[pycrypto] Pycrypto question.

Lorenz Quack don at amberfisharts.com
Thu May 6 09:28:41 CST 2010


Hi again.

1) I don't think os.urandom is cryptographically strong either. Of course it depends on the actual OS used but I don't 
know of any OS which comes with a cryptographically strong PRNG by default.

2) General wisdom (I didn't benchmark this myself) is that symmetric en-/decryption is faster than asymmetric 
algorithms. AFAIK that's the main reason a common pattern is to use a symmetric key and only use RSA to distribute that 
key. From a more practical angle: The symmetric cyphers in PyCrypto are set up to encrypt any message as long as it is a 
multiple of the block size (which often corresponds to the key size). The asymmetric cyphers on the other hand only 
en-/decrypt a message which is shorter than the key. So if you really want to use RSA for longer messages you would have 
to chop the messages into blocks yourself and feed those to the encrypt() method.

cheers
//Lorenz



On 05/05/2010 07:05 PM, jd wrote:
> Thanks this helps clarify few things.
>
> Couple of questions.
> 1. I am on older version of pycrypto, can I simply use os.urandom for random # ?
> 2. Do I really need a separate block encryption for the message ?
>
>     I know this may sound strange.. but asymmetric keys gives you ability to encrypt right ? So is there a big problem .. using it in the following manner ?
>
>     x=RSAkey.decrypt("Foo Bar")  # This will use the private key
>
>     pub = RSAkey.publickey()
>     pub.encrypt(x,0)   # This will use the public key and give me "Foo Bar" back.
>
>     Any restriction on the content being encrypted /decrypted ?
>
> Thanks for awesome response.
> /Jd
>
>
> --- On Tue, 5/4/10, Lorenz Quack<don at amberfisharts.com>  wrote:
>
>> From: Lorenz Quack<don at amberfisharts.com>
>> Subject: Re: [pycrypto] Pycrypto question.
>> To: "PyCrypto discussion list"<pycrypto at lists.dlitz.net>
>> Date: Tuesday, May 4, 2010, 12:00 PM
>> Hi jd,
>>
>> some time ago I wrote a small module which provided me with
>> an API that suited me better than that of PyCrypto.
>> I attached a slightly modified version of it. I also added
>> a short example to the end of it. I hope you can find the
>> information you want in there.
>>
>> Concerning the documentation: I agree, it could be
>> improved. I think you were looking for this [1].
>>
>> Concerning the import of externally generated keys: I think
>> this came up before on the list or bug tracker.
>> AFAIK, it is not directly supported by PyCrypto. However,
>> you can create a key pair from a tuple of numbers
>> (for example the public and private exponent and the
>> modulus). This is done with construct function [2].
>> You just have to find a way to get to those numbers of your
>> externally generated keys.
>>
>> I probably should also point out that the usage of
>> RandomPool is strongly discouraged [3] and that there is a
>> Random
>> module in PyCrypto-2.1 that you should use instead.
>>
>> sincerely yours
>> //Lorenz
>>
>> [1] http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.pubkey.pubkey-class.html
>> [2] http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.RSA-module.html
>> [3] http://lists.dlitz.net/pipermail/pycrypto/2008q3/000000.html
>>
>>
>>
>> On 05/04/2010 07:04 PM, jd wrote:
>>> Thanks for the response. (Sorry ..for late response. Somehow this went in to my spam folder.)
>>>
>>> Yes, I indeed want to use private key to encrypt (oops.. sign) and decrypt (verify) using public/private key pairs.
>>>
>>> Would anyone point to the example usage/pseudo code that I can try out.
>>>
>>> Didn't find method details over here.
>>> http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.RSA-module.html
>>>
>>> I am assuming that the intent is clear from the example.
>>> Some Text ===>   Encrypt (optionally) sign (using private key) ===>   encrypted message
>>> encrypted message ==>   (optionally) Verify and decrypt (using public key) ==>   original message (Some Text)
>>>
>>> Also, would appreciate if instead of generating keys as in sample program, is there a way to use public/private keys used by ssh-keygen -t rsa.
>>>
>>> Help is much appreciated.
>>> Thanks
>>>
>>> /Jd
>>>
>>>
>>> --- On Sun, 5/2/10, Lorenz Quack<don at amberfisharts.com> wrote:
>>>
>>>> From: Lorenz Quack<don at amberfisharts.com>
>>>> Subject: Re: [pycrypto] Pycrypto question.
>>>> To: "PyCrypto discussion list"<pycrypto at lists.dlitz.net>
>>>> Date: Sunday, May 2, 2010, 1:52 PM
>>>> On 05/02/2010 10:36 PM, Glenn Linderman wrote:
>>>>> On 5/2/2010 1:13 PM, Lorenz Quack wrote:
>>>>>> Hi Jd,
>>>>>>
>>>>>> On 05/02/2010 10:02 PM, jd wrote:
>>>>>>
>>>>>>> Hi everyone,
>>>>>>>
>>>>>>> I am trying to implement a simple pub/private key scheme. Want to encrypt bunch of things and decrypt it using public
>>>>>>> key (which will be distributed).
>>>>>>>
>>>>>> You seem to have some misconceptions about how public key cryptography works.
>>>>>> I suggest you (re-)read up on it. Wikipedia will probably cover the basics.
>>>>>> For starters, by definition you use the *public* key for encrypt and the private one for decryption.
>>>>>>
>>>>>
>>>>> Indeed, Wikipedia has an article. And in the first paragraph [1] they
>>>>> describe one use case for encrypting by public key, and decrypting by
>>>>> private key, and another use case for encrypting by private key, and
>>>>> decrypting by public key. It might be appropriate to figure out what use
>>>>> case the OP has before declaring definitions for a particular use case.
>>>>> Now as far as what the APIs are called, that might be a different story :)
>>>>>
>>>>> [1] *Public-key cryptography* is a cryptographic
>>>>> <http://en.wikipedia.org/wiki/Cryptography> approach which involves the
>>>>> use of asymmetric key algorithms instead of or in addition to symmetric
>>>>> key algorithms<http://en.wikipedia.org/wiki/Symmetric_key_algorithm>.
>>>>> Unlike symmetric key algorithms, it does not require a secure
>>>>> <http://en.wikipedia.org/wiki/Secure_channel> initial exchange
>>>>> <http://en.wikipedia.org/wiki/Key_exchange> of one or more secret keys
>>>>> <http://en.wikipedia.org/wiki/Secret_key> to both sender and receiver.
>>>>> The asymmetric key algorithms are used to create a mathematically
>>>>> related key pair: a secret private key and a published public key. Use
>>>>> of these keys allows protection of the authenticity
>>>>> <http://en.wikipedia.org/wiki/Authenticity> of a message by creating a
>>>>> digital signature<http://en.wikipedia.org/wiki/Digital_signature> of a
>>>>> message using the private key, which can be verified using the public
>>>>> key. It also allows protection of the confidentiality
>>>>> <http://en.wikipedia.org/wiki/Confidentiality> and integrity
>>>>> <http://en.wikipedia.org/wiki/Integrity> of a message, by public key
>>>>> encryption<http://en.wikipedia.org/wiki/Encryption>, encrypting the
>>>>> message using the public key, which can only be decrypted using the
>>>>> private key.
>>>>>
>>>>
>>>> Granted "definition" may have been a poor choice of word.
>>>> But AFAIK the use case of "encrypting" via the private key is generally called signing.
>>>> So I assumed that the OP had the wrong idea about how the scheme is used because he didn't
>>>> use the generally accepted terminology. If that was presumptuous I hereby apologize.
>>>>
>>>> So, to come back to the OP's question:
>>>> if you use an RSA key to encrypt a message like you did in your example internally it uses the public
>>>> part of the key pair for encryption. You would then have to use the private part to decrypt it.
>>>> If on the other hand you really want to encrypt with the private part and decrypt with the public part
>>>> then know that this is usually referred to as signing and verifying (verification?).
>>>> There is also an API for this in PyCrypto.
>>>>
>>>> Hope this is clearer and more helpful than my last message.
>>>>
>>>> have a nice day
>>>> //Lorenz
>>
>>
>> -----Inline Attachment Follows-----
>>
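
The length limit from point 2 of the reply and jd's private-then-public round trip, as an added example that is not part of the thread and does not use PyCrypto: textbook RSA on Python integers. The key is a constructed 150-bit toy key with no padding, and all function names are assumptions made for this illustration.

```python
# Added example, not PyCrypto code: textbook RSA on integers, no padding.
# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # 150-bit modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

BLOCK = (N.bit_length() - 1) // 8      # largest byte count whose value is always < N


def public_op(m: int) -> int:
    """Public-key operation (raw encrypt / verify)."""
    return pow(m, E, N)


def private_op(c: int) -> int:
    """Private-key operation (raw decrypt / sign)."""
    return pow(c, D, N)


def private_then_public(msg: bytes) -> bytes:
    """jd's order: private-key operation first, public-key operation second."""
    m = int.from_bytes(msg, "big")
    return public_op(private_op(m)).to_bytes(len(msg), "big")


def encrypt_blocks(msg: bytes) -> list:
    """Chop msg into BLOCK-byte pieces and apply the public key to each."""
    return [public_op(int.from_bytes(msg[i:i + BLOCK], "big"))
            for i in range(0, len(msg), BLOCK)]


def decrypt_blocks(blocks: list, length: int) -> bytes:
    """Inverse of encrypt_blocks; length restores leading zero bytes."""
    out = b""
    for k, c in enumerate(blocks):
        size = min(BLOCK, length - k * BLOCK)
        out += private_op(c).to_bytes(size, "big")
    return out


if __name__ == "__main__":
    print(private_then_public(b"Foo Bar"))               # survives: value < N
    print(private_then_public(b"A" * 32) == b"A" * 32)   # too long: reduced mod N
    msg = b"a message longer than one RSA block!"
    print(decrypt_blocks(encrypt_blocks(msg), len(msg)) == msg)
    same = encrypt_blocks(b"A" * 36)                      # two identical plaintext blocks
    print(same[0] == same[1])                             # unpadded RSA is deterministic
```

Per-block raw RSA costs one modular exponentiation per block and maps equal plaintext blocks to equal ciphertext blocks, which is why the pattern described in the reply encrypts the message with a symmetric cipher and uses RSA only for the short symmetric key.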

