[PYTHON-CRYPTO] AES in M2Crypto advice
Ng Pheng Siong
ngps at POST1.COM
Mon Jun 2 18:06:00 CEST 2003
On Sat, May 31, 2003 at 01:36:31PM +0700, Jason H. Smith wrote:
> First, a quick question, if I may. I did not follow the instructions in
> INSTALL saying to modify distutils. Instead, I simply symlinked swig/ to
> SWIG, and it looks fine. Did I mess anything up?
Hi,
Yes, it's fine. I should do that for my source, too. ;-)
> But mainly, I want to solicit advice for using AES in CBC mode to send an
> entire hard drive image over TCP.
Let's talk a little higher-level:

Content security: encrypting your disk image so that its content is secure
should the encrypted image fall into the wrong hands.

Communication security, a la SSH or SSL: your content is secure while it is
moving across the wire; at the end points the content is in the clear.

Of course, you can transmit secured content, say, a PGP message, over SSH
or SSL.

What are you attempting to do? What are you protecting against? Must you
write a new program to do the low-level crypto? Can you not compose
existing tools to achieve your objectives?
> Thus far, I am basically using this procedure:
> 1) key = md5 hash of a passphrase
> 2) iv = whatever
> 3) create a BIO.MemoryBuffer object
> 4) read a 10MB chunk
> 5) a) create a BIO.CipherStream object
> b) set_cipher('aes_128_cbc', key, iv, 1)
> 6) encrypt the block, following demo/bio_ciph_test.py
> 7) write the ciphertext
> 7) set new iv = ciphertext[-16:]
> 8) go back to step 4
Some thoughts:
1. There aren't unit tests for BIO.CipherStream, meaning it may be buggy. ;-)
2. I think evp_ciph_test.py has an easier model:
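
import cStringIO
from M2Crypto import EVP

enc = 1  # operation flag for EVP.Cipher: 1 = encrypt (0 = decrypt)

def cipher_filter(cipher, inf, outf):
    # Feed the input through the cipher, then flush the final padded block.
    while 1:
        buf=inf.read()
        if not buf:
            break
        outf.write(cipher.update(buf))
    outf.write(cipher.final())
    return outf.getvalue()

def test_cipher(algo):
    otxt='against stupidity the gods themselves contend in vain'
    print 'testing', algo, '...',
    # key_as_bytes=1: derive the key from the passphrase 'goethe'
    # using digest 'sha1', salt 'salt' and 5 iterations.
    k=EVP.Cipher(algo, 'goethe','12345678', enc, 1, 'sha1', 'salt', 5)
    pbuf=cStringIO.StringIO(otxt)
    cbuf=cStringIO.StringIO()
    ctxt=cipher_filter(k, pbuf, cbuf)
    pbuf.close()
    cbuf.close()
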
The function cipher_filter, with variation, is what I use in my own code.
Set up the cipher as in test_cipher. Pass in file objects for inf and
outf. (Remove the last line that says outf.getvalue(). Maybe also remove
the next-to-last line, depending on your calling code.)
But do first consider the high-level issues of what you're doing.
Cheers.
--
Ng Pheng Siong <ngps at netmemetic.com>
http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
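
Added example (Python 3, standard library only; not part of the original message and not M2Crypto code): it shows what the two key setups in this thread compute, step 1's "md5 hash of a passphrase" and the digest/salt/iteration arguments passed to EVP.Cipher, next to a salted PBKDF2 derivation. It assumes M2Crypto's key_as_bytes=1 path uses OpenSSL's EVP_BytesToKey scheme; the function names, the sample passphrase and the 600,000 iteration default are illustrative choices.

```python
import hashlib
import os

def evp_bytes_to_key(passphrase, salt, key_len, digest="md5", count=1):
    """EVP_BytesToKey-style derivation, key bytes only (no IV output).

    D_1 = H^count(passphrase + salt), D_n = H^count(D_(n-1) + passphrase + salt);
    the key is the first key_len bytes of D_1 + D_2 + ...
    """
    derived, block = b"", b""
    while len(derived) < key_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        for _ in range(count - 1):  # extra hash rounds when count > 1
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len]

def derive_stream_key(passphrase, salt=None, iterations=600_000, key_len=16):
    """PBKDF2-HMAC-SHA256 key for one image transfer.

    A fresh random salt is generated when none is given. The salt is not
    secret: the sender writes it (and the iteration count) ahead of the
    ciphertext so the receiver can derive the same key.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, key_len)
    return salt, key

if __name__ == "__main__":
    pw = b"constructed example passphrase"  # constructed sample input

    # Step 1 of the quoted procedure is the unsalted, single-round case.
    bare = evp_bytes_to_key(pw, b"", 16, "md5", 1)
    print("md5(passphrase) == unsalted 1-round derivation:",
          bare == hashlib.md5(pw).digest())

    # The demo's arguments: sha1, a fixed salt string, 5 rounds.
    demo = evp_bytes_to_key(pw, b"salt", 16, "sha1", 5)
    print("demo-style key:", demo.hex())

    # Per-transfer random salt and a high work factor.
    salt, key = derive_stream_key(pw)
    print("pbkdf2 salt:", salt.hex(), "key:", key.hex())
    print("receiver derives same key:", derive_stream_key(pw, salt)[1] == key)
```

With no salt and one round, every image encrypted under the same passphrase gets the same key and a passphrase guess costs one hash; the salted, iterated derivation changes both properties.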