SHA-based encryption function in Python

Paul Rubin phr-n2002a at nightsong.com
Wed Apr 24 04:41:34 EDT 2002


Richard Parker <richard at electrophobia.com> writes:
> I just took a quick look at your Python code.  I'd encourage you to not use
> the secret prefix method to construct a MAC from a hash function, i.e.
> MAC(x) = H(K || x).  This method is generally considered to be insecure.
> Use the HMAC construction instead.

Thanks.  What's the real deal with this?  Is an insecurity known, when
K and X are the output of encryption functions, and not chosen by
attackers?  I know that HMAC tries to be robust under unknown weakness
of the underlying hash function, but since the OFB mode encryption
depends on the hash function being strong, HMAC likely doesn't help
that much.  Do you think it matters in practice, given that this is
running in an interpreted language on a general purpose PC?  Practical
attacks probably involve computer viruses peeking at memory rather
than cryptanalysing SHA-1.  Also, I currently chop the MAC to 64 bits
(maybe I should make it 80 bits or so) to cut down on plaintext
expansion.  I'd rather avoid HMAC because implementing HMAC in Python
will make the function even slower than it already is.  

> The ciphertext and key passed to the decryption function could be used as
> additional sources of entropy for your "_state" variable.

I guess that's not likely to hurt, though it would probably be
deterministic in many applications.

> Perhaps you could add a function to your API that would allow the
> programmer using your API to provide an additional source of
> entropy.  This would enable the hypothetical programmer of the CGI
> using your library to fix the problem by using information from the
> HTTP requests as a source of entropy.

I guess I could do that, though what I really want is a CPRNG with
good entropy, and a web server is likely to have that.  Asking the
programmer to supply entropy is against the spirit of this supposedly
easy-to-use module.

This module is a stopgap anyway--once there's an AES module, this
thing won't be needed any more.  But I've been using it for a while
(in slightly different form) so I thought I'd release it.



More information about the Python-list mailing list
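For readers following the MAC discussion in this thread, here is an added example (not code from the original post or from Paul Rubin's module) that writes out the two constructions side by side: the secret-prefix form MAC(x) = H(K || x) that Richard Parker advised against, and HMAC-SHA1 as specified in RFC 2104, built from plain `hashlib` calls and checked against Python's standard `hmac` module. It also shows the 64-bit tag truncation the reply mentions, together with a constant-time verify. The key and message below are constructed sample values.

```python
import hashlib
import hmac

SHA1_BLOCK = 64  # SHA-1 processes 64-byte blocks; HMAC pads the key to this size


def secret_prefix_mac(key: bytes, msg: bytes) -> bytes:
    """The construction questioned in the thread: MAC(x) = H(K || x)."""
    return hashlib.sha1(key + msg).digest()


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg)).

    Compared with the secret-prefix MAC, the extra cost is one more SHA-1
    call plus two XORs over a 64-byte block; hashlib does the hashing in C,
    so the Python-level overhead is small.
    """
    if len(key) > SHA1_BLOCK:          # long keys are hashed down first
        key = hashlib.sha1(key).digest()
    key = key.ljust(SHA1_BLOCK, b"\x00")  # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def truncated_tag(key: bytes, msg: bytes, bits: int = 64) -> bytes:
    """Tag shortened to `bits` (64 here, as in the reply) to limit expansion."""
    return hmac_sha1(key, msg)[: bits // 8]


def verify_tag(key: bytes, msg: bytes, tag: bytes, bits: int = 64) -> bool:
    """Constant-time comparison so timing does not leak where a tag diverges."""
    return hmac.compare_digest(truncated_tag(key, msg, bits), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample key and message (not from the original post).
    k = b"\x0b" * 20
    m = b"Hi There"
    tag = truncated_tag(k, m)
    print("hand-written HMAC matches hmac module:", matches_stdlib(k, m))
    print("64-bit tag:", tag.hex(), "verifies:", verify_tag(k, m, tag))
    print("tampered message verifies:", verify_tag(k, m + b"!", tag))
```

The RFC 2104 form differs from H(K || x) only in the key padding and the second outer hash, so it does not change the plaintext expansion once the tag is truncated to the same length.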