Using Rotor with password file
Colin Meeks
colin at meeks.ca
Sat Feb 1 21:41:14 EST 2003
Paul Rubin <phr-n2003b at NOSPAMnightsong.com> wrote in
news:7x7kcjq05w.fsf at ruckus.brouhaha.com:
> "James Kew" <james.kew at btinternet.com> writes:
>> > Don't use the rotor module, it is insecure.
>>
>> This is the second time I've seen this comment recently.
>>
>> If it's insecure, why is it in the standard library? Should it be
>> removed (as rexec and bastion will be)? Or at least deprecated (and
>> subject to a DeprecationWarning)?
>
> I hadn't heard rexec and bastion will be removed. In my opinion,
> rotor should be deprecated, but I don't get to decide things like
> that.
>
> Here's a module you can use instead of rotor, based on the built-in
> SHA module:
>
> http://www.nightsong.com/phr/crypto/p2.py
>
> Its security should be ok. You'll have to edit out the date check.
> I'll get around to putting up a renamed version with the date check
> removed, but this whole approach is kind of a stopgap--I hope that
> Python's standard library will get some real cryptography soon.
> Apparently one obstacle in the past has been US export restrictions on
> crypto code, but those restrictions have eased up in recent years.
I've tried p2.py also, but get the same problem. Here's an example of
what I'm getting
>>>
>>> print y # where y is a line read from the users.cfg file
['colboy', '\\xcc\\x0f\\xb0t\\xac"\\x87o\\xc8F;\\x90\\xfb\\xbf\\x7f
\\xdf"v\\xe6\\x00\\x16\\xc50%\\x11\\xe9Zc[\\xae_', '1\n']
>>> print y[1] # where y[1] is the actual encoded password
\xcc\x0f\xb0t\xac"\x87o\xc8F;\x90\xfb\xbf\x7f\xdf"v\xe6\x00\x16\xc50%\x11
\xe9Zc[\xae_
Sorry for the formatting
if I try to p2.p2_decrypt(y[1], mykey) I get the following
Traceback (most recent call last):
File "<interactive input>", line 1, in ?
File "p2.py", line 110, in p2_decrypt
raise CryptError, "invalid key or ciphertext"
CryptError: invalid key or ciphertext
If I copy the password from the users,cfg file using a text editor in
place of y[1] it works. It looks like a problem with the decoding of a
string with "\" characters in it
Any further ideas
Colin
More information about the Python-list
mailing list