"I don't think [insert arbitrary misuse of crypto here] is horrifically
insecure here"
This is wrong-headed thinking. If I had a dollar for every time a
programmer said that and was wrong, I would be rich.
Strong crypto is only strong if you follow the instructions *exactly*.
Everything else is snake oil.
"the key + IV-reuse is minimal"
The same key and IV are reused for every single password, so you get
this:
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("a").encode('hex')
'6a'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("ab").encode('hex')
'6af9'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("ab").encode('hex')
'6af9'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc1").encode('hex')
'6af9bb63'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc2").encode('hex')
'6af9bb60'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc3").encode('hex')
'6af9bb61'
>>> AES.new("0123456789abcdef", AES.MODE_CFB,
>>> "\0"*16).encrypt("abc4").encode('hex')
'6af9bb66'
Notice a pattern in the ciphertexts?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1004845
Title:
python-keyring CryptedFileKeyring is insecure (was: doesn't work with
python-crypto 2.6-1 (ValueError: IV must be 16 bytes long))
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
