path: root/lib/Crypto/Cipher
Commit message | Author | Age | Files | Lines
* Make Cipher.galois module private | Legrandin | 2014-06-22 | 1 | -4/+4

* Make GHASH more robust against timing attacks. | Legrandin | 2014-06-22 | 1 | -8/+5

    In order to speed up the GHASH as much as possible, the current implementation expands the 16 byte hash key (H) into a table of 64 KBytes. However, that is sensitive to cache-based timing attacks.

    If we assume that access to data inside the same cache line is constant-time (likely), fitting a table item into a cache line may help against the attacks.

    This patch reduces the pre-computed table from 64K to 4K and aligns every item to a 32 byte boundary (since most modern CPUs have cache lines of that size or larger).

    This patch will reduce the overall performance.

    This patch also reverts commit 965871a727 ("GCM mode: Optimize key setup for GCM mode") since I actually got conflicting benchmark results.

* Fixed sentence in CCM example | Legrandin | 2014-02-21 | 1 | -2/+3
* Rename S2V -> _S2V until we come up with a real PRF API | Dwayne Litzenberger | 2013-10-20 | 1 | -2/+2

* Make MODE_OPENPGP accept uppercase 'IV' parameter. | Dwayne Litzenberger | 2013-10-20 | 1 | -1/+8

    This is for consistency with the rest of PyCrypto.

    Closes: https://bugs.launchpad.net/pycrypto/+bug/1132550

* More ValueError -> TypeError | Dwayne Litzenberger | 2013-10-20 | 1 | -6/+6

* _CBCMAC: Rename ignite() -> _ignite() | Dwayne Litzenberger | 2013-10-20 | 1 | -3/+3

    I don't want to make this a public API just yet.

* Add encrypt_and_digest() and decrypt_and_verify() | Legrandin | 2013-10-20 | 1 | -17/+57

    This patch adds encrypt_and_digest() and decrypt_and_verify() methods to a cipher object. In most cases they are just shortcuts to the existing functions. For SIV mode, decrypt_and_verify() replaces decrypt().

    [dlitz@dlitz.net: Squashed with bugfix commit:]

    Bug in encrypt_and_digest() (all AEAD modes)

    decrypt() was being called instead of encrypt(). Added also a unit test to validate that composition of encrypt_and_digest() and decrypt_and_verify() is the identity function.

    [dlitz@dlitz.net: Included changes from the following commit from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.

    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
* GCM mode: Optimize key setup for GCM mode. | Legrandin | 2013-10-20 | 1 | -5/+8

    GCM mode requires GHASH for 2 different operations: one for the data (AD + ciphertext) and one for the IV.

    Construction of tables to speed-up GHASH is very expensive and it is worth doing only for the data, not for the IV.

    This patch ensures that the GHASH for the IV does not use tables, with a ~40% faster key setup.

    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]

* GCM mode: Optimize GCM speed with pre-computed tables. | Legrandin | 2013-10-20 | 1 | -4/+5

    Tables take 64 KBytes per key. Encryption performance is more than doubled (29 MBps vs 8 MBps for AES128). As a drawback, key setup is much slower (1300 key/s on the same machine).

    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
    [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]

* Add support for GCM mode (AES only). | Legrandin | 2013-10-20 | 2 | -121/+238

    The main change done by this commit is adding support for MODE_GCM (NIST SP 800-38D). Test vectors are included.

    The mode uses a C extension (Crypto.Util.galois._ghash) to compute the GHASH step. The C implementation is the most basic one and it is still significantly (5x) slower than CTR. Optimizations can be introduced using tables (CPU/memory trade-off) or even AES NI instructions on newer x86 CPUs.

    This patch also simplifies Crypto.Cipher.blockalgo.py by:
    * removing duplicated code previously shared by digest() and verify().
    * removing duplicated code previously shared by Crypto.Hash.CMAC and Crypto.Cipher.block_algo (management of internal buffers for MACs that can only operate on block aligned data, like CMAC, CBCMAC, and now also GHASH).

    [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
    [dlitz@dlitz.net: Replaced renamed variable `ht` with original `h`]
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
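The GHASH arithmetic that the table discussion in this entry, in "GCM mode: Optimize GCM speed with pre-computed tables" and in "Make GHASH more robust against timing attacks" above revolves around, as an added Python example. It is not PyCrypto's code (the project's implementation is the C extension Crypto.Util.galois._ghash); the names gf_mul, build_table, gf_mul_table, ghash and self_check are this example's own. It implements the bit-serial multiplication of SP 800-38D Algorithm 1, a 256-entry (4 KiB) table variant driven by Horner's rule, and GHASH itself, and checks both multipliers against the published GHASH value of the GCM specification's Test Case 2.

```python
"""GHASH over GF(2^128) two ways: the bit-serial reference multiplication of
SP 800-38D (Algorithm 1) and a 256-entry table variant.  Added example for
this page; it is not PyCrypto's Crypto.Util.galois code."""

# x^128 = x^7 + x^2 + x + 1 in GCM's bit-reflected convention: the leftmost
# bit of a 16-byte block is the x^0 coefficient, so the reduction constant
# sits in the top byte of the 128-bit integer.
R = 0xE1 << 120


def gf_mul(x, y):
    """Bit-serial product of two 128-bit integers read as big-endian blocks."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:               # x_i, the coefficient of X^i
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1  # v <- v * X, reduced
    return z


def build_table(h):
    """T[b] = (b placed in the leftmost byte) * H: 256 entries of 16 bytes, 4 KiB.

    One table serves every byte position because the result is shifted between
    lookups; a 64 KiB layout keeps a separate table per position instead.
    """
    return [gf_mul(b << 120, h) for b in range(256)]


def gf_mul_table(x, table):
    """x * H by Horner's rule over the 16 bytes of x.

    Byte j of x contributes T[x_j] * X^(8j).  The lookup index is a byte of
    the multiplicand; in GHASH that multiplicand is (Y_prev XOR data), so from
    the second block on it depends on the secret H.  Which cache line a lookup
    touches is therefore secret-dependent unless every entry shares a line,
    which is what the alignment change in the commit above is about.
    """
    xb = x.to_bytes(16, "big")
    z = table[xb[15]]
    for j in range(14, -1, -1):
        for _ in range(8):                         # z <- z * X^8
            z = (z >> 1) ^ R if z & 1 else z >> 1
        z ^= table[xb[j]]
    return z


def ghash(h, aad, ciphertext, table=None):
    """GHASH_H(A, C): Y_i = (Y_{i-1} XOR X_i) * H over the zero-padded AAD, the
    zero-padded ciphertext and a final block holding both bit lengths."""
    def blocks(data):
        data += b"\x00" * (-len(data) % 16)
        return [data[i:i + 16] for i in range(0, len(data), 16)]

    lengths = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")
    y = 0
    for block in blocks(aad) + blocks(ciphertext) + [lengths]:
        y ^= int.from_bytes(block, "big")
        y = gf_mul_table(y, table) if table is not None else gf_mul(y, h)
    return y.to_bytes(16, "big")


# Public test data from the GCM specification, Test Case 2 (AES-128 with an
# all-zero key, all-zero 96-bit IV and one all-zero plaintext block).
TEST_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E            # H = AES_K(0^128)
TEST_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TEST_GHASH = "f38cbb1ad69223dcc3457ae5b6b0f885"


def self_check():
    """True when both multipliers reproduce the published GHASH value."""
    table = build_table(TEST_H)
    bitwise = ghash(TEST_H, b"", TEST_C).hex()
    tabled = ghash(TEST_H, b"", TEST_C, table).hex()
    return bitwise == TEST_GHASH and tabled == TEST_GHASH


if __name__ == "__main__":
    print("GHASH(H, {}, C) =", ghash(TEST_H, b"", TEST_C).hex())
    print("matches Test Case 2:", self_check())
```

The table's contents depend on H and, after the first block, so does the byte that indexes it; that access pattern is what a cache-timing observer measures. CPython gives no timing guarantees of its own, so the example shows the arithmetic and where the leak arises, not a constant-time implementation.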
* Add support for SIV (Synthetic IV) mode | Legrandin | 2013-10-20 | 2 | -20/+154

    This patch adds support for SIV, an AEAD block cipher mode defined in RFC5297. SIV is only valid for AES.

    The PRF of SIV (S2V) is factored out in the Protocol.KDF module.

    See the following example to get a feeling of the API (slightly different from other AEAD modes during decryption).

    Encryption (Python 2):

    >>> from Crypto.Cipher import AES
    >>> key = b'0'*32
    >>> siv = AES.new(key, AES.MODE_SIV)
    >>> ct = siv.encrypt(b'Message')
    >>> mac = siv.digest()

    Decryption (Python 2):

    >>> from Crypto.Cipher import AES, MacMismatchError
    >>> key = b'0'*32
    >>> siv = AES.new(key, AES.MODE_SIV)
    >>> pt = siv.decrypt(ct + mac)
    >>> try:
    ...     siv.verify(mac)
    ...     print "Plaintext", pt
    ... except MacMismatchError:
    ...     print "Error"

    This change also fixes the description/design of the AEAD API. With SIV (RFC5297), decryption can only start when the MAC is known. The original AEAD API did not support that. For SIV the MAC is now exceptionally passed together with the ciphertext to the decrypt() method.

    [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [d7727fb] Fix description/design of AEAD API.
    - [fb62fae] ApiUsageError becomes TypeError [whitespace]
    - [4ec64d8] Removed last references to ApiUsageError [whitespace]
    - [ee46922] Removed most 'import *' statements
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
    [dlitz@dlitz.net: A conflict that was not resolved in the previous commit was originally resolved here. Moved the resolution to the previous commit.]
    [dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
    [dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]

* Add EAX authenticated encryption mode | Legrandin | 2013-10-20 | 7 | -51/+212

    [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [ca460a7] Made blockalgo.py more PEP-8 compliant; The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.
    [dlitz@dlitz.net: Fixed unresolved conflict in lib/Crypto/Cipher/blockalgo.py]

* Add support for CCM mode (AES only). | Legrandin | 2013-10-20 | 2 | -53/+451

    [dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
    - [5306cf3] Added support for CCM mode (AES cipher only)
    - [9abe301] Added CCM tests
    - [f0c1395] Add MacMismatchError and ApiUsageError
    - [fb62fae] ApiUsageError becomes TypeError
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [4ec64d8] Removed last references to ApiUsageError
    - [80bfd35] Corrected AES-CCM examples
    [dlitz@dlitz.net: Removed unrelated documentation change]
    [dlitz@dlitz.net: Renamed 'targs' back to 'args']
    [dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
* blockalgo: Fix MODE_OPENPGP comment | Legrandin | 2013-10-20 | 1 | -1/+1

    [dlitz@dlitz.net: Extracted from the following commit:]

    commit 5306cf38ba060a70e5397ec48a5cea00c2bf0203
    Author: Legrandin <helderijs@gmail.com>
    Date:   Wed Jan 23 22:37:53 2013 +0100

        Added support for CCM mode (AES cipher only)

* Made blockalgo.py more PEP-8 compliant (pre-AEAD) | Legrandin | 2013-10-20 | 1 | -17/+22

    [dlitz@dlitz.net: Original commit was:]

    commit ca460a79aecdbf6e5973e99f8bdbf3888b6d34d2
    Author: Legrandin <helderijs@gmail.com>
    Date:   Sun Aug 4 22:46:06 2013 +0200

        Made blockalgo.py more PEP-8 compliant

        The second parameter of the _GHASH constructor is now the length of the block (block_size) and not the full module.

    [dlitz@dlitz.net: Included only style-related changes that apply cleanly to the master branch (pre-AEAD)]
    [dlitz@dlitz.net: Omitted functional changes that were made in the author's original commit.]
    [dlitz@dlitz.net: Omitted some changes that broke exception messages onto multiple lines.]
    [dlitz@dlitz.net: Omitted some changes that broke arithmetic expressions onto multiple lines.]

* whitespace changes (pre-AEAD) | Legrandin | 2013-10-20 | 6 | -12/+13

    [dlitz@dlitz.net: Whitespace changes extracted from the author's pull request:]
    - [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
    - [4ec64d8] Removed last references to ApiUsageError
    - [ee46922] Removed most 'import *' statements
* A set of small changes to documentation. | Legrandin | 2013-07-14 | 2 | -3/+3

    * Add table to Crypto.Util package docs
    * Clarify that PKCS#1v1.5 encryption only works on byte strings
    * Clarify that padding is ignored by Cipher classes
    * Clarify that block encrypt() and decrypt() do not respectively add and remove any padding.
    * Clarify what the 'overflow' parameter does (that is, nothing) to the Crypto.Util.Counter class.

* FIX #1177614. Clarify that RSA OAEP only works on byte strings | Legrandin | 2013-07-14 | 1 | -9/+9

    Closes: https://bugs.launchpad.net/pycrypto/+bug/1177614

* Fixed MODE_OFB requiring padding | dev-jjc | 2013-07-14 | 1 | -6/+6

    Closes: https://bugs.launchpad.net/pycrypto/+bug/996193
    Closes: https://github.com/dlitz/pycrypto/pull/26

    [dlitz: Squashed and fixed whitespace.]

* AES-NI support: Python 2.1 Backward compatibility | Dwayne Litzenberger | 2013-04-21 | 1 | -1/+4

    - METH_NOARGS was introduced in Python 2.2.
    - Python 2.1 doesn't have True and False builtins.

* Initial AES-NI support | Sebastian Ramacher | 2013-04-21 | 1 | -1/+24
* Hash: Rename SHA->SHA1 and RIPEMD->RIPEMD160 (1/2) | Dwayne Litzenberger | 2013-02-16 | 1 | -4/+4

    These algorithm names were confusing, because there are actually algorithms called "SHA" (a.k.a. SHA-0) and "RIPEMD" (the original version).

    This commit just renames the modules, with no backward-compatibility support.

* Added ARC4-drop[n] cipher | Legrandin | 2012-06-20 | 1 | -0/+21

* Examples for DES and DES3 were inverted | Legrandin | 2012-06-11 | 2 | -9/+9

* Update docstring. IVs are no longer optional | Stefano Rivera | 2012-05-27 | 6 | -12/+6

* Fix typos in docs | Dwayne C. Litzenberger | 2012-05-23 | 1 | -1/+1

* Fix to make Crypto.Cipher work with Python3 again | Legrandin | 2012-05-17 | 1 | -1/+3

* Added example for OPENPGP mode in CAST module | Legrandin | 2012-05-17 | 1 | -2/+8

* Added OpenPGP mode | Legrandin | 2012-05-17 | 7 | -20/+190

* Fixed 2 typos in documentation | Legrandin | 2012-05-17 | 2 | -2/+2

* Added example for all symmetric ciphers | Legrandin | 2012-05-14 | 7 | -3/+85

* Added cipher type column | Legrandin | 2012-05-14 | 1 | -20/+20

* Add documentation for XOR cipher | Legrandin | 2012-05-14 | 2 | -1/+87
* Minor fixes for documentation of ciphers | Legrandin | 2012-05-14 | 7 | -10/+5

    Fixed key lengths described with xrange()
    Removed unnecessary imports.
    Removed documentation for compiled modules starting with '_'.

* Added documentation for ARC4 | Legrandin | 2012-05-14 | 1 | -0/+108

* Added documentation for CAST-128 | Legrandin | 2012-05-12 | 1 | -0/+97

* Added documentation for RC2 | Legrandin | 2012-05-12 | 1 | -0/+111

* Added documentation for Blowfish | Legrandin | 2012-05-11 | 1 | -0/+96

* Fixes to make test suite pass for Python 2.1 and Python 3 | Legrandin | 2012-05-11 | 2 | -2/+2

* TDES unit tests got broken. Fixed them again. | Legrandin | 2012-05-10 | 1 | -1/+1

* Added documentation for Triple DES. | Legrandin | 2012-05-10 | 2 | -0/+112

* Added description of what DES is. | Legrandin | 2012-05-10 | 1 | -1/+15

* Added documentation for AES and DES. | Legrandin | 2012-05-10 | 3 | -0/+364

    A new module (blockalgo) has been added. It contains a class (BlockAlgo) all ciphers derive from. The only purpose of such a base class is to centralize all general documentation applicable to all block ciphers (e.g. modes) into a single file.

* Fix documentation for PKCS#1 modules. | Legrandin | 2012-04-19 | 2 | -2/+2

    Objects used by PKCS#1 modules were treated as private, and therefore ignored by epydoc.

    Replaced SHA module with None as PBKDF1 default parameter value, because it was not displayed nicely by epydoc. Default value is assigned in the body.
* Further fixes for python 3 | Legrandin | 2011-10-19 | 1 | -4/+1

* Merged from upstream (py3k support) and modified so that all unit tests pass. | Legrandin | 2011-10-18 | 2 | -24/+29

* Restructure both PKCS#1 ciphers as objects, to make them more uniform with other ciphers in the module. | Legrandin | 2011-10-11 | 2 | -279/+335

* To simplify, no RNG needs to be provided with PKCS1 encryption: the one belonging to each RSA key is reused. | Legrandin | 2011-10-02 | 3 | -34/+43

    Error detection is internally implemented in a simpler (and safer) way for PKCS1 OAEP decryption.

    General fixes to documentation for PKCS1.

* Modify decryption function for PKCS#1 v1.5 so that a sentinel is returned in case of padding error, as opposed to an exception being raised. | Legrandin | 2011-09-28 | 1 | -13/+58

    Added also more information on how to avoid timing attacks.
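The sentinel behaviour this entry introduces, as an added Python example that is not PyCrypto's Crypto.Cipher.PKCS1_v1_5 code. It works on the encoded message EM that RSA decryption yields, so it runs without a key; the functions pkcs1_v15_pad, pkcs1_v15_unpad and demo and the expected_len parameter are this example's own names. The unpadding routine evaluates every structural check, folds them into one flag and returns the caller's sentinel instead of raising, which is the shape that keeps a padding failure from being observable as a distinct error path.

```python
"""PKCS#1 v1.5 (type 2) padding with sentinel-based error reporting.
Added example for this page; it is not PyCrypto's Crypto.Cipher.PKCS1_v1_5
code.  It handles the encoded message EM = RSA_decrypt(ciphertext), so no
RSA key is needed to run it."""

import os


def pkcs1_v15_pad(message, k):
    """EM = 0x00 || 0x02 || PS || 0x00 || M for a k-byte modulus.

    PS is at least 8 random non-zero bytes; zero bytes are resampled because
    0x00 is the separator that unpadding searches for."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for a %d-byte modulus" % k)
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad(em, sentinel, expected_len=None):
    """Return M, or `sentinel` if EM is not a well-formed type 2 block.

    Every check is evaluated and folded into one flag; nothing is raised and
    there is no early return, so the caller sees the same control flow for a
    good and a bad block.  With expected_len set, a message of the wrong
    length is folded into the same flag rather than reported separately
    (a distinguishable error is what a Bleichenbacher-style padding oracle
    feeds on).  CPython gives no constant-time guarantee; the structure is
    the point here, not the cycle counts.
    """
    failed = len(em) < 11                   # 2 header bytes, 8 bytes of PS, separator
    failed |= em[:2] != b"\x00\x02"
    sep = -1
    for i in range(2, len(em)):             # scan the whole block, never stop early
        if em[i] == 0 and sep < 0:
            sep = i
    failed |= sep < 0
    failed |= sep >= 0 and sep - 2 < 8      # PS shorter than the 8-byte minimum
    message = em[sep + 1:] if sep >= 0 else b""
    if expected_len is not None:
        failed |= len(message) != expected_len
    return sentinel if failed else message


def demo():
    """Constructed inputs: one good block and three malformed ones.

    Returns the four unpad results plus the sentinel so the caller can see
    that every failure mode collapses to the same value."""
    k = 64                                  # a 512-bit modulus, for illustration only
    secret = b"premaster-secret"
    em = pkcs1_v15_pad(secret, k)
    sentinel = os.urandom(len(secret))      # same length as the expected message
    good = pkcs1_v15_unpad(em, sentinel, expected_len=len(secret))
    wrong_type = pkcs1_v15_unpad(b"\x00\x01" + em[2:], sentinel)
    short_ps = pkcs1_v15_unpad(b"\x00\x02" + b"\x01" * 7 + b"\x00" + secret, sentinel)
    no_separator = pkcs1_v15_unpad(b"\x00\x02" + b"\x01" * (k - 2), sentinel)
    return good, wrong_type, short_ps, no_separator, sentinel


if __name__ == "__main__":
    good, wrong_type, short_ps, no_separator, sentinel = demo()
    print("well-formed block ->", good)
    for label, result in (("wrong block type", wrong_type),
                          ("PS too short", short_ps),
                          ("no separator", no_separator)):
        print("%-17s -> %s" % (label, "sentinel" if result == sentinel else result))
```

Choosing a random sentinel of the expected message length lets the caller carry on (deriving keys, computing a MAC) with the same code path whether or not the padding was valid, so the only thing an attacker learns is that the final MAC failed, not why.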