PyCrypto-based authenticated encryption using AES-CBC and HMAC-SHA256. This class only supports shared secret encryption. Look elsewhere for public key encryption.
Download
Copy to clipboard1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 | # PyCrypto-based authenticated symetric encryption
import cPickle as pickle
import hashlib
import hmac
import os
from Crypto.Cipher import AES
class AuthenticationError(Exception): pass
class Crypticle(object):
"""Authenticated encryption class
Encryption algorithm: AES-CBC
Signing algorithm: HMAC-SHA256
"""
PICKLE_PAD = "pickle::"
AES_BLOCK_SIZE = 16
SIG_SIZE = hashlib.sha256().digest_size
def __init__(self, key_string, key_size=192):
self.keys = self.extract_keys(key_string, key_size)
self.key_size = key_size
@classmethod
def generate_key_string(cls, key_size=192):
key = os.urandom(key_size / 8 + cls.SIG_SIZE)
return key.encode("base64").replace("\n", "")
@classmethod
def extract_keys(cls, key_string, key_size):
key = key_string.decode("base64")
assert len(key) == key_size / 8 + cls.SIG_SIZE, "invalid key"
return key[:-cls.SIG_SIZE], key[-cls.SIG_SIZE:]
def encrypt(self, data):
"""encrypt data with AES-CBC and sign it with HMAC-SHA256"""
aes_key, hmac_key = self.keys
pad = self.AES_BLOCK_SIZE - len(data) % self.AES_BLOCK_SIZE
data = data + pad * chr(pad)
iv_bytes = os.urandom(self.AES_BLOCK_SIZE)
cypher = AES.new(aes_key, AES.MODE_CBC, iv_bytes)
data = iv_bytes + cypher.encrypt(data)
sig = hmac.new(hmac_key, data, hashlib.sha256).digest()
return data + sig
def decrypt(self, data):
"""verify HMAC-SHA256 signature and decrypt data with AES-CBC"""
aes_key, hmac_key = self.keys
sig = data[-self.SIG_SIZE:]
data = data[:-self.SIG_SIZE]
if hmac.new(hmac_key, data, hashlib.sha256).digest() != sig:
raise AuthenticationError("message authentication failed")
iv_bytes = data[:self.AES_BLOCK_SIZE]
data = data[self.AES_BLOCK_SIZE:]
cypher = AES.new(aes_key, AES.MODE_CBC, iv_bytes)
data = cypher.decrypt(data)
return data[:-ord(data[-1])]
def dumps(self, obj, pickler=pickle):
"""pickle and encrypt a python object"""
return self.encrypt(self.PICKLE_PAD + pickler.dumps(obj))
def loads(self, data, pickler=pickle):
"""decrypt and unpickle a python object"""
data = self.decrypt(data)
# simple integrity check to verify that we got meaningful data
assert data.startswith(self.PICKLE_PAD), "unexpected header"
return pickler.loads(data[len(self.PICKLE_PAD):])
if __name__ == "__main__":
# usage example
key = Crypticle.generate_key_string()
data = {"dict": "full", "of": "secrets"}
crypt = Crypticle(key)
safe = crypt.dumps(data)
assert data == crypt.loads(safe)
print "encrypted data:"
print safe.encode("base64")
|
This code was influenced by Kyle's comment (apparently adapted from Google's keyczar) here: http://www.codekoala.com/blog/2009/aes-encryption-python-using-pycrypto/
I also learned how to do HMAC signing with Python here: http://snipplr.com/view/15262/python-sign-data-via-hmac/
A possible enhancement would be to implement a streaming protocol to allow encryption of data-sets larger than available RAM.
[update] Default to AES-192 instead of AES-256. Switched from PyCrypto's RandomPool (apparently broken) to os.urandom. Moved module-level constants to class level to make them easier to override. Credit for these updates goes to the individuals who commented on this comp.lang.python thread: http://groups.google.com/group/comp.lang.python/browse_thread/thread/26ef2de83c5a0337
I would really recommend against os.urandom, since on it sacrifices randomness for speed by using /dev/urandom on *nixes. I am not aware of any problems with PyCryptos Random and I would expect it to use the appropriate primitives on each OS (like /dev/random or CryptGenRandom)
Also, I would advise to use a constant time string comparison when checking the HMAC rather than == to thwart timing attacks. See some details here: http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
Also, Python 3 contains this in the stdlib (hmac.compare_digest), but it isn't present in Python 2.