Difference between revisions of "PyCryptoPlus"

Back to SAGE & cryptology

Info

Author & Download

This is a development done by Christophe Oosterlynck under my supervision during his thesis work & internship at NXP.

The code is available on repo.or.cz and on github, which may be easier if you wan to submit pull requests.

Differences with pycrypto

• ciphers from pycrypto are being used with the python chaining modes and not the original pycrypto ones
  => plaintext can be supplied in arbitrary sizes instead of multiples of the blocksize like in pycrypto: the new chaining modes keep a cache to encrypt/decrypt data once the cachesize holds at least a blocksize of data
• new possibilities:
  • Rijndael, Serpent, Twofish
    • Rijndael is limited to blocksizes of 128, 192 and 256 bits
  • CMAC, XTS, CTR
    • XTS is usable for ciphers with blocksizes of 16 bytes => XTS-AES, Serpent, Twofish
    • XTS encrypts the given input at once while all other chain modes encrypt only when a block plaintext is available in the cache
    • CMAC is usable for blocksizes of 8 and 16 bytes
  • OFB,CFB and CTR can be accessed as a stream cipher (you get the encrypted message immediately, you don't have to wait until a complete block of plaintext has been provided to the cipher)
  • new Hash functions: extended SHA family, Whirpool, RadioGatùn, PBKDF2
• test functions are available via doctests and extensive tests that loop through dictionary of test vectors
  • new pycrypto version will have it's own test bench for ciphers, this is not implemented yet

source structure

TODO

• check other implementation of Blowfish
• use unittest for test functions
• check development of pycrypto:
  • Util.Counter & Util._counter
  • SelfTest: usable to perform the test for python algo's in CryptoPlus if testvectors are in right format?

Licenses

http://opensource.org/

Used by others

• used from python truecrypt implementation
  all original code is under MIT license (much freedom according to [1])
  • pyTwofish (untouched)
    python truecrypt author isn't the original author = > extra copyright notice that should be left in place
  • pyserpent (untouched)
    python truecrypt author isn't the original author = > extra copyright notice that should be left in place
  • XTS (modified)
    python truecrypt author is the original author => only MIT License
  • GF2n.py(untouched)
    python truecrypt author is the original author => only MIT License
• pyblowfish (untouched)
  gpl or artistic license
  To not affect the rest of the distribution we've to redistribute it only under Artistic license terms
• rijndael.py (untouched)
  using tls lite (public domain) implementation which uses code from Bram Cohen (public domain)
• pyDes (untouched)
  public domain according to its homepage
• blockciphers CBC, ECB, CTR from [2] (modified)
  keep copyright notice in place?
• CMAC: omac.py
  GPL but not really used it, just used as a starting point

Used in CryptoPlus

• pypresent.py
  • MIT license

Cipher module

Test Vectors

• Collection of test vectors for a broad group of ciphers
  • http://www.3amsystems.com/monetics/vectors.htm
  • https://www.cosic.esat.kuleuven.be/nessie/testvectors/
• AES, DES, 3DES: http://csrc.nist.gov/groups/STM/cavp/standards.html
  • AES in CBC, CTR, OFB, CFB: html version of pdf
  • CMAC test vectors in Special Publication 800-38B are faulty, use the corrected ones from here
• Rijndael: http://fp.gladman.plus.com/cryptography_technology/rijndael/
  • zip file contains a full set of round values for each of the 25 block and key length combinations from 128, 160, 192, 224 and 256 bits for one input block and one key value
• DES (enkel ECB): http://www.skepticfiles.org/faq/testdes.htm
• Blowfish: http://www.schneier.com/code/vectors.txt
• Serpent: http://www.cs.technion.ac.il/~biham/Reports/Serpent/
• Twofish: http://www.schneier.com/code/ecb_ival.txt
• AES, DES: http://svn.python.org/projects/external/openssl-0.9.8a/test/evptests.txt
• CMAC
  • AES & TDES: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
  • AES, TDES2 & TDES3: http://csrc.nist.gov/groups/STM/cavp/documents/mac/cmactestvectors.zip
    • fax folder contains usefull stuff: generation and verification tests with results
      generation test: generate a correct mac
      verification test: verify if provided mac for plaintext is correct
• XTS-AES: IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
• ARC2: http://www.ietf.org/rfc/rfc2268.txt
  • will be available in pycrypto >2.0.1
• CAST: http://www.rfc-editor.org/rfc/rfc2144.txt

Chaining Modes

• Wikipedia
• NIST
• XTS:
  • https://siswg.net/index.php?option=com_content&task=view&id=38&Itemid=73
  • http://blog.bjrn.se/2008/02/truecrypt-explained-truecrypt-5-update.html
  • http://en.wikipedia.org/wiki/IEEE_P1619 = XTS-AES
  • XTS-AES: IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
  • Comments: [3]
    • "It should be mentioned explicitly in the description that when enciphering many blocks, successive T values can and should be computed from prior ones via multiplication by alpha (providing that i remains fixed). This optimization, which is one of the best features of XEX, should be explicitly recommended in the standard."
• CMAC = OMAC1:
  • AES-CMAC: http://tools.ietf.org/html/rfc4493#page-2
  • NIST:
    Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication:SP 800-38B.pdf
    Updated CMAC Examples
  • OMAC.py: http://github.com/jlhutch/jac/tree/master/omac.py
  • OMAC page: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html

Ciphers

• Serpent
  • http://www.cl.cam.ac.uk/~rja14/serpent.html
  • python implementation used at the moment in earlier versions: http://psionicist.online.fr/code/
  • alternative python implementation (used in current version): http://www.cl.cam.ac.uk/~fms27/serpent/
    • more info on this python implementation: http://www.cl.cam.ac.uk/~fms27/serpent/serpent-abstract.html
• Present
  • Article: PRESENT: An Ultra-Lightweight Block Cipher
  • Test Vector generator + ANSI-C implementation of present: [4]
  • own implementation
• ARC2
  • http://www.ietf.org/rfc/rfc2268.txt: publication + testvectors
  • current pycrypto implementation fails all testvectors because of not correctly handling the "effective keylength". Fixed in upcoming release (+2.0.1) bugreportbugfix
• CAST
  • http://www.rfc-editor.org/rfc/rfc2144.txt
• RC5
  • http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC5
  • http://people.csail.mit.edu/rivest/Rivest-rc5.pdf
  • ftp://ftp.nordu.net/rfc/rfc2040.txt

Hash Module

Current Situation

• MD5
  • http://www.rfc-editor.org/rfc/rfc1321.txt
  • good implementation in pypy (Python License)
• SHA family
  • FIPS 180-2
  • SHA1: http://www.rfc-editor.org/rfc/rfc3174.txt
  • SHA-1 available in pypy (Python License)
    • can be modified for other SHA's
    • uses standard python hash api
  • SHA-256 implementation: https://vcs.slash-me.net/snippets/sha256/sha256.py
    • short code but less readable than the one from pypy
  • SHA-224, 256, 384, and 512 at http://reikon.us/sha2/
    • less readable than pypy implementation (pypy is using same structure for md5 and sha1)
    • uses same API as standard python hashing modules
    • MIT License
• Whirlpool
  • Homepage
  • available here: python truecrypt implementation
• RipeMD
  • http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
  • RipeMD-160 available as pure python implementation in current pycrypto development
    =>RipeMD and python_RipeMD will point to the same pycrypto ripemd implementation
  • modify to add RipeMD-128?
• RadioGatun
  • http://radiogatun.noekeon.org/
    • reference C-code
    • testvectors
• HMAC
  • available in python and pypy as pure python
    -> same implementation used in pycrypto: no need to copy it again in cryptoplus?
• PBKDF2
  • implementation from new pycrypto developer: http://www.dlitz.net/software/python-pbkdf2/
  • standard + testvectors: RFC 3962

Stream Ciphers

• SNOW2 / SNOW3G
  • http://www.it.lth.se/cryptology/snow/
  • Snow 3G
    • www.gsmworld.com/using/algorithms/docs/snow_3g_spec.pdf
    • "The main difference in SNOW 3G is the addition of a second S-box giving higher resistance against possible future advances in algebraic cryptanalysis"[5]
  • LFSR, FSM, S-Box
• Grain
  • http://www.ecrypt.eu.org/stream/grainpf.html
  • LFSR, NFSR, output function
• Trivium
  • http://www.ecrypt.eu.org/stream/triviumpf.html
• LFSR
• (self)Shrinking Generator
• ARC4
  • http://en.wikipedia.org/wiki/RC4
• XOR

Various info

Python