-
-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Support for AES Encryption/Decryption with ECB cipher mode. #3
Comments
So is this just a case of needing decryption? ECB seems extremely insecure, so I'd like to avoid exposing it where possible. Perhaps an option could be to have a keyword arg such as Also curious, how did find out about this project? |
For my case I would need support for encryption although having decryption support as well would help with writing test cases. As for how I found this project, I did a Google search for "Python Crypto OS X Windows Linux github" and this project was one of the first results that came up. |
I do agree that by default the APIs should opt for the more secure ciphers and if something calls for ECB the consumer should override the default behavior by adding the |
For what it's worth, I don't think this should be added; it's very dangerous to even call ECB "encryption", and the construction of CBC+ECB sounds like nonsense to me. |
@glyph I agree, unfortunately its I'm dealing with a spec that I have no control over =\ |
@glyph As always, I appreciate your thoughts. So far oscrypto has been about implementing primitives, mostly towards the goal of loading private keys and certs off of disk and using them for signing, verification, revocation checking and path validation. I don't believe that ECB is used anywhere in OpenSSL encrypted private keys, PKCS#5, PKCS#8, PKCS#7, CMS or PKCS#12. @bssayeda Is the spec you are dealing with an in-house spec, or something public/published? |
@wbond The spec should be available publicly: https://developer.apple.com/services-account/download?path=/Developer_Tools/FairPlay_Streaming_SDK/FairPlay_Streaming_Server_SDK.zip The PDF enclosed with the package contains the spec. It is a long read so the area that uses AES ECB is on page 24 related to bytes 16-47. Those bytes are encrypted using AES ECB and then it and the other parts of the payload are encrypted using AES CBC. |
@bssayeda Thanks for providing the link. I ran into some similar bad constructs when dealing with PDF encryption. |
Ah well. @bssayeda - good to know where the requirement comes from, I guess that is widespread enough that it is not going away. I retract my objection, although I would say a function that deals with ECB should not have the word "encrypt" in its name, even if "insecure" is in there :). "encode/decode", maybe. |
Encode/Decode in this case is probably the better choice if the call for it will be separate from the existing API call. |
Well, all cipher/mode/padding combinations are unique function calls in the public API. This was done on purpose for two reasons:
@bssayeda What padding is being used in the spec? (sorry for being too lazy to download the SDK right now) |
@wbond For this case based off the reference implementation Apple includes in the package it looks like AES ECB "Encoding" with no padding. |
Hi, @wbond I hope this lib can add
without second thinking. According to JCA guide
Because in real world, we have to encrypt/decrypt data produced by these programmers, so I recommend providing the infamous btw I encountered |
It would be nice to have support for AES Encryption/Decryption with ECB cipher mode. I know that at least the OS X APIs has support for ECB and so does OpenSSL. While there are great cases that ECB mode should not be used historically, there are some use cases I have run to where data that is encrypted using AES ECB is encrypted (along with other data) a second time with AES in CBC mode. I would rather not have to depend on another encryption library just for that use case.
The text was updated successfully, but these errors were encountered: