[PYTHON-CRYPTO] Doing modes in Python

Andrew Archibald aarchiba at YAHOO.COM
Sat Apr 28 09:57:47 CEST 2001


On Fri, Apr 27, 2001 at 07:13:10PM -0700, Bram Cohen wrote:
> On Fri, 27 Apr 2001, Andrew Archibald wrote:
>
> > I would say, though, that the standard modes are just that: standard.
> > ECB, CBC (without stealing), n-bit CFB, OFB and Counter mode are all
> > pretty standard, and they cover enough of the bases to be worth
> > implementing in C.
>
> While I agree that having pure C versions of everything done eventually is
> a good idea, it's very tricky to get right, for example -
>
> How do you pad ECB? Do you reject strings of the wrong length? Do you pad
> with all zeros? If so, what do you do about losing information about the
> length of the file?
>
> How do you pad CBC?

You don't pad.  Users can add padding in python --- in fact, a good
policy is leave in python anything that's O(1) in the length of the
message.  This includes ciphertext stealing, padding, arrangement of
MAC/IV.

> With counter mode, do you allow it to start at a counter other than 0? Do
> you make it big- or little-endian, or allow either?

Of course counter mode starts at any IV you provide; endianness can be
selectable, but big-endian seems to be the standard for cryptographic
"long" numbers.

> I don't know OFB and CFB very well, so I can't comment on them, but I
> believe they're quite tricky as well.

CFB is about as standard as CBC, and it has the advantage that it
handles arbitrary-length messages without any hackery.  Representing
the state is a little bit awkward (if you want to be able to stop and
restart the C code in the middle of a block).

OFB is simple and standard and nobody uses it.

> There's also the matter of support stream-style CBC, so a whole file
> doesn't have to be pulled into memory at once, but I don't think that's
> required very often.

Stream-style CBC is easy: just take the last block as your IV next
time. Buffer one block (or two, if you're planning on stealing).

But yes, a preliminary python implementation is worth doing and may
well be fast enough for most people most of the time.  Get one at
http://www.math.mcgill.ca/archibal/crypto/modes.py

Andrew
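The following is an added example illustrating the split described in this reply (per-block mode core, with padding and IV handling left in Python); it is not the modes.py linked above and not Bram's or Andrew's code. It assumes a 128-bit block cipher with an encrypt_block/decrypt_block interface; since the standard library has no AES, a small Feistel network with an HMAC-SHA256 round function stands in for it, and the counter in CTR mode is assumed to wrap modulo 2^128.

```python
"""Block-cipher modes with padding and IV handling kept outside the core.

Constructed example. The block cipher is a 4-round Feistel network with an
HMAC-SHA256 round function, used only so the example runs with the standard
library; substitute a real cipher such as AES in practice.
"""
import hashlib
import hmac

BLOCK = 16  # 128-bit block, like AES
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FeistelCipher:
    """Stand-in 128-bit block cipher (assumption: any cipher exposing
    encrypt_block/decrypt_block on 16-byte blocks would do)."""

    def __init__(self, key: bytes, rounds: int = 4):
        self.round_keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest()
                           for i in range(rounds)]

    @staticmethod
    def _f(rk: bytes, half: bytes) -> bytes:
        return hmac.new(rk, half, hashlib.sha256).digest()[:HALF]

    def encrypt_block(self, block: bytes) -> bytes:
        l, r = block[:HALF], block[HALF:]
        for rk in self.round_keys:
            l, r = r, xor(l, self._f(rk, r))
        return l + r

    def decrypt_block(self, block: bytes) -> bytes:
        l, r = block[:HALF], block[HALF:]
        for rk in reversed(self.round_keys):  # undo the rounds in reverse
            l, r = xor(r, self._f(rk, l)), l
        return l + r


# --- padding: O(1) in the message length, so it stays in Python -----------
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# --- stream-style CBC: buffer one block, carry the last block as next IV --
class CBCEncryptor:
    def __init__(self, cipher, iv: bytes):
        self.cipher, self.prev, self.buf = cipher, iv, b""

    def update(self, data: bytes) -> bytes:
        self.buf += data
        out = []
        while len(self.buf) >= BLOCK:
            blk, self.buf = self.buf[:BLOCK], self.buf[BLOCK:]
            self.prev = self.cipher.encrypt_block(xor(blk, self.prev))
            out.append(self.prev)
        return b"".join(out)


class CBCDecryptor:
    def __init__(self, cipher, iv: bytes):
        self.cipher, self.prev, self.buf = cipher, iv, b""

    def update(self, data: bytes) -> bytes:
        self.buf += data
        out = []
        while len(self.buf) >= BLOCK:
            blk, self.buf = self.buf[:BLOCK], self.buf[BLOCK:]
            out.append(xor(self.cipher.decrypt_block(blk), self.prev))
            self.prev = blk  # the ciphertext block is the IV for the next one
        return b"".join(out)


def cbc_encrypt(cipher, iv: bytes, plaintext: bytes) -> bytes:
    return CBCEncryptor(cipher, iv).update(pkcs7_pad(plaintext))


def cbc_decrypt(cipher, iv: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(CBCDecryptor(cipher, iv).update(ciphertext))


# --- counter mode: IV is the starting counter, big-endian ------------------
def ctr_xor(cipher, iv: bytes, data: bytes, offset: int = 0) -> bytes:
    """Encrypts or decrypts `data` as the bytes starting at `offset` in the
    message, so a long message can be processed in pieces. The counter is a
    big-endian 128-bit integer starting at the IV (assumed to wrap mod 2**128)."""
    out = bytearray()
    counter = int.from_bytes(iv, "big")
    pos = offset
    while len(out) < len(data):
        block_index, skip = divmod(pos, BLOCK)
        ctr_block = ((counter + block_index) % (1 << 128)).to_bytes(BLOCK, "big")
        ks = cipher.encrypt_block(ctr_block)[skip:]
        take = min(len(ks), len(data) - len(out))
        out += xor(data[len(out):len(out) + take], ks[:take])
        pos += take
    return bytes(out)
```

Feeding CBCEncryptor.update in arbitrary chunk sizes produces the same ciphertext as a single call, because the encryptor only ever holds one partial block; ctr_xor resumes anywhere because the keystream position is a pure function of the IV and the byte offset.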
