author     Thorsten Behrens <sbehrens@gmx.li>    2011-01-03 22:30:23 -0500
committer  Thorsten Behrens <sbehrens@gmx.li>    2011-01-03 22:30:23 -0500
commit     83cd648f8a125f788fd6afdf781775840455a317 (patch)
tree       cabe6731e83464d5fc0bae722563c96b193a18aa /Doc
parent     560874f4b8711897ea644b8f5817113e7221dbec (diff)
Add unit test for AllOrNothing
Note that AllOrNothing fails occasionally. This has always been the case; the unit test merely forces the flaw to be exposed.
Diffstat (limited to 'Doc')
-rw-r--r--  Doc/pycrypt.rst  57
1 files changed, 48 insertions, 9 deletions
diff --git a/Doc/pycrypt.rst b/Doc/pycrypt.rst
index 9005ee3..660d29b 100644
--- a/Doc/pycrypt.rst
+++ b/Doc/pycrypt.rst
@@ -321,7 +321,7 @@ CAST Variable/8 bytes
DES 8 bytes/8 bytes
DES3 (Triple DES) 16 bytes/8 bytes
IDEA 16 bytes/8 bytes
-RC5 Variable/8 bytes
+[RC5 Variable/8 bytes]
================= ============================
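Review bot: the square brackets in `+[RC5 Variable/8 bytes]` are not a reStructuredText construct and nothing in or around the table explains them, so a reader of the rendered page sees a row with stray brackets and has no way to know they mean "not implemented". Either drop the RC5 row from the table (the module is described as not implemented later in this patch), or keep the row plain and add a footnote reference such as ``RC5 [1]_`` with the explanation placed below the table.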
@@ -438,9 +438,15 @@ encrypt() will return a bytes object.
Algorithm-specific Notes for Encryption Algorithms
=======================================================
+[RC5 is not currently implemented in pycrypto]
+
RC5 has a bunch of parameters; see Ronald Rivest's paper at
<http://theory.lcs.mit.edu/~rivest/rc5rev.ps> for the
-implementation details. The keyword parameters are:
+implementation details. RC5 is patented by RSA Laboratories.
+RC5 supports 32-bit, 64-bit and 128-bit block sizes. RSA suggests a block size
+of 64-bit, a 128-bit key and 18-20 rounds.
+
+The keyword parameters are:
* ``version``: The version of the RC5 algorithm to use; currently
the only legal value is ``0x10`` for RC5 1.0.
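Review bot: `+[RC5 is not currently implemented in pycrypto]` is contradicted by the text that follows it, which goes on to document `version` and the other keyword parameters as if they could be passed to a live module, and the bracket markup again renders as literal brackets. Either move the whole RC5 subsection out of the user-facing notes, or mark it with a `.. note::` directive stating plainly that the module is absent and the parameters are kept for reference. Two smaller points: "a block size of 64-bit" should read "a 64-bit block size", and the sentence "RSA suggests ... 18-20 rounds" carries no reference and duplicates the rounds advice added under `rounds` in the next hunk; cite the paper already linked and keep one copy.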
@@ -451,7 +457,9 @@ implementation details. The keyword parameters are:
* ``rounds``: The number of rounds to apply, the larger the more
secure: this can be any value from 0 to 255, so you will have to
- choose a value balanced between speed and security.
+ choose a value balanced between speed and security. 12-round RC5
+ is susceptible to a differential attack. 18-20 rounds are suggested
+ as sufficient protection.
Security Notes
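Review bot: `12-round RC5 is susceptible to a differential attack` gives neither a reference nor the attack's cost, so a reader cannot judge whether it matters for their use; cite the attack (the Rivest paper link above is not it) or at least state that it is a chosen-plaintext attack. The surrounding sentence also still says rounds can be `any value from 0 to 255` with "the larger the more secure": with 0 rounds the cipher performs no mixing at all, so the doc should state a minimum acceptable value rather than implying the whole range is usable.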
@@ -467,6 +475,10 @@ encrypted and forwarded to someone else. This is a
possible to choose plaintexts that reveal something about the key when
encrypted.
+Stream ciphers are only secure if any given key is never used twice.
+If two (or more) messages are encrypted using the same key in a stream
+cipher, the cipher can be broken fairly easily.
+
DES (5100 K/sec) has a 56-bit key; this is starting to become too small
for safety. It has been shown in 2009 that a ~$10,000 machine can break
DES in under a day on average. NIST has withdrawn FIPS 46-3 in 2005.
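Review bot: `Stream ciphers are only secure if any given key is never used twice` states the condition too narrowly. What must never repeat is the keystream, i.e. the (key, nonce) pair; ARC4 in this library takes only a key, so the sentence happens to be right for ARC4 but reads as a general claim and will mislead for ciphers that take a nonce. Suggest: "never reuse a keystream: with ARC4, never encrypt two messages under the same key". "the cipher can be broken fairly easily" is also vague about what breaks: XORing the two ciphertexts yields the XOR of the two plaintexts, so both messages lose confidentiality even though the key itself is not recovered; saying that makes the warning concrete.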
@@ -479,14 +491,21 @@ study applied against it. It is, however, slow.
There are no publicly known attacks against the full-round IDEA (3050 K/sec),
and it's been around long enough to have been examined. IDEA is patented but
free for non-commercial use. Patents are expected to expire in 2011/2012.
-There are no known attacks against ARC2 (2160 K/sec), ARC4 (8830 K/sec),
-Blowfish (9250 K/sec), CAST (2960 K/sec), or RC5 (2060 K/sec), but they're all
-relatively new algorithms and there hasn't been time for much analysis
-to be performed; use them for serious applications only after careful
-research.
+IDEA is one of the strongest symmetric ciphers available to the public, alongside
+AES and AES candidates.
+
+There are no known attacks against Blowfish (9250 K/sec), CAST (2960 K/sec),
+or RC5 (2060 K/sec), but they're all relatively new algorithms and there hasn't
+been time for much analysis to be performed; use them for serious applications
+only after careful research.
+
+pycrypto implements CAST with up to 128 bits key length (CAST-128). This
+algorithm is considered obsoleted by CAST-256. CAST is patented by Entrust
+Technologies and free for non-commercial use.
+
Bruce Schneier recommends his newer Twofish algorithm over Blowfish where
a fast, secure symmetric cipher is desired. Twofish was an AES candidate. It
-is slightly slower than Rijndael (the chose algorithm for AES) for 128-bit
+is slightly slower than Rijndael (the chosen algorithm for AES) for 128-bit
keys, and slightly faster for 256-bit keys.
AES, the Advanced Encryption Standard, was chosen by the US National
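Review bot: `IDEA is one of the strongest symmetric ciphers available to the public, alongside AES and AES candidates` is a ranking with no source, and it sits two sentences after the paragraph discussing its patents; either cite a survey or soften it to "no practical attacks on the full cipher are known". Likewise `This algorithm is considered obsoleted by CAST-256`: considered by whom? CAST-256 having been an AES candidate does not retire CAST-128, which remains the cipher specified in RFC 2144. And `CAST is patented by Entrust Technologies and free for non-commercial use` is narrower than RFC 2144's own licence statement, which makes CAST-128 available royalty-free for commercial and non-commercial use; quote that document rather than restating the terms from memory. Finally, the moved sentence still calls Blowfish, CAST and RC5 `relatively new algorithms`; by this commit's date all three are well over a decade old, so either update the assessment or drop that clause.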
@@ -494,6 +513,26 @@ Institute of Standards and Technology from among 6 competitors, and is
probably your best choice. It runs at 7060 K/sec, so it's among the
faster algorithms around.
+ARC4 ("Alleged" RC4) (8830 K/sec) has been weakened. Specifically, it has been
+shown that the first few bytes of the ARC4 keystream are strongly non-random,
+leaking information about the key. When the long-term key and nonce are merely
+concatenated to form the ARC4 key, such as is done in WEP, this weakness can be
+used to discover the long-term key by observing a large number of messages
+encrypted with this key.
+Because of these possible related-key attacks, ARC4 should only be used with
+keys generated by a strong RNG, or from a source of sufficiently uncorrelated
+bits, such as the output of a hash function.
+A further possible defense is to discard the initial portion of the keystream.
+This altered algorithm is called RC4-drop(n).
+While ARC4 is in wide-spread use in several protocols, its use in new protocols
+or applications is discouraged.
+RC4 is patented by RSA Laboratories.
+
+ARC2 ("Alleged" RC2) is vulnerable to a related-key attack, 2^34 chosen
+plaintexts are needed.
+Because of these possible related-key attacks, ARC2 should only be used with
+keys generated by a strong RNG, or from a source of sufficiently uncorrelated
+bits, such as the output of a hash function.
Credits
=============
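Review bot: `RC4 is patented by RSA Laboratories` is wrong: RC4 was never patented, it was kept as an RSA trade secret (the name is a trademark), which is precisely why the implementation that leaked in 1994 is called "Alleged" RC4, as the paragraph's own heading says; drop the sentence or replace it with the trade-secret history. Three more points in this hunk. First, the ARC4 paragraph recommends `RC4-drop(n)` without saying what n should be, so a reader cannot act on the advice; give a concrete minimum number of bytes to discard. Second, the ARC4 text has no blank lines between separate thoughts (after `encrypted with this key.`, after `RC4-drop(n).`, after `is discouraged.`), so RST will render it as one run-on paragraph; split it. Third, `ARC2 ("Alleged" RC2) is vulnerable to a related-key attack, 2^34 chosen plaintexts are needed` is a comma splice; write "a related-key attack requiring 2^34 chosen plaintexts", and change `has been weakened` to `has known weaknesses`, since the algorithm itself did not change.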