| field | value |
|---|---|
| author | Thorsten Behrens <sbehrens@gmx.li>, 2011-01-03 22:30:23 -0500 |
| committer | Thorsten Behrens <sbehrens@gmx.li>, 2011-01-03 22:30:23 -0500 |
| commit | 83cd648f8a125f788fd6afdf781775840455a317 |
| tree | cabe6731e83464d5fc0bae722563c96b193a18aa (path: /Doc) |
| parent | 560874f4b8711897ea644b8f5817113e7221dbec |
| download | pycrypto-83cd648f8a125f788fd6afdf781775840455a317.tar.gz |
Add unit test for AllOrNothing
Note that AllOrNothing fails occasionally. This has always been the case;
the unit test merely forces the flaw to be exposed.
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/pycrypt.rst | 57
1 files changed, 48 insertions, 9 deletions
diff --git a/Doc/pycrypt.rst b/Doc/pycrypt.rst index 9005ee3..660d29b 100644 --- a/Doc/pycrypt.rst +++ b/Doc/pycrypt.rst @@ -321,7 +321,7 @@ CAST Variable/8 bytes DES 8 bytes/8 bytes DES3 (Triple DES) 16 bytes/8 bytes IDEA 16 bytes/8 bytes -RC5 Variable/8 bytes +[RC5 Variable/8 bytes] ================= ============================ @@ -438,9 +438,15 @@ encrypt() will return a bytes object. Algorithm-specific Notes for Encryption Algorithms ======================================================= +[RC5 is not currently implemented in pycrypto] + RC5 has a bunch of parameters; see Ronald Rivest's paper at <http://theory.lcs.mit.edu/~rivest/rc5rev.ps> for the -implementation details. The keyword parameters are: +implementation details. RC5 is patented by RSA Laboratories. +RC5 supports 32-bit, 64-bit and 128-bit block sizes. RSA suggests a block size +of 64-bit, a 128-bit key and 18-20 rounds. + +The keyword parameters are: * ``version``: The version of the RC5 algorithm to use; currently the only legal value is ``0x10`` for RC5 1.0. @@ -451,7 +457,9 @@ implementation details. The keyword parameters are: * ``rounds``: The number of rounds to apply, the larger the more secure: this can be any value from 0 to 255, so you will have to - choose a value balanced between speed and security. + choose a value balanced between speed and security. 12-round RC5 + is susceptible to a differential attack. 18-20 rounds are suggested + as sufficient protection. Security Notes 
@@ -467,6 +475,10 @@ encrypted and forwarded to someone else. This is a possible to choose plaintexts that reveal something about the key when encrypted. +Stream ciphers are only secure if any given key is never used twice. +If two (or more) messages are encrypted using the same key in a stream +cipher, the cipher can be broken fairly easily. + DES (5100 K/sec) has a 56-bit key; this is starting to become too small for safety. It has been shown in 2009 that a ~$10,000 machine can break DES in under a day on average. NIST has withdrawn FIPS 46-3 in 2005. 
@@ -479,14 +491,21 @@ study applied against it. It is, however, slow. There are no publicly known attacks against the full-round IDEA (3050 K/sec), and it's been around long enough to have been examined. IDEA is patented but free for non-commercial use. Patents are expected to expire in 2011/2012. -There are no known attacks against ARC2 (2160 K/sec), ARC4 (8830 K/sec), -Blowfish (9250 K/sec), CAST (2960 K/sec), or RC5 (2060 K/sec), but they're all -relatively new algorithms and there hasn't been time for much analysis -to be performed; use them for serious applications only after careful -research. +IDEA is one of the strongest symmetric ciphers available to the public, alongside +AES and AES candidates. + +There are no known attacks against Blowfish (9250 K/sec), CAST (2960 K/sec), +or RC5 (2060 K/sec), but they're all relatively new algorithms and there hasn't +been time for much analysis to be performed; use them for serious applications +only after careful research. + +pycrypto implements CAST with up to 128 bits key length (CAST-128). This +algorithm is considered obsoleted by CAST-256. CAST is patented by Entrust +Technologies and free for non-commercial use. + Bruce Schneier recommends his newer Twofish algorithm over Blowfish where a fast, secure symmetric cipher is desired. Twofish was an AES candidate. It -is slightly slower than Rijndael (the chose algorithm for AES) for 128-bit +is slightly slower than Rijndael (the chosen algorithm for AES) for 128-bit keys, and slightly faster for 256-bit keys. AES, the Advanced Encryption Standard, was chosen by the US National 
@@ -494,6 +513,26 @@ Institute of Standards and Technology from among 6 competitors, and is probably your best choice. It runs at 7060 K/sec, so it's among the faster algorithms around. +ARC4 ("Alleged" RC4) (8830 K/sec) has been weakened. Specifically, it has been +shown that the first few bytes of the ARC4 keystream are strongly non-random, +leaking information about the key. When the long-term key and nonce are merely +concatenated to form the ARC4 key, such as is done in WEP, this weakness can be +used to discover the long-term key by observing a large number of messages +encrypted with this key. +Because of these possible related-key attacks, ARC4 should only be used with +keys generated by a strong RNG, or from a source of sufficiently uncorrelated +bits, such as the output of a hash function. +A further possible defense is to discard the initial portion of the keystream. +This altered algorithm is called RC4-drop(n). +While ARC4 is in wide-spread use in several protocols, its use in new protocols +or applications is discouraged. +RC4 is patented by RSA Laboratories. + +ARC2 ("Alleged" RC2) is vulnerable to a related-key attack, 2^34 chosen +plaintexts are needed. +Because of these possible related-key attacks, ARC2 should only be used with +keys generated by a strong RNG, or from a source of sufficiently uncorrelated +bits, such as the output of a hash function. Credits ============= |
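Review bot: In the @@ -321 hunk, `+[RC5 Variable/8 bytes]` wraps a row of a reStructuredText simple table (the one ruled with `=================`) in square brackets; the brackets will render literally and the extra characters push the row out of the column boundaries set by the `=` rules. Either drop the row or keep it unchanged and add a footnote saying the module has been removed. The same applies to `+[RC5 is not currently implemented in pycrypto]` at @@ -438: a bracketed sentence is not an RST admonition, and the paragraphs that follow still document `version` and `rounds` as live keyword parameters, so a `.. note::` directive stating that these parameters belonged to the removed module would be clearer. The table entry `Variable/8 bytes` and the added `RC5 supports 32-bit, 64-bit and 128-bit block sizes` now describe different things (the removed module's fixed 8-byte block versus the RC5 family); say which is meant. The claim `12-round RC5 is susceptible to a differential attack` is correct and would benefit from a citation (Biryukov and Kushilevitz, 1998). Finally, none of these documentation changes is reflected in the commit message, which only mentions the AllOrNothing unit test.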
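Review bot: The added stream-cipher paragraph at @@ -467 (`+Stream ciphers are only secure if any given key is never used twice.`) is right in spirit, but `the cipher can be broken fairly easily` misdescribes the consequence: key reuse does not require breaking the cipher at all. Two messages encrypted under the same keystream XOR together to the XOR of the two plaintexts, so the attacker recovers plaintext directly without learning the key. Suggest stating that mechanism, and phrasing the rule in terms of the keystream: for a cipher that takes a nonce or IV the requirement is that the (key, nonce) pair is never reused, and for a cipher keyed without a nonce every reuse of the key reuses the keystream.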
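Review bot: In the @@ -479 hunk, `+IDEA is one of the strongest symmetric ciphers available to the public, alongside` is an unsupported superlative; the verifiable statement is the one already in the context line, that there are no publicly known attacks against full-round IDEA, so suggest dropping the added sentence. The retained wording `they're all relatively new algorithms` for Blowfish, CAST and RC5 is stale: these designs date from 1993 to 1996 and this change is dated 2011, so the "not enough time for analysis" argument no longer holds and should be replaced by a statement of what is actually known. `+algorithm is considered obsoleted by CAST-256. CAST is patented by Entrust` is also questionable on two counts: CAST-128 remains specified by RFC 2144 and is in current use in OpenPGP, and RFC 2144 states that CAST-128 is available worldwide on a royalty-free basis for commercial and non-commercial use, so `free for non-commercial use` understates the grant. The `chose` to `chosen` typo fix is good.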
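Review bot: In the @@ -494 hunk, `+RC4 is patented by RSA Laboratories.` is incorrect: RC4 was never patented. It was a trade secret of RSA until the algorithm was posted anonymously in 1994, and "RC4" is a trademark, which is exactly why this module is named ARC4 ("Alleged RC4"), as the hunk itself notes. Suggest replacing the sentence with one saying the name is trademarked and the algorithm is unpatented. Two smaller points: the mitigation `+Because of these possible related-key attacks, ARC4 should only be used with` addresses the WEP-style key/nonce concatenation problem but not the first-byte keystream bias, which is present for any key, so move the RC4-drop(n) sentence next to the bias description and make clear the two defences address different weaknesses; and the same two-line mitigation paragraph is then repeated verbatim for ARC2, so it should be stated once for both ciphers. The ARC2 figure of 2^34 chosen plaintexts matches the Kelsey, Schneier and Wagner (1997) related-key attack and should cite it.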