Re: Verifying the integrity/lineage of a file
On 2018-09-01, Peter Pearson wrote: > Writing your own crypto software is fraught with peril, and that > includes using existing libraries. Writing your own crypto software isn't a problem, and it can be very educational. Just don't _use_ your own crypto software. Howerver, the set of people who write software without intending to use it is pretty small... -- Grant Edwards grant.b.edwardsYow! ... the MYSTERIANS are at in here with my CORDUROY gmail.comSOAP DISH!! -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
On 2018-09-04 16:13, Grant Edwards wrote: > On 2018-09-01, Peter Pearson wrote: > >> Writing your own crypto software is fraught with peril, and that >> includes using existing libraries. > > Writing your own crypto software isn't a problem, and it can be very > educational. > > Just don't _use_ your own crypto software. > > Howerver, the set of people who write software without intending to > use it is pretty small... > Apart from all the people writing specialist software that's not relevant to their profession (seeing as they're programmers, not whatever the target audience is) intending to sell it. -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
i think he was referring to a wrapper for a crypto-software Abdur-Rahmaan Janhangeer https://github.com/Abdur-rahmaanJ Mauritius On Sat, 1 Sep 2018, 21:45 Peter Pearson, wrote: > > Writing your own crypto software is fraught with peril, > -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
Grant Edwards wrote: Writing your own crypto software isn't a problem, and it can be very educational. Just don't _use_ your own crypto software. Okay, so find a friend who also likes writing crypto software, and use each other's software. Problem solved. :-) -- Greg -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
On 2018-09-01, Peter Pearson wrote: > Writing your own crypto software is fraught with peril, and that > includes using existing libraries. Writing your own crypto software isn't a problem, and it can be very educational. Just don't _use_ your own crypto software. Howerver, the set of people who write software without intending to use it is pretty small... -- Grant Edwards grant.b.edwardsYow! ... the MYSTERIANS are at in here with my CORDUROY gmail.comSOAP DISH!! -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
On Fri, 31 Aug 2018 12:51:58 -0600, Malcolm Greene wrote: > Thanks for the replies! I'm going to investigate the use of > python-gnupg which is a Python wrapper for the GPG command line > utility. This library is based on gpg.py written by Andrew Kuchling. > I'm all ears if f anyone has any alternative recommendations or > python-gnupg tips to share. BTW: Target clients are running under > Windows and Linux. Writing your own crypto software is fraught with peril, and that includes using existing libraries. If you don't expect your system to get serious attention from a competent adversary, then fine, go ahead. No ... not even that. If you're _quite_confident_ that your system will never get serious attention ... go ahead. But if you think your system might someday be attacked by an adversary who will exploit insufficiently unguessable nonces, or accidental nonce re-use, or swap-space images of your executing code, or side channels, or any of the other hundreds of issues that have left the history of cryptography so entertainingly littered with the bodies of brilliant aspirants, . . . then use a much-studied, time-tested product. Don't take my word for it (retired cryptologist), ask any reputable cryptologist. Or ask on the sci.crypt newsgroup; they need some traffic. -- To email me, substitute nowhere->runbox, invalid->com. -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
Thanks for the replies! I'm going to investigate the use of python-gnupg [1] which is a Python wrapper for the GPG command line utility. This library is based on gpg.py written by Andrew Kuchling. I'm all ears if f anyone has any alternative recommendations or python-gnupg tips to share. BTW: Target clients are running under Windows and Linux. [1] https://pythonhosted.org/python-gnupg/ -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
On Fri, 31 Aug 2018 08:36:52 -0600, Malcolm Greene wrote: > I have use case where I need to distribute binary files to customers and > want to provide a way for our customers to verify the > "integrity/lineage" (I know there's a better description, but can't > think of it) of these files, eg. to give them the confidence that the > files in question are from me and haven't been altered. [snip] This is exactly what digital signatures are for. GPG is free, and will serve as well as anything. Generate a public/private key pair, email the public key to the customer, and phone the customer to compare key "fingerprints" to verify that the key hasn't been altered in transit (very unlikely, but cryptologists are a cautious bunch). Just using HMAC requires sharing a secret with the customer, which means that you have to trust the customer not to forge authentications. A real digital signature avoids this problem by separating the signing key (your private key) from the verifying key (the public key). -- To email me, substitute nowhere->runbox, invalid->com. -- https://mail.python.org/mailman/listinfo/python-list
Re: Verifying the integrity/lineage of a file
On 2018-08-31 16:36, Malcolm Greene wrote: > I have use case where I need to distribute binary files to customers and > want to provide a way for our customers to verify the > "integrity/lineage" (I know there's a better description, but can't > think of it) of these files, eg. to give them the confidence that the > files in question are from me and haven't been altered. > Here's the methods I can think of using Python: > > 1. Use hashlib to hash each file (SHA256)+ and send the hashes >separately for verification2. Use hmac to sign each file > 3. Use a 3rd party crypto library to sign each file and use a set of >public/private SSH keys for verification > Any suggestions on techniques and/or libraries appreciated. > > Thank you, > Malcolm > The two most common methods used in open source projects are checksums (that you could generate with hashlib) and GPG signatures. Often (e.g. [1]) these are combined: provide a signed list of checksums. [1] http://cdimage.ubuntu.com/ubuntu/releases/bionic/release/ What you're describing sounds like a good use of GPG/PGP signatures. Just sending hashes leaves open the question of the integrity of the message containing the hashes, but it's certainly the simplest solution. I'm not qualified to comment on HMAC. -- https://mail.python.org/mailman/listinfo/python-list
Verifying the integrity/lineage of a file
I have use case where I need to distribute binary files to customers and want to provide a way for our customers to verify the "integrity/lineage" (I know there's a better description, but can't think of it) of these files, eg. to give them the confidence that the files in question are from me and haven't been altered. Here's the methods I can think of using Python: 1. Use hashlib to hash each file (SHA256)+ and send the hashes separately for verification2. Use hmac to sign each file 3. Use a 3rd party crypto library to sign each file and use a set of public/private SSH keys for verification Any suggestions on techniques and/or libraries appreciated. Thank you, Malcolm -- https://mail.python.org/mailman/listinfo/python-list