Difference between revisions of "PyCryptoPlus"
Back to [[SAGE & cryptology]]

== Info ==

=== Author & Download ===

This is a development done by Christophe Oosterlynck under my supervision during his thesis work & internship at NXP.

The code is available [http://repo.or.cz/w/python-cryptoplus.git on repo.or.cz] and [https://github.com/doegox/python-cryptoplus on github], which may be easier if you want to submit pull requests.

=== Differences with pycrypto ===

{|border="1"
|-
| ||CryptoPlus||PyCrypto
|- style="background-color:#dddddd;"
! align="left" colspan="8"|Block Ciphers
|- style="background-color:#eeeeee;"
| align="left" colspan="8"|Block cipher algorithms
|-
| Serpent || Py ||
|-
| Blowfish || Py || C
|-
| Twofish || Py ||
|-
| IDEA || || C
|-
| DES || Py || C
|-
| 3DES || Py || C
|-
| AES || Py || C
|-
| Rijndael || Py ||
|-
| Present || Py ||
|- style="background-color:#eeeeee;"
| align="left" colspan="8"|Modes of operation
|-
| CMAC || Py ||
|-
| XCBC || ||
|-
| CBC-MAC || ||
|-
| CCM || ||
|-
| GCM || ||
|-
| ECB || Py || C
|-
| CBC || Py || C
|-
| CTR || Py || C
|-
| LRW || ||
|-
| XTS || Py ||
|-
| MDC-2 || ||
|- style="background-color:#eeeeee;"
| align="left" colspan="8"|Paddings
|-
| bit padding || Py ||
|-
| zeros || Py ||
|-
| PKCS7 || Py ||
|-
| PKCS12 || Py ||
|-
| ISO 10126 || Py ||
|-
| ANSI X.923 || Py ||
|- style="background-color:#dddddd;"
! align="left" colspan="8"|One-way Functions
|-
| MD5 || Py || C
|-
| SHA Family || Py (SHA-1 & SHA-2 family) || C (SHA-1 & 256)
|-
| Whirlpool || Py ||
|-
| RipeMD || Py || Py
|-
| RadioGatun || Py ||
|-
| HMAC || Py || Py
|-
| PBKDF2 || Py ||
|}

*ciphers from pycrypto are used with the python chaining modes and not the original pycrypto ones<br>=> plaintext can be supplied in arbitrary sizes instead of multiples of the blocksize like in pycrypto: the new chaining modes keep a cache and encrypt/decrypt data once the cache holds at least a blocksize of data
* new possibilities:
** Rijndael, Serpent, Twofish
*** Rijndael is limited to blocksizes of 128, 192 and 256 bits
** CMAC, XTS, CTR
*** XTS is usable for ciphers with blocksizes of 16 bytes => XTS-AES, Serpent, Twofish
*** XTS encrypts the given input at once while all other chain modes encrypt only when a block of plaintext is available in the cache
*** CMAC is usable for blocksizes of 8 and 16 bytes
** OFB, CFB and CTR can be accessed as a stream cipher (you get the encrypted message immediately, you don't have to wait until a complete block of plaintext has been provided to the cipher)
** new Hash functions: extended SHA family, Whirlpool, RadioGatún, PBKDF2
* test functions are available via doctests and extensive tests that loop through dictionaries of test vectors
** the new pycrypto version will have its own test bench for ciphers; this is not implemented yet

=== source structure ===

{|border="1" cellpadding="5"
|-style="background-color:#dddddd;"
! align="left" colspan="2"| root of CryptoPlus package
|-
|src/Protocol.py
|make all Crypto.Protocol modules available under CryptoPlus.Protocol
|-
|src/PublicKey.py
|make all Crypto.PublicKey modules available under CryptoPlus.PublicKey
|-
|src/__init__.py
|make the following modules available under the CryptoPlus package:
*always: "Cipher","PublicKey","Util","Protocol","Hash","testvectors"
*if pycrypto > 2.0.1: "SelfTest", "Random"
|-
|src/testvectors.py
|
*contains dictionaries with testvectors for: CBC, CFB, OFB and CTR with AES, DES, TDES2/3, Serpent128/192/256, CMAC-AES128/192/256, CMAC-TDES2/3, XTS-AES
*used by test/test.py
|-style="background-color:#dddddd;"
! align="left" colspan="2"| CryptoPlus.Cipher subpackage
|-
|src/Cipher/__init__.py
|specify all the ciphers in the CryptoPlus.Cipher package + import of the stream ciphers ARC4 and XOR
|-
|src/Cipher/blockcipher.py
|
* class BlockCipher: parent class for every cipher you construct. Holds some variables (key, blocksize) and objects (blockcipher, chain mode).
* classes for every chain mode: the BlockCipher uses one of these as the chaining mode object. They are all own python code but sometimes based on incomplete code that was available.
|-style="background-color:#eeeeee;"
! colspan="2"| Wrappers for pycrypto
|-
|src/Cipher/AES.py
|
*wraps Crypto.Cipher.AES
*doctests for: ECB, CBC, CFB, OFB, CTR, XTS, CMAC
|-
|src/Cipher/ARC2.py
|
*wraps Crypto.Cipher.ARC2
*doctests for: 1 ECB example
|-
|src/Cipher/Blowfish.py
|
*wraps Crypto.Cipher.Blowfish
*doctests for: ECB, CBC, CFB, OFB
|-
|src/Cipher/CAST.py
|
*wraps Crypto.Cipher.CAST
*doctests for: 2 ECB examples (128 bit and 40 bit key size)
|-
|src/Cipher/DES.py
|
*wraps Crypto.Cipher.DES
*doctests for: ECB
|-
|src/Cipher/DES3.py
|
*wraps Crypto.Cipher.DES3
*doctests for: CBC, CMAC TDES-EDE3, CMAC TDES-EDE2
|-
|src/Cipher/IDEA.py
|
*wraps Crypto.Cipher.IDEA
*doctests for: 1 ECB example
|-
|src/Cipher/RC5.py
|
*wraps Crypto.Cipher.RC5
*doctests for: 1 ECB example
|-style="background-color:#eeeeee;"
! colspan="2"| Wrappers for pure python implementations
|-
|src/Cipher/python_AES.py
|
* wraps rijndael.py (only for the AES blocksize of 128 bits)
* doctests same as in the pycrypto wrapper
|-
|src/Cipher/python_Blowfish.py
|
* wraps pyblowfish.py
* doctests same as in the pycrypto wrapper
|-
|src/Cipher/python_DES.py
|
* wraps pyDes.py (only using the "des" class)
* doctests same as in the pycrypto wrapper
|-
|src/Cipher/python_DES3.py
|
* wraps pyDes.py (only using the "triple_des" class)
* doctests same as in the pycrypto wrapper
|-
|src/Cipher/python_Rijndael.py
|
* wraps pyrijndael.py
* doctests for ECB, CBC, XTS (CBC and XTS are AES test vectors)
|-
|src/Cipher/python_Serpent.py
|
* wraps pyserpent.py
* doctests for ECB, CBC
|-
|src/Cipher/python_Twofish.py
|
* wraps pytwofish.py
* doctests for ECB
|-
|src/Cipher/python_PRESENT.py
|
* wraps pypresent.py
* doctests for ECB and with a varying number of rounds (verified with the reference C implementation)
|-style="background-color:#eeeeee;"
! colspan="2"| Pure python implementations for blockciphers
|-
|src/Cipher/pyDes.py
|
* originally found here: http://twhiteman.netfirms.com/des.html
|-
|src/Cipher/pyblowfish.py
|
* originally found here: http://www.michaelgilfix.com/files/blowfish.py
|-
|src/Cipher/pyserpent.py
|
* originally found here: http://www.cl.cam.ac.uk/~fms27/serpent/
* added a class to wrap all the functions needed in one class so that the serpent cipher can be accessed like all other pure python ciphers
|-
|src/Cipher/pytwofish.py
|
* originally found here: http://psionicist.online.fr/code/ (python truecrypt)
|-
|src/Cipher/rijndael.py
|
* originally found here: http://bitconjurer.org/rijndael.py but using the modified version of tlslite (compatibility fix with python 2.4)
|-
|src/Cipher/pypresent.py
|
* own implementation
* based on documentation here: http://www.crypto.ruhr-uni-bochum.de/en_publications.html
|-style="background-color:#dddddd;"
! align="left" colspan="2"| CryptoPlus.Hash subpackage
|-
|src/Hash/__init__.py
|specify all the ciphers in the CryptoPlus.Hash package (new implementations and imports from pycrypto)
|-
|src/Hash/python_*.py
|
* wrappers for the pure python (py*.py) implementations of hash functions
* provide a "new()" function and some doctests
|-
|src/Hash/py*.py
|
*pure python implementations of hash functions
*pyradiogatun.py is own code, the rest is gathered from other sources
|-style="background-color:#dddddd;"
! align="left" colspan="2"| CryptoPlus.Random subpackage (only used if pycrypto version > 2.0.1)
|-
|src/Util/__init__.py
|
*import modules from original Crypto.Random: _UserFriendlyRNG, atfork, random
|-
|src/Util/Fortuna.py
|
*imports Crypto.Random.Fortuna.*
|-
|src/Util/OSRNG.py
|
*imports Crypto.Random.OSRNG.*
|-style="background-color:#dddddd;"
! align="left" colspan="2"| CryptoPlus.Util subpackage
|-
|src/Util/__init__.py
|
*import modules from original Crypto.Util: number, randpool, RFC1751, python_compat
*make new modules available: padding, util
|-
|src/Util/number.py<br>src/Util/randpool.py<br>src/Util/RFC1751.py
|
*wrappers for the respective Crypto.Util modules
|-
|src/Util/python_compat.py
|
*wrapper for Crypto.Util.python_compat if pycrypto > 2.0.1
|-
|src/Util/padding.py
|
*own code for (un)padding raw strings
*doctest for every padding function
|-
|src/Util/util.py
|
*provides: number2string, roundUp, string2number, xorstring
|-style="background-color:#dddddd;"
! align="left" colspan="2"| Test scripts
|-
|test/test.py
|runs extensive tests with verified test vectors for: CBC, CFB, OFB and CTR with AES, DES, TDES2/3, Serpent128/192/256, CMAC-AES128/192/256, CMAC-TDES2/3, XTS-AES, PRESENT (80 and 128 bit key), Twofish (128/192/256 bit keys)
|-
|test/test_doctests.py
|script to run all doctests available in every cipher wrapper (pure python and pycrypto wrapper)
|}

==TODO==
*check other implementation of Blowfish
* use unittest for test functions
* check development of pycrypto:
** Util.Counter & Util._counter
** SelfTest: usable to perform the tests for the python algorithms in CryptoPlus if the testvectors are in the right format?

==Licenses==
http://opensource.org/

=== Used by others ===
*used from [http://psionicist.online.fr/code/pytruecrypt/ python truecrypt implementation]<br>all original code is under MIT license (much freedom according to [http://blog.bjrn.se/2008/02/truecrypt-explained-truecrypt-5-update.html])
**pyTwofish (untouched)<br>python truecrypt author isn't the original author => extra copyright notice that should be left in place
**pyserpent (untouched)<br>python truecrypt author isn't the original author => extra copyright notice that should be left in place
**XTS (modified)<br>python truecrypt author is the original author => only MIT License
**GF2n.py (untouched)<br>python truecrypt author is the original author => only MIT License
*pyblowfish (untouched)<br>GPL or Artistic license<br>To not affect the rest of the distribution we have to redistribute it only under the Artistic license terms
*rijndael.py (untouched)<br>using the tlslite (public domain) implementation which uses code from Bram Cohen (public domain)
*pyDes (untouched)<br>public domain according to its homepage
*blockciphers CBC, ECB, CTR from [http://www.nightsong.com/phr/crypto/blockcipher.tgz] (modified)<br>keep copyright notice in place?
*CMAC: [http://github.com/jlhutch/jac/tree/master/omac.py omac.py]<br>GPL, but not really used, only as a starting point

=== Used in CryptoPlus ===
*pypresent.py
** MIT license

==Cipher module==
===Test Vectors===
*Collection of test vectors for a broad group of ciphers
** http://www.3amsystems.com/monetics/vectors.htm
** https://www.cosic.esat.kuleuven.be/nessie/testvectors/
*AES, DES, 3DES: http://csrc.nist.gov/groups/STM/cavp/standards.html
**AES in CBC, CTR, OFB, CFB: [http://cryptome.org/bcm/sp800-38a.htm html version of the pdf]
**CMAC test vectors in ''Special Publication 800-38B'' are faulty, use the corrected ones from [http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf here]
*Rijndael: http://fp.gladman.plus.com/cryptography_technology/rijndael/
**zip file contains a full set of round values for each of the 25 block and key length combinations from 128, 160, 192, 224 and 256 bits for '''one input block''' and one key value
*DES (ECB only): http://www.skepticfiles.org/faq/testdes.htm
*Blowfish: http://www.schneier.com/code/vectors.txt
*Serpent: http://www.cs.technion.ac.il/~biham/Reports/Serpent/
*Twofish: http://www.schneier.com/code/ecb_ival.txt
*AES, DES: http://svn.python.org/projects/external/openssl-0.9.8a/test/evptests.txt
*CMAC
**AES & TDES: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
**AES, TDES2 & TDES3: http://csrc.nist.gov/groups/STM/cavp/documents/mac/cmactestvectors.zip
***the fax folder contains useful material: generation and verification tests with results<br>generation test: generate a correct MAC<br>verification test: verify whether the provided MAC for a plaintext is correct
*XTS-AES: [http://grouper.ieee.org/groups/1619/email/pdf00086.pdf IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices]
*ARC2: http://www.ietf.org/rfc/rfc2268.txt
** will be available in pycrypto > 2.0.1
*CAST: http://www.rfc-editor.org/rfc/rfc2144.txt
===Chaining Modes===
*Wikipedia
*[http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html NIST]
*XTS:
**https://siswg.net/index.php?option=com_content&task=view&id=38&Itemid=73
**http://blog.bjrn.se/2008/02/truecrypt-explained-truecrypt-5-update.html
**http://en.wikipedia.org/wiki/IEEE_P1619 = [http://grouper.ieee.org/groups/1619/email/pdf00086.pdf XTS-AES]
**XTS-AES: [http://grouper.ieee.org/groups/1619/email/pdf00086.pdf IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices]
** Comments: [http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/XTS_comments-Liskov_Minematsu.pdf]
***"It should be mentioned explicitly in the description that when enciphering many blocks, successive T values can and should be computed from prior ones via multiplication by alpha (providing that i remains fixed). This optimization, which is one of the best features of XEX, should be explicitly recommended in the standard."
*CMAC = OMAC1:
** AES-CMAC: http://tools.ietf.org/html/rfc4493#page-2
** NIST:<br>Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication: SP 800-38B.pdf<br>Updated CMAC Examples
** OMAC.py: http://github.com/jlhutch/jac/tree/master/omac.py
** OMAC page: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
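The "multiplication by alpha" step that the XTS comment above asks for, and the CMAC subkey doubling it shares, as an added example (not code from python-cryptoplus or from the cited standards). It assumes the big-endian CMAC convention of RFC 4493 / SP 800-38B and the little-endian tweak convention of IEEE P1619; the L block is the RFC 4493 subkey-generation example value, passed in so no AES is needed.

```python
"""Added example (not code from python-cryptoplus): the GF(2^128) doubling
behind both modes.  CMAC / OMAC1 derives K1, K2 by doubling L = E_K(0) in
big-endian bit order; XTS steps the tweak T_{j+1} = T_j * alpha in
little-endian bit order, so successive tweaks cost one shift each."""

# Reduction constants for the standard polynomials, keyed by block size:
# 128-bit: x^128 + x^7 + x^2 + x + 1 -> 0x87;  64-bit: x^64 + x^4 + x^3 + x + 1 -> 0x1B
RB = {16: 0x87, 8: 0x1B}


def cmac_double(block: bytes) -> bytes:
    """Multiply by x in GF(2^(8n)), big-endian (CMAC convention): shift left
    one bit and XOR the constant when the top bit falls off."""
    n = len(block)
    value = int.from_bytes(block, "big") << 1
    if value >> (8 * n):
        value ^= RB[n]
    return (value & ((1 << (8 * n)) - 1)).to_bytes(n, "big")


def cmac_subkeys(l_block: bytes) -> tuple:
    """K1 = double(L), K2 = double(K1).  l_block is E_K(0^blocksize) and is
    passed in so this runs without AES or TDES."""
    k1 = cmac_double(l_block)
    return k1, cmac_double(k1)


def xts_next_tweak(tweak: bytes) -> bytes:
    """T * alpha in GF(2^128) with IEEE P1619 bit ordering: byte 0 holds the
    lowest coefficients, the carry runs from byte 0 towards byte 15 and the
    overflow feeds back into byte 0."""
    value = int.from_bytes(tweak, "little") << 1
    if value >> 128:
        value ^= RB[16]
    return (value & ((1 << 128) - 1)).to_bytes(16, "little")


def xts_tweaks(t0: bytes, count: int) -> list:
    """Tweaks for blocks 0..count-1 of one data unit, each derived from the
    previous one (one shift per block instead of j multiplications)."""
    out, t = [], t0
    for _ in range(count):
        out.append(t)
        t = xts_next_tweak(t)
    return out


def xts_tweak_from_scratch(t0: bytes, j: int) -> bytes:
    """T0 * alpha^j by j doublings; only here to cross-check xts_tweaks."""
    t = t0
    for _ in range(j):
        t = xts_next_tweak(t)
    return t


if __name__ == "__main__":
    # L = AES-128(K, 0^128) from the RFC 4493 subkey generation example.
    l_block = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")
    k1, k2 = cmac_subkeys(l_block)
    print("K1", k1.hex())  # fbeed618357133667c85e08f7236a8de
    print("K2", k2.hex())  # f7ddac306ae266ccf90bc11ee46d513b
    t0 = b"\x01" + bytes(15)  # constructed tweak: the field element 1
    print([t.hex() for t in xts_tweaks(t0, 3)])
```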
+ | |||
+ | ===Ciphers=== |
||
+ | *Serpent |
||
+ | ** http://www.cl.cam.ac.uk/~rja14/serpent.html |
||
+ | ** python implementation used <del>at the moment</del> in earlier versions: http://psionicist.online.fr/code/ |
||
+ | ** alternative python implementation (used in current version): http://www.cl.cam.ac.uk/~fms27/serpent/ |
||
+ | *** more info on this python implementation: http://www.cl.cam.ac.uk/~fms27/serpent/serpent-abstract.html |
||
+ | *Present |
||
+ | **Article: [http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/texte/publications/conferences/present_ches2007.pdf PRESENT: An Ultra-Lightweight Block Cipher] |
||
+ | **Test Vector generator + ANSI-C implementation of present: [http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/texte/publications/conferences/slides/present_testvectors.zip] |
||
+ | **[[Present python implementation | own implementation]] |
||
+ | *ARC2 |
||
+ | ** http://www.ietf.org/rfc/rfc2268.txt: publication + testvectors |
||
+ | ** current pycrypto implementation fails all testvectors because of not correctly handling the "effective keylength". Fixed in upcoming release (+2.0.1) [https://bugs.launchpad.net/pycrypto/+bug/269843 bugreport][http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.0.x.git;a=commitdiff;h=4820664350a42ecca81cede53a6cb349fcffacde bugfix] |
||
+ | *CAST |
||
+ | **http://www.rfc-editor.org/rfc/rfc2144.txt |
||
+ | *RC5 |
||
+ | **http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC5 |
||
+ | **http://people.csail.mit.edu/rivest/Rivest-rc5.pdf |
||
+ | **ftp://ftp.nordu.net/rfc/rfc2040.txt |
||
+ | |||
== Hash Module ==
=== Current Situation ===
*MD5
**http://www.rfc-editor.org/rfc/rfc1321.txt
**good implementation in [http://codespeak.net/svn/pypy/dist/pypy/lib/md5.py pypy] (Python License)
*SHA family
**[http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf FIPS 180-2]
**SHA1: http://www.rfc-editor.org/rfc/rfc3174.txt
**SHA-1 available in [http://codespeak.net/svn/pypy/dist/pypy/lib/sha.py pypy] (Python License)
***can be modified for the other SHAs
***uses the standard python hash API
**SHA-256 implementation: https://vcs.slash-me.net/snippets/sha256/sha256.py
***short code but less readable than the one from pypy
**SHA-224, 256, 384, and 512 at http://reikon.us/sha2/
***less readable than the pypy implementation (pypy uses the same structure for md5 and sha1)
***uses the same API as the standard python hashing modules
***MIT License
*Whirlpool
**[http://paginas.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html Homepage]
**available here: [http://www.bjrn.se/code/whirlpoolpy.txt python truecrypt implementation]
*RipeMD
**http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
**RipeMD-160 is available as a pure python implementation in the current pycrypto development<br>=> RipeMD and python_RipeMD will point to the same pycrypto ripemd implementation
**modify to add RipeMD-128?
*RadioGatun
**http://radiogatun.noekeon.org/
***reference C code
***testvectors
*HMAC
**available in python and pypy as pure python<br>-> the same implementation is used in pycrypto: no need to copy it again in cryptoplus?
*PBKDF2
**implementation from the new pycrypto developer: http://www.dlitz.net/software/python-pbkdf2/
**standard + testvectors: [http://www.ietf.org/rfc/rfc3962.txt RFC 3962]

== Stream Ciphers ==
*SNOW2 / SNOW3G
**http://www.it.lth.se/cryptology/snow/
**Snow 3G
***www.gsmworld.com/using/algorithms/docs/snow_3g_spec.pdf
***"The main difference in SNOW 3G is the addition of a second S-box giving higher resistance against possible future advances in algebraic cryptanalysis" [http://www.ecrypt.eu.org/documents/D.SPA.21-1.1.pdf]
**LFSR, FSM, S-Box
*Grain
**http://www.ecrypt.eu.org/stream/grainpf.html
**LFSR, NFSR, output function
*Trivium
**http://www.ecrypt.eu.org/stream/triviumpf.html
*LFSR
*(self)Shrinking Generator
*ARC4
**http://en.wikipedia.org/wiki/RC4
*XOR

== Various info ==

=== [[Python]] ===
Latest revision as of 22:46, 21 March 2014
Back to SAGE & cryptology
Info
Author & Download
This is a development done by Christophe Oosterlynck under my supervision during his thesis work & internship at NXP.
The code is available on repo.or.cz and on github, which may be easier if you wan to submit pull requests.
Differences with pycrypto
CryptoPlus | PyCrypto | ||||||
Block Ciphers | |||||||
---|---|---|---|---|---|---|---|
Block cipher algorithms | |||||||
Serpent | Py | ||||||
Blowfish | Py | C | |||||
Twofish | Py | ||||||
Idea | C | ||||||
DES | Py | C | |||||
3DES | Py | C | |||||
AES | Py | C | |||||
Rijndael | Py | ||||||
Present | Py | ||||||
Modes of operation | |||||||
CMAC | Py | ||||||
XCBC | |||||||
CBC-MAC | |||||||
CCM | |||||||
GCM | |||||||
ECB | Py | C | |||||
CBC | Py | C | |||||
CTR | Py | C | |||||
LRW | |||||||
XTS | Py | ||||||
MDC-2 | |||||||
Paddings | |||||||
bit padding | Py | ||||||
zeros | Py | ||||||
PKCS7 | Py | ||||||
PKCS12 | Py | ||||||
ISO 10126 | Py | ||||||
ANSI X.923 | Py | ||||||
One-way Functions | |||||||
MD5 | Py | C | |||||
SHA Family | Py (SHA1 & SHA2 family) | C (SHA-1 & 256) | |||||
Whirlpool | Py | ||||||
RipeMD | Py | Py | |||||
RadioGatun | Py | ||||||
HMAC | Py | Py | |||||
PBKDF2 | Py |
- ciphers from pycrypto are being used with the python chaining modes and not the original pycrypto ones
=> plaintext can be supplied in arbitrary sizes instead of multiples of the blocksize like in pycrypto: the new chaining modes keep a cache to encrypt/decrypt data once the cachesize holds at least a blocksize of data - new possibilities:
- Rijndael, Serpent, Twofish
- Rijndael is limited to blocksizes of 128, 192 and 256 bits
- CMAC, XTS, CTR
- XTS is usable for ciphers with blocksizes of 16 bytes => XTS-AES, Serpent, Twofish
- XTS encrypts the given input at once while all other chain modes encrypt only when a block plaintext is available in the cache
- CMAC is usable for blocksizes of 8 and 16 bytes
- OFB,CFB and CTR can be accessed as a stream cipher (you get the encrypted message immediately, you don't have to wait until a complete block of plaintext has been provided to the cipher)
- new Hash functions: extended SHA family, Whirpool, RadioGatùn, PBKDF2
- Rijndael, Serpent, Twofish
- test functions are available via doctests and extensive tests that loop through dictionary of test vectors
- new pycrypto version will have it's own test bench for ciphers, this is not implemented yet
source structure
root of CryptoPlus package | |
---|---|
src/Protocol.py | make all Crypto.Protocol modules available under CryptoPlus.Protocol |
src/PublicKey.py | make all Crypto.PublicKey modules available under CryptoPlus.PublicKey |
src/__init__.py | make the following modules available under the CryptoPlus package:
|
src/testvectors.py |
|
CryptoPlus.Cipher subpackage | |
src/Cipher/__init__.py | specify all the ciphers in the CryptoPlus.Cipher package + import of the streamcipher ARC4 and XOR |
src/Cipher/blockcipher.py |
|
Wrappers for pycrypto | |
src/Cipher/AES.py |
|
src/Cipher/ARC2.py |
|
src/Cipher/Blowfish.py |
|
src/Cipher/CAST.py |
|
src/Cipher/DES.py |
|
src/Cipher/DES3.py |
|
src/Cipher/IDEA.py |
|
src/Cipher/RC5.py |
|
Wrappers for pure python implementations | |
src/Cipher/python_AES.py |
|
src/Cipher/python_Blowfish.py |
|
src/Cipher/python_DES.py |
|
src/Cipher/python_DES3.py |
|
src/Cipher/python_Rijndael.py |
|
src/Cipher/python_Serpent.py |
|
src/Cipher/python_Twofish.py |
|
src/Cipher/python_PRESENT.py |
|
Pure python implementations for blockciphers | |
src/Cipher/pyDes.py |
|
src/Cipher/pyblowfish.py |
|
src/Cipher/pyserpent.py |
|
src/Cipher/pytwofish.py |
|
src/Cipher/rijndael.py |
|
src/Cipher/pypresent.py |
|
CryptoPlus.Hash subpackage | |
src/Hash/__init__.py | specify all the ciphers in the CryptoPlus.Hash package (new implementations and imports from pycrypto |
src/Hash/python_*.py |
|
src/Hash/py*.py |
|
CryptoPlus.Random subpackage (only used if pycrypto version > 2.0.1) | |
src/Util/__init__.py |
|
src/Util/Fortuna.py |
|
src/Util/OSRNG.py |
|
CryptoPlus.Util subpackage | |
src/Util/__init__.py |
|
src/Util/number.py src/Util/randpool.py src/Util/RFC1751.py |
|
src/Util/python_compat.py |
|
src/Util/padding.py |
|
src/Util/util.py |
|
Test scripts | |
test/test.py | runs extensive test with verified test vectors for: CBC, CFB, OFB and CTR with AES, DES,TDES2/3, Serpent128/192/256, CMAC-AES128/192/256, CMAC-TDES2/3, XTS-AES, PRESENT (80 and 128 bit key), Twofish (128/192/256bits keys) |
test/test_doctests.py | script to run all doctest available in every cipher wrapper (pure python and pycrypto wrapper) |
TODO
- check other implementation of Blowfish
- use unittest for test functions
- check development of pycrypto:
- Util.Counter & Util._counter
- SelfTest: usable to perform the test for python algo's in CryptoPlus if testvectors are in right format?
Licenses
Used by others
- used from python truecrypt implementation
all original code is under MIT license (much freedom according to [1])- pyTwofish (untouched)
python truecrypt author isn't the original author = > extra copyright notice that should be left in place - pyserpent (untouched)
python truecrypt author isn't the original author = > extra copyright notice that should be left in place - XTS (modified)
python truecrypt author is the original author => only MIT License - GF2n.py(untouched)
python truecrypt author is the original author => only MIT License
- pyTwofish (untouched)
- pyblowfish (untouched)
gpl or artistic license
To not affect the rest of the distribution we've to redistribute it only under Artistic license terms - rijndael.py (untouched)
using tls lite (public domain) implementation which uses code from Bram Cohen (public domain) - pyDes (untouched)
public domain according to its homepage - blockciphers CBC, ECB, CTR from [2] (modified)
keep copyright notice in place? - CMAC: omac.py
GPL but not really used it, just used as a starting point
Used in CryptoPlus
- pypresent.py
- MIT license
Cipher module
Test Vectors
- Collection of test vectors for a broad group of ciphers
- AES, DES, 3DES: http://csrc.nist.gov/groups/STM/cavp/standards.html
  - AES in CBC, CTR, OFB, CFB: html version of pdf
  - CMAC test vectors in Special Publication 800-38B are faulty, use the corrected ones from here
- Rijndael: http://fp.gladman.plus.com/cryptography_technology/rijndael/
  - zip file contains a full set of round values for each of the 25 block and key length combinations from 128, 160, 192, 224 and 256 bits for one input block and one key value
- DES (ECB only): http://www.skepticfiles.org/faq/testdes.htm
- Blowfish: http://www.schneier.com/code/vectors.txt
- Serpent: http://www.cs.technion.ac.il/~biham/Reports/Serpent/
- Twofish: http://www.schneier.com/code/ecb_ival.txt
- AES, DES: http://svn.python.org/projects/external/openssl-0.9.8a/test/evptests.txt
- CMAC
  - AES & TDES: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
  - AES, TDES2 & TDES3: http://csrc.nist.gov/groups/STM/cavp/documents/mac/cmactestvectors.zip
    - fax folder contains useful stuff: generation and verification tests with results
      - generation test: generate a correct MAC
      - verification test: verify whether the provided MAC for the plaintext is correct
- XTS-AES: IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
- ARC2: http://www.ietf.org/rfc/rfc2268.txt
  - will be available in pycrypto >2.0.1
- CAST: http://www.rfc-editor.org/rfc/rfc2144.txt
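The generation/verification distinction of the NIST CMAC test files above, shown in code. This is an added example, not CryptoPlus or pycrypto code: `cmac_subkeys`, `cmac`, `cmac_verify` and `run_tests` are my names, the block function is pluggable, and `demo_encrypt_block` is a constructed hash-based stand-in so the block runs without an AES implementation (in real use pass AES-128 encryption under the key). The only external value is L = AES-128_K(0^128) from the RFC 4493 subkey example, used to check the GF(2^128) doubling:

```python
"""CMAC generation and verification (SP 800-38B / RFC 4493) over a pluggable
16-byte block encryptor. Added example; not CryptoPlus code."""
import hashlib
import hmac

BLOCK = 16
RB = 0x87  # reduction constant for x^128 + x^7 + x^2 + x + 1 (SP 800-38B, MSB-first)
MASK128 = (1 << 128) - 1


def double_msb(block: bytes) -> bytes:
    """Multiply a 128-bit block by x in GF(2^128), big-endian bit order as in SP 800-38B."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:          # the shifted-out MSB was set: reduce
        v ^= RB
    return (v & MASK128).to_bytes(BLOCK, "big")


def cmac_subkeys(l_block: bytes):
    """Derive (K1, K2) from L = E_K(0^128), SP 800-38B section 6.1."""
    k1 = double_msb(l_block)
    return k1, double_msb(k1)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cmac(encrypt_block, msg: bytes, tlen: int = BLOCK) -> bytes:
    """Generation: compute a tlen-byte CMAC over msg with the given block encryptor."""
    k1, k2 = cmac_subkeys(encrypt_block(bytes(BLOCK)))
    n = max(1, -(-len(msg) // BLOCK))            # number of blocks, at least one
    last = msg[(n - 1) * BLOCK:]
    if msg and len(msg) % BLOCK == 0:            # complete final block: mask with K1
        last = _xor(last, k1)
    else:                                        # partial or empty: 10* padding, mask with K2
        last = _xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    x = bytes(BLOCK)
    for i in range(n - 1):
        x = encrypt_block(_xor(x, msg[i * BLOCK:(i + 1) * BLOCK]))
    return encrypt_block(_xor(x, last))[:tlen]


def cmac_verify(encrypt_block, msg: bytes, tag: bytes) -> bool:
    """Verification: recompute the MAC at the tag's length and compare in constant time."""
    if not 1 <= len(tag) <= BLOCK:
        return False
    return hmac.compare_digest(cmac(encrypt_block, msg, len(tag)), tag)


# Constructed stand-in for a real block cipher (hash-based keyed function), used only
# so the example runs without AES. For real use, pass AES-128 encryption under the key.
DEMO_KEY = b"constructed-demo-key-not-secret"


def demo_encrypt_block(block: bytes) -> bytes:
    return hashlib.sha256(DEMO_KEY + block).digest()[:BLOCK]


def run_tests() -> dict:
    """Generation test (known L -> subkeys) and verification tests, as the NIST 'fax' files do."""
    # L = AES-128_K(0^128) for the RFC 4493 example key; value taken from RFC 4493 section 4.
    k1, k2 = cmac_subkeys(bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f"))
    msg = b"constructed message for the demo block function"
    tag = cmac(demo_encrypt_block, msg)
    return {
        "k1": k1.hex(), "k2": k2.hex(),
        "full_ok": cmac_verify(demo_encrypt_block, msg, tag),
        "trunc8_ok": cmac_verify(demo_encrypt_block, msg, tag[:8]),
        "tampered_ok": cmac_verify(demo_encrypt_block, msg + b"!", tag),
    }


if __name__ == "__main__":
    print(run_tests())
```

A verification test differs from a generation test in two ways that matter for an implementation: the supplied MAC may be truncated (the verifier must recompute at the tag's length, never compare a prefix of a locally stored full tag against an attacker-chosen short tag of length 1), and the comparison must not leak timing, hence `hmac.compare_digest`.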
Chaining Modes
- Wikipedia
- NIST
- XTS:
  - https://siswg.net/index.php?option=com_content&task=view&id=38&Itemid=73
  - http://blog.bjrn.se/2008/02/truecrypt-explained-truecrypt-5-update.html
  - http://en.wikipedia.org/wiki/IEEE_P1619 = XTS-AES
  - XTS-AES: IEEE P1619TM/D16: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
  - Comments: [3]
    - "It should be mentioned explicitly in the description that when enciphering many blocks, successive T values can and should be computed from prior ones via multiplication by alpha (providing that i remains fixed). This optimization, which is one of the best features of XEX, should be explicitly recommended in the standard."
- CMAC = OMAC1:
  - AES-CMAC: http://tools.ietf.org/html/rfc4493#page-2
  - NIST:
    - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication: SP 800-38B.pdf
    - Updated CMAC Examples
  - OMAC.py: http://github.com/jlhutch/jac/tree/master/omac.py
  - OMAC page: http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
Ciphers
- Serpent
  - http://www.cl.cam.ac.uk/~rja14/serpent.html
  - python implementation used in earlier versions: http://psionicist.online.fr/code/
  - alternative python implementation (used in current version): http://www.cl.cam.ac.uk/~fms27/serpent/
    - more info on this python implementation: http://www.cl.cam.ac.uk/~fms27/serpent/serpent-abstract.html
- Present
  - Article: PRESENT: An Ultra-Lightweight Block Cipher
  - Test vector generator + ANSI-C implementation of PRESENT: [4]
  - own implementation
- ARC2
  - http://www.ietf.org/rfc/rfc2268.txt: publication + test vectors
  - current pycrypto implementation fails all test vectors because it does not correctly handle the "effective key length". Fixed in the upcoming release (after 2.0.1); see the bug report and bug fix
- CAST
- RC5
Hash Module
Current Situation
- MD5
  - http://www.rfc-editor.org/rfc/rfc1321.txt
  - good implementation in pypy (Python License)
- SHA family
  - FIPS 180-2
  - SHA1: http://www.rfc-editor.org/rfc/rfc3174.txt
  - SHA-1 available in pypy (Python License)
    - can be modified for the other SHAs
    - uses the standard python hash API
  - SHA-256 implementation: https://vcs.slash-me.net/snippets/sha256/sha256.py
    - short code but less readable than the one from pypy
  - SHA-224, 256, 384, and 512 at http://reikon.us/sha2/
    - less readable than the pypy implementation (pypy uses the same structure for md5 and sha1)
    - uses the same API as the standard python hashing modules
    - MIT License
- Whirlpool
  - Homepage
  - available here: python truecrypt implementation
- RipeMD
  - http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
  - RipeMD-160 available as a pure python implementation in current pycrypto development
    => RipeMD and python_RipeMD will point to the same pycrypto ripemd implementation
  - modify to add RipeMD-128?
- RadioGatun
  - http://radiogatun.noekeon.org/
    - reference C code
    - test vectors: http://radiogatun.noekeon.org/
- HMAC
  - available in python and pypy as pure python
    -> same implementation used in pycrypto: no need to copy it again in cryptoplus?
- PBKDF2
  - implementation from new pycrypto developer: http://www.dlitz.net/software/python-pbkdf2/
  - standard + test vectors: RFC 3962
Stream Ciphers
- SNOW2 / SNOW3G
  - http://www.it.lth.se/cryptology/snow/
  - Snow 3G
    - www.gsmworld.com/using/algorithms/docs/snow_3g_spec.pdf
    - "The main difference in SNOW 3G is the addition of a second S-box giving higher resistance against possible future advances in algebraic cryptanalysis"[5]
  - LFSR, FSM, S-Box
- Grain
  - http://www.ecrypt.eu.org/stream/grainpf.html
  - LFSR, NFSR, output function
- Trivium
  - LFSR
- (Self-)Shrinking Generator
- ARC4
- XOR