Authenticated encryption with PyCrypto

M.-A. Lemburg mal at egenix.com
Tue Jan 26 18:22:15 EST 2010 

Daniel wrote:
> On Jan 26, 12:37 pm, "M.-A. Lemburg" <m... at egenix.com> wrote:
>> Note that your code has a padding bug: the decoder doesn't
>> undo the padding. You're lucky though, since pickle will only
>> read as much data as it needs and not complain about the extra
>> data it finds.
> 
> Doesn't the last line in decrypt() do it?
> 
>     return data[:-ord(data[-1])]
> 
> Given, it's a bit cryptic... no pun intended :)

That's cryptic indeed... I just found that you're not padding
with zero bytes, but instead with char(pad) where pad is the
number of bytes you add:

        pad = AES_BLOCK_SIZE - len(data) % AES_BLOCK_SIZE
        data = data + pad * chr(pad)

This code will pad with 16 bytes of chr(16) in case len(data)
is in fact on a block size boundary.

When using pickle, you don't need this, since pickle includes
all necessary length information in the serialized data stream.

I'd just pad with \0 and not worry about the extra bytes
at the end when using pickle to serialize the objects.

It's more important to worry about whether you really
want to unpickle the data or not, since pickle opens
up lots of possibilities of executing code on the decoding
side of the communication channel.

>>> Also, slightly related, is there an easy way to get the sha/md5
>>> deprecation warnings emitted by PyCrypto in Python 2.6 to go away?
>>
>> Yes: you silence them via the warnings module. I suppose that the
>> latest version of PyCrypto fixes these warnings.
> 
> The version that gets installed by easy_install or pip (2.0.1) emits
> those warnings. Is there a more recent version?

This is the most recent version:

	http://www.dlitz.net/software/pycrypto/

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 27 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

More information about the Python-list mailing list