[pycrypto] Pickling AES cipher objects - any reasons not to support this?
helderijs at gmail.com
Mon Jan 14 10:14:19 PST 2013
> >>> import pickle
> >>> from Crypto.Cipher import AES
> >>> cipher = AES.new('mysecret'*2)
> >>> dump=pickle.dumps(cipher)
> PicklingError: Can't pickle '_AES' object: <_AES object at 0x1fe0bd0>
> I wonder if there are any fundamental reasons why pickling cipher objects
> be pickled? Otherwise I would look into implementing pickling support for
> cipher objects.
> I would presume that storing cipher object is safer (would it be?)
> than storing an encryption key used to create the cipher object.
Pickling a cipher object is actually less secure.
First, it cannot be more secure because anybody can easily find back the
key from the pickled blob.
Second - and with the only exception of ECB mode - a cipher object is
always stateful: it depends on the key, but also on the IV/nonce, and on
the data you have processed so far. Pickling will make only sense if the
encryption process has to be paused half-way so tat it can be resumed at a
later moment. Not really a common use case.
Pickling a cipher and reusing later for a totally different encryption will
lead to IV/nonce reuse, which is definitely bad, especially for stream
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pycrypto