4.c CAST.c _fastmath.c MD4.c SHA256.c
block_template.c DES3.c hash_template.c RC5.c
stream_template.c

So it haven't Twofish, Serpent, neither Whirlpool. Neither many others.

OK sorry, I was wrong. Isn't blowfish a better version of twofish anyway?

 

[Paul Rubin]

OK sorry, I was wrong. Isn't blowfish a better version of twofish anyway?

No.

 

[Kless]

Unless you have an interoperability requirement or some other specific
issue, you should stick with AES and the SHA2 family. Don't make your
own cipher selections unless you know completely what you're doing.
This is especially the case for business applications in the US, since
AES and SHA are US federal standards and if you use them and something
goes wrong with them, you can at least say you followed the standard.
If you use anything else, you will have more to answer for.

Well, I only know that I choose the best public cryptographic
algorithms.

SHA-2 has been designed by the National Security Agency (NSA), and I'm
sure that many people trust on the NSA so that every people make its
election.
But I'm sure that many people will avoid use algorithms recommend by
the governement. And I don't know why , they always say the truth
and we must trust on them. I'm sure that having great experts on
cryptography they are not bee able of put a backdoor indetectable or
better to debilitate the algorithm so that it is easier to break it.