[Cryptography-dev] Create Fernet API allowing streaming encryption and decryption from file-like objects.

[Jarret Raim]

Donald's point was that each chunk is authenticated separately. As soon as a single chunk failed, the decryption operation would fail – you wouldn't have to wait until the end of the file.


From: Michael Iverson
Reply-To: "cryptography-dev at python.org<mailto:cryptography-dev at python.org>"
Date: Monday, January 19, 2015 at 10:16 AM
To: "cryptography-dev at python.org<mailto:cryptography-dev at python.org>"
Subject: Re: [Cryptography-dev] Create Fernet API allowing streaming encryption and decryption from file-like objects.


On Mon, Jan 19, 2015 at 10:51 AM, Donald Stufft <donald at stufft.io<mailto:donald at stufft.io>> wrote:
This is a fairly obvious way of handling that. However it’ll write a whole bunch of data to decrypted.txt and only fail after the very last chunk.

That is definitely a concern, and it cannot be readily mitigated, as not keeping everything in memory is exactly what is required.

However, I'm not sure the chunk based approach necessarily mitigates this problem either, as you could write out hundreds of chunks, only to have the final chunk fail. Also, having multiple chunks also requires that we somehow manage to ensure that we can identify missing or out-of-order chunks.

I'd also be concerned about the cryptographic implications of this. I'm not sure if this is entirely correct, but it seems if you set your chunk size = AES block size, you essentially are encrypting in ECB mode.

I would presume there is a block size sufficiently large to mitigate this problem, but I get chills up my spine when I use the word 'presume' in any sentence about cryptography.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20150119/118f9f97/attachment.html>