replace PyCrypto usage with PyCA's Cryptography #2
Comments
|
I'm just curious, is there something wrong with PyCrypto or is there just more development with Cryptography or is that where everyone is going to these days? |
|
Cryptography has a lot to recommend it, but one major reason is that pyOpenSSL requires Cryptography, so using it for this as well is just fewer dependencies :-). |
|
Reasons to prefer PyCA cryptography (bearing in mind I'm one of the authors):
|
|
ldaptor seems to use only DES (for the crappy LanManager Password Hashes). cryptography does not provide that cipher. So guess this cannot be fixed, unless cryptography provides DES or LanManager hashes are extinct. |
|
3DES uses an "encrypt decrypt encrypt" model (EDE) so you can do single DES encryption and decryption with pyca/cryptography by doing the following:

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

des_key = b"8bytekey"  # placeholder: your 8-byte single-DES key
tdes_key = des_key * 3  # just concat the key 3x
cipher = Cipher(algorithms.TripleDES(tdes_key), modes.ECB(), backend=default_backend())
encryptor = cipher.encryptor()
# not using padding here so you'll need to make sure your input is a multiple of block size or else add padding
ct = encryptor.update(b"encrypt!") + encryptor.finalize()
```

This will work (albeit 3x as slow as single DES). Ideally you'd just drop LM support though as it's beyond ancient. |
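As an added example (not code from this thread or from ldaptor): the EDE trick above wrapped as a single-DES block helper and used to compute a LanManager hash for interoperability testing. The function names are hypothetical, the password is assumed to be ASCII, and the import fallback covers newer cryptography releases that keep `TripleDES` under `hazmat.decrepit`.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, modes

try:
    # Newer cryptography releases keep legacy ciphers in the "decrepit" module.
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    # Older releases only expose it here.
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

LM_MAGIC = b"KGS!@#$%"  # fixed plaintext that the LM scheme encrypts


def des_encrypt_block(des_key: bytes, block: bytes) -> bytes:
    """Single-DES ECB encryption of one block, done as 3DES-EDE with K1=K2=K3."""
    if len(des_key) != 8 or len(block) != 8:
        raise ValueError("DES needs an 8-byte key and an 8-byte block")
    encryptor = Cipher(TripleDES(des_key * 3), modes.ECB()).encryptor()
    return encryptor.update(block) + encryptor.finalize()


def expand_des_key(seven: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; each low (parity) bit stays 0, DES ignores it."""
    bits = int.from_bytes(seven, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def lm_hash(password: str) -> str:
    """LM hash: uppercase, pad/truncate to 14 bytes, DES-encrypt LM_MAGIC per half."""
    # Assumption: ASCII-only input (real LM uses the system OEM code page).
    data = password.upper().encode("ascii")[:14].ljust(14, b"\0")
    halves = (data[:7], data[7:])
    digest = b"".join(des_encrypt_block(expand_des_key(h), LM_MAGIC) for h in halves)
    return digest.hex().upper()


if __name__ == "__main__":
    # Constructed sample input; shows why the scheme is interop-only:
    # case is folded and each 7-character half is hashed independently.
    print(lm_hash("password"))
```
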
|
Beyond ancient and completely insecure; this is an interoperability measure, not a security measure. If it is at all avoidable it would be better just to drop it. |
|
If you need this just for LanManager hashes, just forget about it, LanManager hashes are completely useless for compatibility unless you are catering for 25 year old machines. |
|
@glyph any update on this? |
|
It should still happen, for sure! I don’t really work on ldaptor, though. |
|
@graingert thanks! |