Pycrypto - active ??

[dirvine]

Does anyone know if pycrypto is active at all. I have been browsing
groups etc. for some info and have found entries from 2003 (latest)
regarding some bits I was looking for in particular reference to
symmetrical encoding (AES) and auto padding and supply or not of iv to
set up method i.e

from Crypto.Cipher import AES
from Crypto.Hash import SHA256
import random
import zlib
s = SHA256.new()
s.update('secret')
key = s.digest()
x = AES.new(key, AES.MODE_CBC) # should be (key,AES.MODE_CBC,iv)

iv should according to docs (which also look very old) should be a
random number equal to the size of data blocks (in CBC or EBC). Does
anyone know if by not supplying iv - is the data secure or not ??

Auto iv and auto padding would help this project a lot but unknown as
to whether they exist. I may be missing an important point here though
- so correct me where you will.

It would appear to be a great shame if pyCrypto has stalled or not
taken on board more seriously, there's great talk of implementing TLS,
SSL etc. in the lists but little support of this visible in code or
docs. The docs examples don't exist in code but getting them from ATTIC
in cvs shows they are not stable, possibly not secure and not
representative of the code now (and that's a couple of years ago)


as an aside I have found a way to pad and remove padding at decrypt is
quite simple, use zlib.compress -> pad -> encrypt
then
decrypt -> zlib.decompress and its just your data minus padding.

 

[wittempj]

Well, the homepage of Pycrypto (http://www.amk.ca/python/code/crypto)
was modified las in December 2005 - quite recent imo. It is used e.g.
in the paramiko package (http://www.lag.net/paramiko/) for the most(?)
used ssh implementation in Python, so my guess it is active.

 

[dirvine]

Yes the homepage says updated, but I think that refers to more than
just pycrypto. The data etc. all seems old. Perhaps it's at it's level
?

I just wonder if the project itself is active and more recent docs
exist to answer some of the questions I have posed.

I certainly hope theres some answers.

 

[Paul Rubin]

I just wonder if the project itself is active and more recent docs
exist to answer some of the questions I have posed.

I certainly hope theres some answers.

You mentioned TLS/SSL, so I hope you do know about <http://trevp.com/tlslite>.
But that doesn't answer your immediate question about Pycrypto.

 

[dirvine]

Thanks Paul

I will check this out. Perhaps theres a case for pycrypto to be
revamped and perhaps a new python cryptographic page to be created
mentioning all these projects. I have foudn it a bit difficult to find
info on this area. Mny thanks for this though.

 

[Frank Millman]

Thanks Paul

I will check this out. Perhaps theres a case for pycrypto to be
revamped and perhaps a new python cryptographic page to be created
mentioning all these projects. I have foudn it a bit difficult to find
info on this area. Mny thanks for this though.

Just as a BTW -

I have recently installed TLSLite on linux and on MSW, and it seems to
work fine

The docs say that if you have any of m2crypto, cryptlib, pycrypto, or
GMPY installed, it will be used for fast cryptographic operations. I
installed M2Crypto on linux, and indeed, after the initial handshake,
there is hardly any noticeable slowdown.

However, I have not found an MSW binary for Python 2.4 for any of the
above packages. TLSLite works ok by itself, but it is noticeably slower
when transferring large amounts of data.

Frank Millman

 

[Alex Martelli]

The docs say that if you have any of m2crypto, cryptlib, pycrypto, or
GMPY installed, it will be used for fast cryptographic operations. I ...
However, I have not found an MSW binary for Python 2.4 for any of the
above packages. TLSLite works ok by itself, but it is noticeably slower
when transferring large amounts of data.

There are several Windows binaries of GMPY for 2.4 on sourceforge.net,
optimized for different intel and AMD processors. Since gmpy.sf.net is
gmpy's home, I don't understand what you mean by "have not found".


Alex

 

[Frank Millman]

There are several Windows binaries of GMPY for 2.4 on sourceforge.net,
optimized for different intel and AMD processors. Since gmpy.sf.net is
gmpy's home, I don't understand what you mean by "have not found".


Alex

Apologies for the misinformation. You are correct, and I am
embarrassed.

I have revisited what I did a week ago, and I now recall that I *did*
successfully install GMPY, but it made no difference to the speed of
TLSLite. I could try to dig deeper by examining the source code of
TLSLite, but it is low priority for me at present. The fact that I got
SSL/TLS working is a big win, and the speed test was a theoretical
exercise. For practical purposes, it is fast enough.

Sorry for causing confusion.

Frank

 

[Paul Rubin]

I have revisited what I did a week ago, and I now recall that I *did*
successfully install GMPY, but it made no difference to the speed of
TLSLite. I could try to dig deeper by examining the source code of
TLSLite, but it is low priority for me at present. The fact that I got
SSL/TLS working is a big win, and the speed test was a theoretical
exercise. For practical purposes, it is fast enough.

TLSLite's main causes of slowness are: 1) time needed compiling and
loading all the modules, especially the first time you run it in a new
installation; 2) very slow speed of the symmetric ciphers implemented
in Python. You need m2crypto, cryptlib, or pycrypto to speed these
symmetric operations up.

GMPY speeds up the public key operations, which otherwise use Python's
native long int arithmetic. But the public key operation is done only
at the start of the session, and Python's arithmetic (though slower
than GMPY) is implemented in C and is not all that bad. On a modern
machine, the difference from GMPY is maybe a few tens of milliseconds
at the start of the TLS session, and none at all (the public key phase
is finished) once the session is established.

TLSLite is so far not really a complete SSL implementation by itself.
It doesn't know how to properly check the signatures on certificate
chains. It has to use an external module like m2crypto for that.

 

[Frank Millman]

TLSLite's main causes of slowness are: 1) time needed compiling and
loading all the modules, especially the first time you run it in a new
installation; 2) very slow speed of the symmetric ciphers implemented
in Python. You need m2crypto, cryptlib, or pycrypto to speed these
symmetric operations up.

Right. These are the ones that I could not find Python 2.4 binaries
for.

GMPY speeds up the public key operations, which otherwise use Python's
native long int arithmetic. But the public key operation is done only
at the start of the session, and Python's arithmetic (though slower
than GMPY) is implemented in C and is not all that bad. On a modern
machine, the difference from GMPY is maybe a few tens of milliseconds
at the start of the TLS session, and none at all (the public key phase
is finished) once the session is established.

Interesting. This explains my results. Thanks for the detailed info.

TLSLite is so far not really a complete SSL implementation by itself.
It doesn't know how to properly check the signatures on certificate
chains. It has to use an external module like m2crypto for that.

When you say "It has to ...", do you mean that TLSLite will do this
automatically if m2crypto is installed, or is it up to me to call the
m2crypto functions to perform this check?

TIA

Frank

 

[Paul Rubin]

When you say "It has to ...", do you mean that TLSLite will do this
automatically if m2crypto is installed, or is it up to me to call the
m2crypto functions to perform this check?

I don't remember exactly; see the TLSLite docs. I have the vague
memory that you have to specify what kind of checking you want, and if
you say you want the cert chain checked, then TLSLite raises an
exception if the external lib isn't there. But I'm not sure.

 

[Frank Millman]

I don't remember exactly; see the TLSLite docs. I have the vague
memory that you have to specify what kind of checking you want, and if
you say you want the cert chain checked, then TLSLite raises an
exception if the external lib isn't there. But I'm not sure.

I seem to have hijacked this thread, which is supposed to be about
pycrypto. Sorry about that. I will stop after this one.

This is what the docs say -

<quote>

X509CertChain.validate(self,x509TrustList)

Check the validity of the certificate chain.

This checks that every certificate in the chain validates with the
subsequent one, until some certificate validates with (or is identical
to) one of the passed-in root certificates.

The cryptlib_py module must be installed in order to use this function.

</quote>

I may start looking into this. If I have more questions, I will start a
new thread.

Thanks for all the assistance.

Frank