[pycrypto] Pycrypto question.

jd jdsw2002 at yahoo.com
Thu May 6 10:51:15 CST 2010


Thanks for the explanation.
Makes sense.

So the flow looks like.

Plain text --> encrypt using Symmetric Key --> sign using private key -->Signed encrypted message

On the other hand
Signed encrypted message--> verify using public key --> decrypt using Symmetric key --> Plain message.

one thing that is not clear.. is if using symmetric key for encryption.. then on the other side.. we will need that value along with public key to get the message back. Is symmetric key also made part of the payload ?

( May be I will take another look at the example. )

Thanks
/Jd


--- On Thu, 5/6/10, Lorenz Quack <don at amberfisharts.com> wrote:

> From: Lorenz Quack <don at amberfisharts.com>
> Subject: Re: [pycrypto] Pycrypto question.
> To: "PyCrypto discussion list" <pycrypto at lists.dlitz.net>
> Date: Thursday, May 6, 2010, 8:28 AM
> Hi again.
> 
> 1) I don't think os.urandom is cryptographically strong
> either. Of course it depends on the actual OS used but I
> don't 
> know of any OS which comes with a cryptographically strong
> PRNG by default.
> 
> 2) General wisdom (I didn't benchmark this myself) is that
> symmetric en-/decryption is faster than asymmetric 
> algorithms. AFAIK that's the main reason a common pattern
> is to use a symmetric key and only use RSA to distribute
> that 
> key. From a more practical angle: The symmetric cyphers in
> PyCrypto are set up to encrypt any message as long as it is
> a 
> multiple of the block size (which often corresponds to the
> key size). The asymmetric cyphers on the other hand only 
> en-/decrypt a message which is shorter that the key. So If
> you really want to use RSA for longer messages you would
> have 
> to chop the messages into blocks yourself and feed those to
> the encrypt() method.
> 
> cheers
> //Lorenz
> 
> 
> 
> On 05/05/2010 07:05 PM, jd wrote:
> > Thanks this helps clarify few things.
> >
> > Couple od questions.
> > 1. I am on older version of pycrypto, can I simply use
> os.urandom for random # ?
> > 2. Do I really need a separate block encryption for
> the message ?
> >
> >     I know this may sound
> strange.. but asymmetric keys gives you ability to encrypt
> right ? So is there a big problem .. using it in the
> following manner ?
> >
> >     x=RSAkey.decrypt("Foo
> Bar")  # This will use the private key
> >
> >     pub = RSAkey.publickey()
>>    pub.encrypt(x,0)   # This
> will use the public key and give me "Foo Bar" back.
> >
> >     Any restriction on the content
> being encrypted /decrypted ?
> >
> > Thanks for awesome response.
> > /Jd
> >
> >
> > --- On Tue, 5/4/10, Lorenz Quack<don at amberfisharts.com> wrote:
> >
> >> From: Lorenz Quack<don at amberfisharts.com>
> >> Subject: Re: [pycrypto] Pycrypto question.
> >> To: "PyCrypto discussion list"<pycrypto at lists.dlitz.net>
> >> Date: Tuesday, May 4, 2010, 12:00 PM
> >> Hi jd,
> >>
> >> some time ago I wrote a small module which
> provided me with
> >> a API that suited me better than that of
> PyCrypto.
> >> I attached a slightly modified version of it. I
> also added
> >> a short example to the end of it. I hope you can
> find the
> >> information you want in there.
> >>
> >> Concerning the documentation: I agree, it could
> be
> >> improved. I think you were looking for this [1].
> >>
> >> Concerning the import of externally generated
> keys: I think
> >> this came up before on the list or bug tracker.
> >> AFAIK, it is not directly supported by PyCrypto.
> However,
> >> you can create a key pair from a tuple of numbers
> >> (for example the public and private exponent and
> the
> >> modulus). This is done with construct function
> [2].
> >> You just have to find a way to get to those
> numbers of your
> >> externally generated keys.
> >>
> >> I probably should also point out that the usage
> of
> >> RandomPool is strongly discouraged [3] and that
> there is a
> >> Random
> >> module in PyCrypto-2.1 that you should use
> instead.
> >>
> >> sincerely yours
> >> //Lorenz
> >>
> >> [1] http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.pubkey.pubkey-class.html
> >> [2] http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.RSA-module.html
> >> [3] http://lists.dlitz.net/pipermail/pycrypto/2008q3/000000.html
> >>
> >>
> >>
> >> On 05/04/2010 07:04 PM, jd wrote:
> >>> Thanks for the response.(Sorry ..for late
> response.
> >> Somehow this went in to my spam folder.)
> >>>
> >>> Yes, I indeed want to use private key to
> encrypt
> >> (oops.. sign) and decrypt (verify) using
> public/private key
> >> pairs.
> >>>
> >>>
> >>> Would anyone point to the example usage/pseudo
> code
> >> that I can try out.
> >>>
> >>> Didnt find method details over here.
> >>> http://www.dlitz.net/software/pycrypto/apidoc/Crypto.PublicKey.RSA-module.html
> >>>
> >>> I am assuming that the intent is clear from
> the
> >> example.
> >>> Some Text ===>   Encrypt
> (optionally) sign
> >> (using private key)
> ===>   encrypted message
> >>> encrypted message
> ==>   (optionally) Verify and
> >> decrypt (using public key)
> ==>   original message
> >> (Some Text)
> >>>
> >>> Also, would appreciate if instead of
> generating keys
> >> as in sample program, is there a way to use
> publick/private
> >> keys used by ssh-keygen -t rsa.
> >>>
> >>> Help is much appreciated.
> >>> Thanks
> >>>
> >>>
> >>>
> >>>
> >>> /Jd
> >>>
> >>>
> >>> --- On Sun, 5/2/10, Lorenz Quack<don at amberfisharts.com>
> >> wrote:
> >>>
> >>>> From: Lorenz Quack<don at amberfisharts.com>
> >>>> Subject: Re: [pycrypto] Pycrypto
> question.
> >>>> To: "PyCrypto discussion list"<pycrypto at lists.dlitz.net>
> >>>> Date: Sunday, May 2, 2010, 1:52 PM
> >>>> On 05/02/2010 10:36 PM, Glenn
> >>>> Linderman wrote:
> >>>>> On 5/2/2010 1:13 PM, Lorenz Quack
> wrote:
> >>>>>> Hi Jd,
> >>>>>>
> >>>>>> On 05/02/2010 10:02 PM, jd wrote:
> >>>>>>
> >>>>>>> Hi everyone,
> >>>>>>>
> >>>>>>> I am trying to implement a
> simple
> >> pub/private
> >>>> key scheme. Want to encrypt bunch of
> things and
> >> decrypt it
> >>>> using public
> >>>>>>> key (which will be
> distributed).
> >>>>>>>
> >>>>>> You seem to have some
> misconceptions about
> >> how
> >>>> public key cryptography works.
> >>>>>> I suggest you (re-)read up on it.
> >> Wikipedia will
> >>>> probably cover the basics.
> >>>>>> For starters, by definition you
> use the
> >> *public*
> >>>> key for encrypt and the privat one for
> >> decryption.
> >>>>>>
> >>>>>
> >>>>> Indeed, Wikipedia has an article. And
> in the
> >> first
> >>>> paragraph [1] they
> >>>>> describe one use case for encrypting
> by public
> >> key,
> >>>> and decrypting by
> >>>>> private key, and another use case for
> >> encrypting by
> >>>> private key, and
> >>>>> decrypting by public key. It might be
> >> appropriate to
> >>>> figure out what use
> >>>>> case the OP has before declaring
> definitions
> >> for a
> >>>> particular use case.
> >>>>> Now as far as what the APIs are
> called, that
> >> might be
> >>>> a different story :)
> >>>>>
> >>>>> [1] *Public-key cryptography* is a
> >> cryptographic
> >>>>> <http://en.wikipedia.org/wiki/Cryptography>
> >> approach
> >>>> which involves the
> >>>>> use of asymmetric key algorithms
> instead of or
> >> in
> >>>> addition to symmetric
> >>>>> key algorithms<http://en.wikipedia.org/wiki/Symmetric_key_algorithm>.
> >>>>> Unlike symmetric key algorithms, it
> does not
> >> require a
> >>>> secure
> >>>>> <http://en.wikipedia.org/wiki/Secure_channel>
> >> initial
> >>>> exchange
> >>>>> <http://en.wikipedia.org/wiki/Key_exchange>   of
> >> one or
> >>>> more secret keys
> >>>>> <http://en.wikipedia.org/wiki/Secret_key>   to
> >> both
> >>>> sender and receiver.
> >>>>> The asymmetric key algorithms are used
> to
> >> create a
> >>>> mathematically
> >>>>> related key pair: a secret private key
> and a
> >> published
> >>>> public key. Use
> >>>>> of these keys allows protection of
> the
> >> authenticity
> >>>>> <http://en.wikipedia.org/wiki/Authenticity>   of
> >> a
> >>>> message by creating a
> >>>>> digital signature<http://en.wikipedia.org/wiki/Digital_signature>
> >> of
> >>>> a
> >>>>> message using the private key, which
> can be
> >> verified
> >>>> using the public
> >>>>> key. It also allows protection of the
> >> confidentiality
> >>>>> <http://en.wikipedia.org/wiki/Confidentiality>
> >> and
> >>>> integrity
> >>>>> <http://en.wikipedia.org/wiki/Integrity>   of
> a
> >>>> message, by public key
> >>>>> encryption<http://en.wikipedia.org/wiki/Encryption>,
> >> encrypting
> >>>> the
> >>>>> message using the public key, which
> can only
> >> be
> >>>> decrypted using the
> >>>>> private key.
> >>>>>
> >>>>
> >>>> Granted "definition" may have been a poor
> choice
> >> of word.
> >>>> But AFAIK the use case of "encrypting" via
> the
> >> private key
> >>>> is generally called signing.
> >>>> So I assumed that the OP had the wrong
> idea about
> >> how the
> >>>> scheme is used because he didn't
> >>>> use the generally accept terminology. If
> that was
> >>>> presumptuous I hereby apologize.
> >>>>
> >>>> So, to come back to the OPs question:
> >>>> if you use a RSA key to encrypt a message
> like you
> >> did in
> >>>> your example internally it uses the
> public
> >>>> part of the key pair for encryption. you
> would
> >> then have to
> >>>> use the private part to decypt it.
> >>>> If on the other hand you really want to
> encrypt
> >> with the
> >>>> private part and decrypt with the public
> part
> >>>> then know that this is usually refered to
> as
> >> signing and
> >>>> verifying (verification?).
> >>>> There is also and API for this in
> PyCrypto.
> >>>>
> >>>> Hope this is clearer and more helpful than
> my
> >> last
> >>>> message.
> >>>>
> >>>> have a nice day
> >>>> //Lorenz
> >>
> >>
> >> -----Inline Attachment Follows-----
> >>
> _______________________________________________
> pycrypto mailing list
> pycrypto at lists.dlitz.net
> http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto
> 


      


More information about the pycrypto mailing list