From paul.l.kehrer at gmail.com Sun Nov 6 00:22:18 2016 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Sun, 6 Nov 2016 00:22:18 -0400 Subject: [Cryptography-dev] PyCA cryptography 1.5.3 released Message-ID: PyCA cryptography 1.5.3 has been released to PyPI. cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy. Changelog: SECURITY ISSUE: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Credit to Markus D?ring for reporting the issue. -Paul Kehrer (reaperhulk) -------------- next part -------------- An HTML attachment was scrubbed... URL: From vs at it.uu.se Sun Nov 13 09:33:05 2016 From: vs at it.uu.se (Virgil Stokes) Date: Sun, 13 Nov 2016 15:33:05 +0100 Subject: [Cryptography-dev] How to encrypt-decrypt a file? Message-ID: I have looked at all the documentation and postings that I could find on cryptography and still have been unable to find how to use it with file(s). Anyone's help on this would be greatly appreciated. --V From paul.l.kehrer at gmail.com Sun Nov 13 14:30:30 2016 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Sun, 13 Nov 2016 14:30:30 -0500 Subject: [Cryptography-dev] How to encrypt-decrypt a file? In-Reply-To: References: Message-ID: Hi Virgil, If you're dealing with a small file (where small is defined as "amount you're willing to buffer in memory") then you can just read the file, encrypt it using Fernet, and then write the results to disk. If the file is bigger then you'll want to read the file in chunks, pass those chunks to a cipher context (see the symmetric encryption docs), and write the results from "update" to a separate file incrementally. Note that finalize can also yield bytes so don't forget to write those as well. If you need to do the latter option you should either use an authenticated encryption mode (like GCM) or do an HMAC of the encrypted bytes as well. When decrypting you'll then either pass the GCM tag to the decrypt context or verify the HMAC yourself. This prevents tampering with the ciphertext, but bear in mind you don't have verification that the data has not been modified until you process the entire file. Fernet does all this for you, which is why it's preferable if your files are small. -Paul Kehrer (reaperhulk) On November 13, 2016 at 7:03:49 AM, Virgil Stokes (vs at it.uu.se) wrote: I have looked at all the documentation and postings that I could find on cryptography and still have been unable to find how to use it with file(s). Anyone's help on this would be greatly appreciated. --V _______________________________________________ Cryptography-dev mailing list Cryptography-dev at python.org https://mail.python.org/mailman/listinfo/cryptography-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From readthedocs at readthedocs.org Sat Nov 19 09:02:21 2016 From: readthedocs at readthedocs.org (Read the Docs) Date: Sat, 19 Nov 2016 14:02:21 -0000 Subject: [Cryptography-dev] Failed: Cryptography (latest) Message-ID: <20161119140221.20798.97365@web04.servers.readthedocs.org> Build Failed for Cryptography (latest) Error: Version locked, retrying in 5 minutes. You can find out more about this failure here: https://readthedocs.org/projects/cryptography/builds/4691963/ If you have questions, a good place to start is the FAQ: https://docs.readthedocs.org/en/latest/faq.html Keep documenting, Read the Docs -- http://readthedocs.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From phatbuckett at gmail.com Sun Nov 20 05:07:33 2016 From: phatbuckett at gmail.com (Darren S.) Date: Sun, 20 Nov 2016 03:07:33 -0700 Subject: [Cryptography-dev] Message authentication and integrity Message-ID: Hi, Working on part of a project where there's no requirement for confidentiality, but do need to verify message authentication and integrity. The case is a simple multi-node system where a client component makes a request of another component using an HTTP request. The transport does not currently implement SSL/TLS. The request recipient simply needs to be certain that an authorized/known client issued the request. Each node is under the same administrative control/owner and a secure channel such as SSH may be used for setting up pre-shared keys. What python cryptography recipe is suitable for this? Fernet appears to be geared around symmetric encryption although shared secrets also work for authentication and this seems to be stated when discussing cryptography.fernet.InvalidToken if the token "does not have a valid signature." I'd like to avoid any PKI for the time being, so in addition to cryptography's support we also note PyNaCl digital signatures [1] and the standard library's hmac [2] module. Asymmetric keys as implemented in [1] seem suited. And the native availability and relative simplicity of [2] are also attractive. For this sort of thing, does the cryptography library provide anything that using pre-shared keys and transmitting the computed HMAC with the message wouldn't solve? Do either of these approaches have any significant issues that using public-key message signing would solve? [1] https://pynacl.readthedocs.io/en/latest/signing/ [2] https://docs.python.org/3/library/hmac.html Thanks, -- Darren Spruell phatbuckett at gmail.com From paul.l.kehrer at gmail.com Mon Nov 21 22:34:40 2016 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Mon, 21 Nov 2016 19:34:40 -0800 Subject: [Cryptography-dev] PyCA cryptography 1.6 released Message-ID: PyCA cryptography 1.6 has been released to PyPI. cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy. Changelog (https://cryptography.io/en/latest/changelog/): * Deprecated support for OpenSSL 1.0.0. Support will be removed in cryptography 1.7. * Replaced the Python-based OpenSSL locking callbacks with a C version to fix a potential deadlock that could occur if a garbage collection cycle occurred while inside the lock. * Added support for BLAKE2b and BLAKE2s when using OpenSSL 1.1.0. * Added signature_algorithm_oid support to Certificate. * Added signature_algorithm_oid support to CertificateSigningRequest. * Added signature_algorithm_oid support to CertificateRevocationList. * Added support for Scrypt when using OpenSSL 1.1.0. * Added a workaround to improve compatibility with Python application bundling tools like PyInstaller and cx_freeze. * Added support for generating a random_serial_number(). * Added support for encoding IPv4Network and IPv6Network in X.509 certificates for use with NameConstraints. * Added public_bytes() to Name. * Added RelativeDistinguishedName * DistributionPoint now accepts RelativeDistinguishedName for relative_name. Deprecated use of Name as relative_name. * Name now accepts an iterable of RelativeDistinguishedName. RDNs can be accessed via the rdns attribute. When constructed with an iterable of NameAttribute, each attribute becomes a single-valued RDN. * Added derive_private_key(). * Added support for signing and verifying RSA, DSA, and ECDSA signatures with Prehashed digests. Due to the volume of changes in this release the switch to bundling OpenSSL 1.1.0 in the macOS and Windows wheels has been pushed back to version 1.8. 1.7 is tentatively planned to be out in the next 2-3 weeks with some large features that didn't make the cut for this release. -Paul Kehrer (reaperhulk) -------------- next part -------------- An HTML attachment was scrubbed... URL: From chhong at gmail.com Fri Nov 25 13:35:34 2016 From: chhong at gmail.com (Chris H) Date: Fri, 25 Nov 2016 10:35:34 -0800 Subject: [Cryptography-dev] fail to pip install cryptography on redhat 6.5 Message-ID: Hi pyhton team, I have problem to install cryptography and paramiko as following errors. any hints/help are appreciated. system : Host-osver: rhel6.0 OpenSSL 1.0.2d 9 Jul 2015 gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4) > pip install cryptography Collecting cryptography .... build/temp.linux-x86_64-3.4/_openssl.c:62987: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:62987: error: too many arguments to function 'memset' build/temp.linux-x86_64-3.4/_openssl.c:62997: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:62998: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:62998: error: too many arguments to function 'memset' build/temp.linux-x86_64-3.4/_openssl.c:55555: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55556: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55556: error: too many arguments to function 'memset' build/temp.linux-x86_64-3.4/_openssl.c: In function '_cffi_f_X509_NAME_ENTRY_create_by_OBJ': build/temp.linux-x86_64-3.4/_openssl.c:55603: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55604: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55604: error: too many arguments to function 'memset' build/temp.linux-x86_64-3.4/_openssl.c:55614: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55615: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55615: error: too many arguments to function 'memset' build/temp.linux-x86_64-3.4/_openssl.c:55629: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:55630: error: expected ')' before 'datasize' build/temp.linux-x86_64-3.4/_openssl.c:71920: warning: excess elements in struct initializer build/temp.linux-x86_64-3.4/_openssl.c:71920: warning: (near initialization for '_cffi_struct_unions[135]') build/temp.linux-x86_64-3.4/_openssl.c:71920: warning: excess elements in struct initializer build/temp.linux-x86_64-3.4/_openssl.c:71920: warning: (near initialization for '_cffi_struct_unions[135]') error: command 'gcc' failed with exit status 1 ---------------------------------------- Command "/auto/iconatest/users/chhong/ats5.3.0/pyats3.1.1-cel6.50/bin/python3.4 -u -c "import setuptools, tokenize;__file__='/users/chhong/tmp/pip-build-x8ette2c/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /users/chhong/tmp/pip-ebuv28m8-record/install-record.txt --single-version-externally-managed --compile --install-headers /auto/iconatest/users/chhong/ats5.3.0/pyats3.1.1-cel6.50/include/site/python3.4/cryptography" failed with error code 1 in /users/chhong/tmp/pip-build-x8ette2c/cryptography/ thanks Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: