[PYTHON-CRYPTO] AES in M2Crypto advice

Ng Pheng Siong ngps at POST1.COM
Mon Jun 2 18:06:00 CEST 2003


On Sat, May 31, 2003 at 01:36:31PM +0700, Jason H. Smith wrote:
> First, a quick question, if I may.  I did not follow the instructions in
> INSTALL saying to modify distutils.  Instead, I simply symlinked swig/ to
> SWIG, and it looks fine.  Did I mess anything up?

Hi,

Yes, it's fine. I should do that for my source, too. ;-)

> But mainly, I want to solicit advice for using AES in CBC mode to send an
> entire hard drive image over TCP.

Let's talk a little higher-level:

Content security: encrypting your disk image so that its content is secure
should the encrypted image fall into the wrong hands.

Communication security, a la SSH or SSL: your content is secure while it is
moving across the wire; at the end points the content is in the clear.

Of course, you can transmit secured content, say, a PGP message, over SSH
or SSL.

What are you attempting to do? What are you protecting against? Must you
write a new program to do the low-level crypto? Can you not compose
existing tools to achieve your objectives?


> Thus far, I am basically using this procedure:
> 1) key = md5 hash of a passphrase
> 2) iv = whatever
> 3) create a BIO.MemoryBuffer object
>   4) read a 10MB chunk
>   5) a) create a BIO.CipherStream object
>      b) set_cipher('aes_128_cbc', key, iv, 1)
>   6) encrypt the block, following demo/bio_ciph_test.py
>   7) write the ciphertext
>   8) set new iv = ciphertext[-16:]
>   9) go back to step 4

Some thoughts:

1. There aren't unit tests for BIO.CipherStream, meaning it may be buggy.  ;-)

2. I think evp_ciph_test.py has an easier model:

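    import io
    from M2Crypto import EVP

    enc = 1  # EVP.Cipher op flag: 1 = encrypt, 0 = decrypt

    def cipher_filter(cipher, inf, outf):
        # Feed the input through the cipher and write the result to outf.
        while 1:
            buf = inf.read()  # no size given: reads everything that is left
            if not buf:
                break
            outf.write(cipher.update(buf))
        outf.write(cipher.final())  # flush the last (padded) block
        return outf.getvalue()

    def test_cipher(algo):
        otxt = b'against stupidity the gods themselves contend in vain'
        print('testing', algo, '...', end=' ')

        # Arguments: algorithm, key material, IV, op, key_as_bytes,
        # digest, salt, iteration count.
        k = EVP.Cipher(algo, b'goethe', b'12345678', enc, 1, 'sha1', b'salt', 5)
        pbuf = io.BytesIO(otxt)
        cbuf = io.BytesIO()
        ctxt = cipher_filter(k, pbuf, cbuf)
        pbuf.close()
        cbuf.close()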

The function cipher_filter, with variation, is what I use in my own code.
Set up the cipher as in test_cipher.  Pass in file objects for inf and
outf. (Remove the last line that says outf.getvalue(). Maybe also remove
the next-to-last line, depending on your calling code.)

But do first consider the high-level issues of what you're doing.

Cheers.

--
Ng Pheng Siong <ngps at netmemetic.com>

http://firewall.rulemaker.net  -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
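
Added example, not part of the original message and not M2Crypto code: it compares the single-context update()/final() model of cipher_filter with the manual per-chunk IV re-chaining from the quoted procedure, and with re-initialising every chunk under one fixed IV. Assumptions: a toy Feistel cipher stands in for AES so the block runs on the standard library alone, chunks are block-aligned with padding applied once at the end, and the names CBCContext, one_context, rechained, fixed_iv and the sample key, IV and chunks are constructed for illustration.

```python
import hashlib

BLOCK = 16  # bytes, same block size as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    """Stand-in for AES: 4-round Feistel over SHA-256. Demo only, not secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class CBCContext:
    """update()/final() interface like the cipher object passed to cipher_filter."""
    def __init__(self, key, iv):
        self.key, self.prev, self.pending = key, iv, b""

    def update(self, data):
        self.pending += data
        out = bytearray()
        while len(self.pending) >= BLOCK:
            block, self.pending = self.pending[:BLOCK], self.pending[BLOCK:]
            self.prev = toy_block_encrypt(self.key, xor(block, self.prev))
            out += self.prev
        return bytes(out)

    def final(self):
        pad = BLOCK - len(self.pending)  # PKCS#7-style padding, 1..16 bytes
        return self.update(bytes([pad]) * pad)

def one_context(key, iv, chunks):
    """cipher_filter model: one context, update() per chunk, final() once."""
    ctx = CBCContext(key, iv)
    return b"".join(ctx.update(c) for c in chunks) + ctx.final()

def rechained(key, iv, chunks):
    """New context per chunk, IV = previous chunk's last ciphertext block."""
    out = b""
    for chunk in chunks:
        ct = CBCContext(key, iv).update(chunk)
        out, iv = out + ct, (ct[-BLOCK:] or iv)
    return out + CBCContext(key, iv).final()

def fixed_iv(key, iv, chunks):
    """New context per chunk with the same IV every time."""
    return [CBCContext(key, iv).update(chunk) for chunk in chunks]

# Constructed sample data: three 64-byte chunks, the first and last identical.
KEY, IV = b"constructed-demo-key", bytes(BLOCK)
CHUNKS = [b"A" * 64, b"B" * 64, b"A" * 64]
```

one_context and rechained return the same bytes, so the manual IV bookkeeping buys nothing over a single cipher object, while fixed_iv returns identical ciphertext for the two identical chunks.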
