13

I am planning on using PyCrypto for a project and I want to know whether PyCrypto is safe and reliable enough to use. How can I ensure that PyCrypto is encrypting data correctly according to the various encryption algorithms such as RSA and AES?

Imran Azad
  • 1,384
  • 1
  • 21
  • 36
  • 5
    (a) have an implementation you trust; (b) compare the results of every possible string/key combination between PyCrypto and this Trusted Implementation. (I'll wait for you here, write "yes" or "no" as an answer when you've checked every combination.) – Chris Morgan Oct 20 '11 at 13:04
  • @ChrisMorgan Thanks for the response. I'm fairly new to encryption so you'll have to bear with me. What do you mean by every possible string/key combination, could you give an example please. Also I don't have access to a trusted implementation. – Imran Azad Oct 20 '11 at 22:52
  • 1
    I was joking. (If English isn't your first language you'll probably find my humour harder to fathom than a native English speaker would.) You *can't* try every possible string/key combination - there are an infinite number of them. If you don't start by trusting some implementation to be accurate to start with, you can't get anywhere. – Chris Morgan Oct 20 '11 at 22:58
  • @ChrisMorgan I had an inkling that you were joking. However I don't think it's a question of being a native English speaker of which I am to fathom your humour, rather it's lack of experience with encryption. You may have misunderstood my question. Let me clarify, one can't blindly trust a particular implementation. Say for example with regard to key generation PyCrpyto has a bug where it fails to choose two distinct prime numbers p and q at random and of similar bit-length. There are a plethora of examples I can give you. Maybe only a native English speaker can fathom what I'm saying. – Imran Azad Oct 21 '11 at 09:12
  • OK. I see what you're asking and I believe I understand it entirely, but I think you're unlikely to be able to get a satisfactory answer. To a certain degree you've got to have faith in it. – Chris Morgan Oct 21 '11 at 12:47
  • @ChrisMorgan Thanks I can appreciate that. – Imran Azad Oct 21 '11 at 14:01

3 Answers3

19

It depends.

Some parts of PyCrypto are really good. For example, the API for Crypto.Random (introduced in PyCrypto 2.1) was designed to be pretty foolproof, and the underlying algorithm it uses (Fortuna) was also designed to be pretty foolproof.

Other parts are just implementations of low-level crypto primitives, so it works, but you have to know what you are doing to use them correctly. For example, Crypto.PublicKey.RSA doesn't implement the full RSA PKCS#1 standard (which is what most people think about when they talk about "RSA"). It only implements the basic RSA primitive (m^e mod n and c^d mod n), and you still have to provide your own PKCS#1 implementation.

The best way to ensure that PyCrypto is encrypting your data correctly (without reading the source code, which I encourage everyone to do) is to use a standard protocol and/or message format, and test that your code interoperates with other implementations. If you're making up your own message format (which you probably shouldn't do anyway), then you need to be very careful to ensure that PyCrypto is actually doing everything that you think it's doing.

Disclaimer: I'm the current PyCrypto maintainer, so my opinions shouldn't be considered an independent review.

Update: PyCrypto v2.5 and later now include proper RSA PKCS#1 encryption and signature implementations. See the API documentation for Crypto.Cipher.PKCS1_OAEP and Crypto.Signature.PKCS1_PSS for details.

dlitz
  • 5,679
  • 3
  • 19
  • 13
  • @dlitz, thank you really appreciate that! I'd just like to clarify when you say 'test that your code interoperates with other implementations' do you mean for example decrypting the encrypted data from PyCrypto in some other cryptographic tool? – Imran Azad Dec 11 '11 at 19:59
  • +1: I like the [new module](https://www.dlitz.net/software/pycrypto/api/current/Crypto.Cipher.PKCS1_OAEP-module.html), and the example given makes it clear how to use it. My only concern is that it is too easy for a new user to assume (like I did) that RSA is already doing this by default. Perhaps a warning in the [docs](https://www.dlitz.net/software/pycrypto/doc/#crypto-publickey-public-key-algorithms)? – Alex May 08 '12 at 03:14
  • 2
    I am not sure if this is on-topic, but PyCrypto is [no longer being maintained](https://github.com/dlitz/pycrypto/issues/173). – Elias Zamaria May 24 '16 at 05:29
5

No. PyCrypto is no longer under active development and the cryptography library should be used instead.

Source: https://github.com/dlitz/pycrypto/issues/173

Dan
  • 242
  • 3
  • 11
4

Note that I am not an expert in crypto either. That said, I took a quick look at the PyCrypto code on github and at their mailing list. One of the things that gives me confidence is that there is good, expert contributions to the code base. The developers acknowledge insecurities and work to correct them.

If you have a specific use case that you need to be implemented securely, look at their code and ask on their list. Since they seem to leverage C/C++ libraries to do the work in many cases, you can check out the reputation of the base libraries directly.

justinzane
  • 1,897
  • 1
  • 26
  • 38