There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Transcription

1 1

2 There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has unpatched buffer-overflow vulnerabilities. New projects should avoid pycrypto package. pyopenssl is an OpenSSL wrapper focused on SSL/TLS connections. It does not offer cryptography primitives, e.g., AES. The M2Crypto is a complete OpenSSL wrapper, offering SSL/TLS connections as well as cryptographic primitives. It needs to installa Visual Studio 9.0 on Windows platforms. The cryptography package is currently maintained and well-documented, and offers many cryptographic primitives. 2

3 The cryptography package can be installed with pip, as well as with the conda/anaconda package manager. The package offers functions divided into two layers. The recipes layer contains high-level functions which are simple to use but not flexible. This layer includes Fernet, which is a simple encryption and authentication mechanism with symmetric cryptography internally developed by Heroku, and routines for X.509, which is a widely used standard for public key certificates and other public key concepts. The hazardous materials layer contains low-level functions which are highly flexible. This layer includes symmetric encryption (AES, etc.), message digests (SHA-2, etc.), authentication codes (HMAC), and asymmetric cryptography (RSA, etc.). 3

4 The logical representation of an encryption operation is a function which takes a key and a variable-sized plaintext as input, and returns a variable-sized ciphertext as output. Implementing encryption in this way is not efficient neither practical. It is not efficient because if the plaintext is big, we have to maintain in memory a big quantity of data at once. It is not practical because sometimes we do not have the entire plaintext at the time we must encrypt it. This is typical in encrypted communications. The majority of cryptographic libraries use incremental functions, which update an encryption context step-by-step. 4

5 This slide shows the pseudo-code representation of an incremental encryption operation. We must first create the context, giving the various parameters (ciphering algorithm, mode, key, initialization vector). Then we give a series of plaintext fragments to the context (context update). The context gives back a series of ciphertext fragments. Finally, we finalize the context, retrieving the last ciphertext fragment. The decryption operation is done in the same fashion. 5

6 This slide shows how to encrypt and decrypt with the cryptography package. In the context creation, we must specify the ciphering algorithm, the mode, the key, and the initialization vector. Cryptographic primitives are rarely implemented directly with the Python language. They are usually implemented by means of low-level C libraries. A backend is an implementation of a cryptographic primitive. default_backend() represents the default implementation which depends on the operative system (usually the low-level OpenSSL library). The plaintext and the ciphertext fragments are of type bytes. The ciphertext fragments must be concatenated to obtain the complete ciphertext. 6

7 Block-based modes (like ECB and CBC) always return fragments multiple of the block, in encryption as well as in decryption. Thus, if we perform a context update of 2 bytes with AES-CBC, the output ciphertext fragment will be 0 bytes, and the 2 bytes will be temporarily stored inside the context, and used for the successive context updates. In ECB and CBC modes, the final fragment returned by the context finalize is always 0 bytes. However, it is recommended to process the final fragment anyway, for compatibility with other modes. 7

8 The most common ciphering algorithms are available, among which: AES, DES (now obsolete), and 3DES (secure butslow compared to AES). The most common modes are available, among which: ECB (vulnerable to dictionary attacks) and CBC. 8

9 This slide shows functions regarding the block size and the key size of a ciphering algorithm. 9

10 The random module is capable of generating random numbers following various distribution (e.g., Gaussian distribution). However, the generated numbers are not guaranteed to be unpredictable. Therefore, this module should not be used for cryptographic purposes. Modern operative systems generate pseudo-random numbers by gathering inputs from external sources (keyboard, mouse, network), which are considered to be unpredictable, and hashing them. The os.urandom() retrieves pseudo-random numbers generated by the operative system, by means of the /dev/urandom file in Unix, or the CryptGenRandom primitive in Windows. 10

11 Padding is a technique which extends a message to make it multiple of the block size. The most common padding format is PKCS#7, which appends N bytes (with N between 1 and block_size), each of value N. 11

12 In the cryptography package, the PKCS#7 padding and the unpadding operations are implemented with a context, like it is done for encryption. In the padding operation, the context finalization returns the last fragment including the padding. In the unpadding operation, the context finalization checks for the validity of the padding format, and raises an error if theformat is wrong. 12

13 13

14 14

15 15

16 16