[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
Lorenz Quack
don at amberfisharts.com
Mon Jan 3 13:43:48 CST 2011
Hey,
A quick Google Code Search for "ElGamal lang:python" revealed three different package types.
The first category use pycrypto:
* http://www.freenet.org.nz/ezPyCrypto/
* http://angelapp.missioneternity.org/
they bundle ezPyCrypto
* http://dyuri.horak.hu/frenC/
site is in Hungarian, but they seem to bundle ezPyCrypto in their snapshots
* http://code.google.com/p/cdna/
* https://github.com/linuxmint/mint4win
* github.com/kichkasch/ioids
via ezPyCrypto
* various projects include it via Google's App Engine. However, I don't know if they actually use it.
* http://code.google.com/p/inmszhuce/
* http://codespeak.net/svn/user/arigo/hack/pkcrypto/
The second category simply bundles a version of pycrypto:
* http://code.google.com/p/gdata-python-client/
includes pycrypto-2.0.1
* http://code.google.com/p/jsunpack-n/
includes pycrypto-2.1
* http://code.google.com/appengine/docs/python/tools/libraries.html
seems to be based on pycrypto-2.0.1
The third category implement ElGamal themselves:
* https://github.com/benadida/jscrypto
also many other github projects by the same user
* https://github.com/digitaldragoon/referenda
* http://code.google.com/p/cryptoworkflow/
Category 1 should be the most important IMHO.
Of course this list comes without warranty.
I hope this is helpful.
Cheers,
Lorenz
On 01/03/2011 05:54 PM, Dwayne C. Litzenberger wrote:
> +1
>
> Could someone volunteer to do a quick survey of publicly available code that uses PyCrypto to see who (if anyone) is actually using Crypto.PublicKey.ElGamal?
>
> "Paul Hoffman"<paul.hoffman at gmail.com> wrote:
>
>> On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx<zooko at zooko.com>
>> wrote:
>>> Folks:
>>>
>>> We need to decide what to do when we find flaws in PyCrypto which
>>> would expose a user who relies on PyCrypto to harm.
>>>
>>> It wouldn't hurt to send an announcement email in some consistent
>>> format saying something like "security advisory" in the subject line,
>>> and to update the download page or a NEWS page or whatever to warn
>>> about the insecure Elgamal implementation.
>>>
>>> Perhaps also delete, comment-out, or disable the Elgamal
>>> implementation and ship a new release of PyCrypto.
>>>
>>> It really makes me uncomfortable to see the PyCrypto project ship
>>> software to users which claims on the label that they can rely on it
>>> when we know that if they do, they may be exposed to harm.
>>
>> +1 to commenting out or disabling things which anyone has serious
>> security concerns over.
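The survey Dwayne asked for above was done by hand with a code search. The following is an added example, not code from the thread or from the pycrypto project, that does the same survey over a local source tree with Python's ast module: it flags every import form that reaches Crypto.PublicKey.ElGamal, and (following the thread's observation that several projects get ElGamal via ezPyCrypto) also flags imports of that wrapper. The module and wrapper names come from the thread; the sample sources and the scan_tree/scan_sources helpers are constructed for this example. One caveat a practitioner should expect: much 2011-era code is Python 2 and will not parse under a Python 3 ast, so such files are reported as unparsed rather than silently skipped.

```python
"""
Scan Python source for imports that reach PyCrypto's Crypto.PublicKey.ElGamal.

Added example; not from the pycrypto project or the mailing-list thread.
The sample sources in SAMPLES are constructed for this example.
"""
import ast
import os
from typing import Dict, List, Tuple

# Module we want to find users of, plus a wrapper known (from the thread)
# to bundle pycrypto's ElGamal. Both names are assumptions for this example.
TARGET = "Crypto.PublicKey.ElGamal"
WRAPPERS = {"ezPyCrypto"}


def elgamal_imports(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, statement) pairs for imports that reach ElGamal.

    Covers:
      import Crypto.PublicKey.ElGamal [as x]
      from Crypto.PublicKey import ElGamal [, ...]
      from Crypto.PublicKey import *            (flagged for manual review)
      from Crypto.PublicKey.ElGamal import ...
      import ezPyCrypto / from ezPyCrypto import ...   (bundled wrapper)
    Raises SyntaxError if the file does not parse (e.g. Python 2 code).
    """
    hits: List[Tuple[int, str]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == TARGET or alias.name in WRAPPERS:
                    hits.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if node.level:  # relative import inside the scanned project; skip
                continue
            mod = node.module or ""
            if mod == TARGET or mod in WRAPPERS:
                names = ", ".join(a.name for a in node.names)
                hits.append((node.lineno, f"from {mod} import {names}"))
            elif mod == "Crypto.PublicKey":
                for alias in node.names:
                    if alias.name == "ElGamal":
                        hits.append((node.lineno, f"from {mod} import ElGamal"))
                    elif alias.name == "*":
                        hits.append((node.lineno,
                                     f"from {mod} import * (star import; check for ElGamal use by hand)"))
    return hits


def scan_sources(sources: Dict[str, str]):
    """Scan a {filename: source} mapping. Returns (hits, unparsed)."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    unparsed: List[str] = []
    for name, src in sources.items():
        try:
            found = elgamal_imports(src, name)
        except SyntaxError:
            unparsed.append(name)  # likely Python 2; needs a manual look
            continue
        if found:
            hits[name] = found
    return hits, unparsed


def scan_tree(root: str):
    """Walk a directory, read every .py file, and scan it."""
    sources: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".py"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


# Constructed sample inputs covering the cases above.
SAMPLES = {
    "direct.py": "from Crypto.PublicKey import ElGamal, RSA\nk = ElGamal.generate(1024, None)\n",
    "deep.py": "import Crypto.PublicKey.ElGamal as eg\n",
    "wrapper.py": "import ezPyCrypto\n",
    "clean.py": "from Crypto.PublicKey import RSA\nfrom Crypto.Cipher import AES\n",
    "py2.py": "print 'hello'\nfrom Crypto.PublicKey import ElGamal\n",
}

if __name__ == "__main__":
    found_hits, not_parsed = scan_sources(SAMPLES)
    for name, found in sorted(found_hits.items()):
        for line, stmt in found:
            print(f"{name}:{line}: {stmt}")
    for name in not_parsed:
        print(f"{name}: could not parse (Python 2 syntax?), review by hand")
```

Run scan_tree on a checkout (or on a vendored copy of pycrypto inside another project, the second category in the survey) to get the same file:line report. Dynamic uses such as __import__("Crypto.PublicKey.ElGamal") are not caught by the AST import walk, so a grep for the string "ElGamal" is a useful second pass.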