Can anyone suggest a good crypto package?

[Fett]

I need a crypto package that works on windows with python 2.5. Can
anyone suggest one for me?

I have been searching for a couple days for a good cryptography
package to use for public/private key encryption, at this point I
would settle for symmetric even.

Every encryption package I have found for python was either operating
system specific (read *nix only):
http://www.freenet.org.nz/ezPyCrypto/
http://www.keyczar.org/

There was one exception, this version was specifically built to run on
any platform (yay), but the compiler for windows complained that I
wasn't using python2.2 (though the package was said to only need 2.2
or newer).

Is there any crypto package that is actually written in python? I
seriously don't care how slow it is.

 

[Mike Driscoll]

I need a crypto package that works on windows with python 2.5. Can
anyone suggest one for me?

I have been searching for a couple days for a good cryptography
package to use for public/private key encryption, at this point I
would settle for symmetric even.

Every encryption package I have found for python was either operating
system specific (read *nix only):http://www.freenet.org.nz/ezPyCrypto/http://www.keyczar.org/

There was one exception, this version was specifically built to run on
any platform (yay), but the compiler for windows complained that I
wasn't using python2.2 (though the package was said to only need 2.2
or newer).

Is there any crypto package that is actually written in python? I
seriously don't care how slow it is.

How about M2Crypto: http://chandlerproject.org/Projects/MeTooCrypto#Downloads

Mike

 

[Fett]

How about M2Crypto:http://chandlerproject.org/Projects/MeTooCrypto#Downloads

Mike

Seems that this is intended more for webapps or something, I intend to
use this for a client application. This means that I can't require
outside dependencies, or I risk annoying the clients (if you have
installed many open-source projects with dependencies that aren't
handled by portage/apt-get, you know what I would be doing to them).

I seriously can't believe that there isn't a single python native
crypto package. Why do they all need to have outside dependencies?

 

[Mike Driscoll]

Seems that this is intended more for webapps or something, I intend to
use this for a client application. This means that I can't require
outside dependencies, or I risk annoying the clients (if you have
installed many open-source projects with dependencies that aren't
handled by portage/apt-get, you know what I would be doing to them).

I seriously can't believe that there isn't a single python native
crypto package. Why do they all need to have outside dependencies?

If you are distributing your application on Windows (which is what
your original post implied), then you can easily roll up dependencies
with py2exe / Gui2Exe and something like Inno Setup or NSIS. I'm going
to try to compile the crypto package (http://www.amk.ca/python/code/
crypto) into an installer for 2.5, but no promises.

Mike

 

[Paul Rubin]

Is there any crypto package that is actually written in python? I
seriously don't care how slow it is.

I wrote a simple symmetric encryption function in python:

http://nightsong.com/phr/crypto/p3.py

I wrote a somewhat fancier package that did public key a while back,
that is unreleased because of insufficient testing and some features
I'd like to have done differently, but I ought to get around to
cleaning it up sometime.

There is also tlslite, which you might be able to extract
some public key functions from: http://trevp.net/tlslite

 

[Trent Nelson]

I need a crypto package that works on windows with python 2.5. Can
anyone suggest one for me?

You could always rely on the the APIs Windows provides to do this
sort out stuff, either via pywin32 or ctypes.

Trent.

 

[Fett]

I wrote a simple symmetric encryption function in python:

 http://nightsong.com/phr/crypto/p3.py

I wrote a somewhat fancier package that did public key a while back,
that is unreleased because of insufficient testing and some features
I'd like to have done differently, but I ought to get around to
cleaning it up sometime.

There is also tlslite, which you might be able to extract
some public key functions from:  http://trevp.net/tlslite

Wow, I have no idea how that works, but I think it will do nicely. The
main goal is simply to ensure that data coming in (from a website), is
valid (ie. posted by me). The site is supposedly secure, and the code
only accepts data of the type I expect, so the only security risk was
someone posting bad data. This simple method should stop anyone from
bothering to do even that.

Kudos for writing the code in a way that I can see how it is used,
even without documentation this is small enough to dissect.

Thank you, I think we have a winner. (BTW, I have no idea how this
whole encrypting gives many strings, decrypting all gives the correct
one works, but it sure seems to work just fine, more fully featured
than I even felt I needed.)

 

[Michael Ströder]

Seems that this is intended more for webapps or something,

Why do you think so? It's a C wrapper module around the
OpenSSL crypto libs.

Ciao, Michael.

 

[M.-A. Lemburg]

I need a crypto package that works on windows with python 2.5. Can
anyone suggest one for me?

I have been searching for a couple days for a good cryptography
package to use for public/private key encryption, at this point I
would settle for symmetric even.

I'm not really sure what you're after, but if it's about end-to-end
encryption and authentication, then OpenSSL is the way to go, e.g.
using pyOpenSSL:

http://www.egenix.com/products/python/pyOpenSSL/

Every encryption package I have found for python was either operating
system specific (read *nix only):
http://www.freenet.org.nz/ezPyCrypto/
http://www.keyczar.org/

There was one exception, this version was specifically built to run on
any platform (yay), but the compiler for windows complained that I
wasn't using python2.2 (though the package was said to only need 2.2
or newer).

Is there any crypto package that is actually written in python? I
seriously don't care how slow it is.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Sep 05 2008)________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::


eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611

 

[Paul Rubin]

Wow, I have no idea how that works, but I think it will do nicely. The
main goal is simply to ensure that data coming in (from a website), is
valid (ie. posted by me).

If you just want to authenticate the strings without confidentiality,
use the built-in HMAC module. But beware of replay attacks.

Thank you, I think we have a winner. (BTW, I have no idea how this
whole encrypting gives many strings, decrypting all gives the correct
one works,

The plaintext gets a random string attached at encryption time, and
the random string gets removed at decryption. Of course there are
many possible random strings, so many possible ciphertexts for each
plaintext. That means the ciphertext is a necessarily somewhat longer
than the plaintext, so you have to be willing to deal with that.

Note there's possibly a lot of other subtle issues you have to be
careful of, like if you're authenticating a series of messages, how do
you detect if one has been repeated or dropped from the middle?
Until you've got all that figured out, you are leaving attacks possible.

 

[Fett]

If you just want to authenticate the strings without confidentiality,
use the built-in HMAC module. But beware of replay attacks.

I looked into this and it looks like I might be able to get by with
this. I didn't find this function before, I am asking my primary
customer if the signature would be sufficient.

I am having trouble seeing how I would post the encrypted data to a
website and get it back without it changing some. So this option might
work better for me (at least quicker), if he's ok with that option.

By replay attack I assume you mean posting old data with the signature
that is valid for that data? Thanks for the warning, I suppose I could
include a date/timestamp in the data.

Thanks again, this has been very helpful.

 

[Paul Rubin]

I am having trouble seeing how I would post the encrypted data to a
website and get it back without it changing some.

I don't understand why it would change. I'm a little confused though,
I didn't realize you wanted to post the data to a web site. What
exactly are you trying to do?

By replay attack I assume you mean posting old data with the signature
that is valid for that data?

Yes, the usual case is injecting an old message into a sequence of
messages that is part of a protocol.

Thanks for the warning, I suppose I could include a date/timestamp
in the data.

Be aware in general that security is a messy and difficult subject and
there are a lot of subtle errors you can make. You might look at some
of the articles at www.dwheeler.com or the book "Security Engineering"
(http://www.cl.cam.ac.uk/~rja14/book.html) to see some of the issues.

 

[Ricardo Aráoz]

Seems that this is intended more for webapps or something, I intend to
use this for a client application. This means that I can't require
outside dependencies, or I risk annoying the clients (if you have
installed many open-source projects with dependencies that aren't
handled by portage/apt-get, you know what I would be doing to them).

I seriously can't believe that there isn't a single python native
crypto package. Why do they all need to have outside dependencies?

Hi, maybe I'm a little late but today scanning through "The daily
Python-URL" I came through something that might be pertinent.

The link is http://www.keyczar.org/
And here is the intro to the site :
"""
Keyczar is an open source cryptographic toolkit designed to make it
easier and safer for developers to use cryptography in their
applications. Keyczar supports authentication and encryption with both
symmetric and asymmetric keys. Some features of Keyczar include:

* A simple API
* Key rotation and versioning
* Safe default algorithms, modes, and key lengths
* Automated generation of initialization vectors and ciphertext
signatures
* Java and Python implementations (C++ coming soon)
* International support in Java (Python coming soon)

Keyczar was originally developed by members of the Google Security Team
and is released under an Apache 2.0 license.
"""

HTH