From paul.l.kehrer at gmail.com Wed Jul 18 08:19:27 2018
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 18 Jul 2018 05:19:27 -0700
Subject: [Cryptography-dev] PyCA cryptography 2.3 released
Message-ID:

PyCA cryptography 2.2.2 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions. We support Python 2.7, Python 3.4+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/#v2-3):

* SECURITY ISSUE: finalize_with_tag() allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the GCM constructor.
* Added support for Python 3.7.
* Added extract_timestamp() to get the authenticated timestamp of a Fernet token.
* Support for Python 2.7.x without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next cryptography release.
* Fixed multiple issues preventing cryptography from compiling against LibreSSL 2.7.x.
* Added get_revoked_certificate_by_serial_number for quick serial number searches in CRLs.
* The RelativeDistinguishedName class now preserves the order of attributes. Duplicate attributes now raise an error instead of silently discarding duplicates.
* aes_key_unwrap() and aes_key_unwrap_with_padding() now raise InvalidUnwrap if the wrapped key is an invalid length, instead of ValueError.

-Paul Kehrer (reaperhulk)

From peng.lu at cienet.com.cn Thu Jul 19 04:55:24 2018
From: peng.lu at cienet.com.cn (Peng Lu)
Date: Thu, 19 Jul 2018 16:55:24 +0800
Subject: [Cryptography-dev] an question about bcrypt 3.1.0
Message-ID: <008b01d41f3e$3bc0ee00$b342ca00$@cienet.com.cn>

Hi,

I am from China and work in Ericsson. I have a question about bcrypt module and hope that you can give me a solution.
I want to install bcrypt 3.1.0 in SunOS system. But it failed.

[selix508] out: Collecting bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40)
[selix508] out:  Could not find a version that satisfies the requirement bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40) (from versions: )
[selix508] out: No matching distribution found for bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40)
[selix508] out: Fatal error: run() received nonzero return code 1 while executing!

Can bcrypt module be installed in SunOS system? If it can, how can we fix the issue?

Thank you in advance.

BRs//Peng

From paul.l.kehrer at gmail.com Thu Jul 19 09:51:24 2018
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 19 Jul 2018 06:51:24 -0700
Subject: [Cryptography-dev] an question about bcrypt 3.1.0
In-Reply-To: <008b01d41f3e$3bc0ee00$b342ca00$@cienet.com.cn>
References: <008b01d41f3e$3bc0ee00$b342ca00$@cienet.com.cn>
Message-ID:

This error message looks like it isn't even finding the bcrypt sdist. Are you using pip to install? What happens if you run "python setup.py install"?

-Paul Kehrer (reaperhulk)

On July 19, 2018 at 7:51:32 PM, Peng Lu (peng.lu at cienet.com.cn) wrote:

Hi,

I am from China and work in Ericsson. I have a question about bcrypt module and hope that you can give me a solution.

I want to install bcrypt 3.1.0 in SunOS system. But it failed.

[selix508] out: Collecting bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40)
[selix508] out:  Could not find a version that satisfies the requirement bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40) (from versions: )
[selix508] out: No matching distribution found for bcrypt>=3.1.3 (from paramiko<=2.4.1,>=2.4.1->ufte-toolkit==1.10.40)
[selix508] out: Fatal error: run() received nonzero return code 1 while executing!
Can bcrypt module be installed in SunOS system? If it can, how can we fix the issue?

Thank you in advance.

BRs//Peng

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

From roland at catalogix.se Mon Jul 23 12:06:22 2018
From: roland at catalogix.se (Roland Hedberg)
Date: Mon, 23 Jul 2018 18:06:22 +0200
Subject: [Cryptography-dev] The ECDH vulnerability
Message-ID: <231F8E4F-1BA5-41B4-94E9-A914BDA029D7@catalogix.se>

In https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html Antonio Sanso discusses a vulnerability when doing Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).

Can cryptography help me with this ?

Basically, can I use cryptography to check whether public key is on the private key's curve.

- Roland

The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style.
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)

From alex.gaynor at gmail.com Mon Jul 23 17:04:12 2018
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Mon, 23 Jul 2018 17:04:12 -0400
Subject: [Cryptography-dev] The ECDH vulnerability
In-Reply-To: <231F8E4F-1BA5-41B4-94E9-A914BDA029D7@catalogix.se>
References: <231F8E4F-1BA5-41B4-94E9-A914BDA029D7@catalogix.se>
Message-ID:

When you load an object into an EllipticCurvePublicKey instance, we verify that the point is on the curve. EllipticCurvePrivateKey.exchange(ECDH(), public_key) will also refuse to perform an exchange where the public and private keys aren't on the same curve.
Alex

On Mon, Jul 23, 2018 at 4:53 PM Roland Hedberg wrote:

> In
> https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
> Antonio Sanso discusses a vulnerability when doing Key Agreement with
> Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).
>
> Can cryptography help me with this ?
>
> Basically, can I use cryptography to check whether public key is on the
> private key's curve.
>
> - Roland
>
> The higher up you go, the more mistakes you are allowed. Right at the top,
> if you make enough of them, it's considered to be your style.
> -Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May
> 1899-1987)
>

--
All that is necessary for evil to succeed is for good people to do nothing.

From roland at catalogix.se Tue Jul 31 03:26:53 2018
From: roland at catalogix.se (Roland Hedberg)
Date: Tue, 31 Jul 2018 09:26:53 +0200
Subject: [Cryptography-dev] The ECDH vulnerability
Message-ID:

Excellent news, thanks !

- Roland

The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style.
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
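
The two checks described in the ECDH thread above, as an added example that is not part of the original messages or the project's own code. It assumes a recent cryptography release in which the backend argument is optional; the helper names load_peer_key, agree and demo are hypothetical, and the keys are constructed from fixed scalars so the run is repeatable.

```python
from cryptography.hazmat.primitives.asymmetric import ec


def load_peer_key(curve, x, y):
    """Build a public key from untrusted coordinates (for example the x/y
    of a received JWK). Returns None when the library rejects the point."""
    try:
        return ec.EllipticCurvePublicNumbers(x, y, curve).public_key()
    except ValueError:
        return None


def agree(private_key, peer_public_key):
    """Run ECDH. Returns None when the library refuses the exchange."""
    try:
        return private_key.exchange(ec.ECDH(), peer_public_key)
    except ValueError:
        return None


def demo():
    # Constructed sample keys (fixed scalars, not real secrets).
    receiver = ec.derive_private_key(0x1234567, ec.SECP256R1())
    sender = ec.derive_private_key(0x7654321, ec.SECP256R1())
    nums = sender.public_key().public_numbers()
    results = {}

    # 1. Honest sender: both sides derive the same shared secret.
    peer = load_peer_key(ec.SECP256R1(), nums.x, nums.y)
    shared = agree(receiver, peer)
    results["valid"] = (
        shared is not None and shared == agree(sender, receiver.public_key())
    )

    # 2. Same x with y shifted by one: the point no longer satisfies the
    #    curve equation, so it is rejected when the key is loaded.
    results["off_curve"] = load_peer_key(ec.SECP256R1(), nums.x, nums.y + 1)

    # 3. A well-formed key on a different curve (P-384) loads fine but is
    #    refused by exchange() against the P-256 private key.
    other = ec.derive_private_key(0x7654321, ec.SECP384R1()).public_key()
    results["cross_curve"] = agree(receiver, other)
    return results


if __name__ == "__main__":
    print(demo())
```
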
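
The min_tag_length enforcement from the 2.3 release announcement at the top of this archive, as an added example that is not code from the announcement or the project. It assumes a recent cryptography release in which the backend argument is optional; encrypt, check_tag and demo are hypothetical helper names, and the key, IV and message are constructed sample values.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed sample values. The IV is fixed only so the run is repeatable;
# a GCM IV must never be reused with the same key in real use.
KEY = bytes(range(32))
IV = bytes(range(12))


def encrypt(key, iv, plaintext):
    enc = Cipher(algorithms.AES(key), modes.GCM(iv)).encryptor()
    ciphertext = enc.update(plaintext) + enc.finalize()
    return ciphertext, enc.tag  # full 16-byte tag


def check_tag(key, iv, ciphertext, tag, min_tag_length=16):
    """Return 'ok', 'too-short' or 'invalid' for a presented tag."""
    mode = modes.GCM(iv, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode).decryptor()
    dec.update(ciphertext)
    try:
        dec.finalize_with_tag(tag)
    except InvalidTag:
        return "invalid"      # long enough, but does not authenticate
    except ValueError:
        return "too-short"    # shorter than min_tag_length: never compared
    return "ok"


def demo():
    ciphertext, tag = encrypt(KEY, IV, b"constructed sample message")
    return {
        "full": check_tag(KEY, IV, ciphertext, tag),
        # A 4-byte prefix of the real tag is refused under the default.
        "truncated_default": check_tag(KEY, IV, ciphertext, tag[:4]),
        # Truncated tags are only accepted when the caller opts in.
        "truncated_opt_in": check_tag(KEY, IV, ciphertext, tag[:4],
                                      min_tag_length=4),
        "wrong": check_tag(KEY, IV, ciphertext, bytes(16)),
    }


if __name__ == "__main__":
    print(demo())
```
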