def symmetric_key_gen(key, text, mode, algorithm=None): backend = default_backend() cipher = None block_size = 0 if mode == 'AES': block_size = algorithms.AES(key).block_size cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend) elif mode == '3DES': block_size = algorithms.TripleDES(key).block_size cipher = Cipher(algorithms.TripleDES(key), modes.ECB(), backend=backend) elif mode == 'ChaCha20': pass # block_size=algorithms.ChaCha20(key).block_size # cipher=Cipher(algorithms.ChaCha20(key),modes.ECB(),backend=backend) else: raise Exception("Mode not found") encryptor = cipher.encryptor() padding = block_size - len(text) % block_size padding = 16 if padding == 0 else padding text += bytes([padding] * padding) ct = encryptor.update(text) return ct
def DESL(key, digest): """DESL encrypts a response key and digest and returns a challenge response Args: key (bytes): a NT or LM response key digest (bytes): a Server, Client or Server+Client challenge Returns: bytes: a NT or LM ChallengeResponse """ des_key = _create_des_key(key[0:7]) cipher = Cipher( algorithms.TripleDES(des_key), modes.ECB(), backend=default_backend() ) encryptor = cipher.encryptor() res = encryptor.update(digest) + encryptor.finalize() des_key = _create_des_key(key[7:14]) cipher = Cipher( algorithms.TripleDES(des_key), modes.ECB(), backend=default_backend() ) encryptor = cipher.encryptor() res += encryptor.update(digest) + encryptor.finalize() des_key = _create_des_key(key[14:16] + b"\0" * 5) cipher = Cipher( algorithms.TripleDES(des_key), modes.ECB(), backend=default_backend() ) encryptor = cipher.encryptor() res += encryptor.update(digest) + encryptor.finalize() return res
def decryption(self, data,iv=None,tag=None,nonce=None): backend = default_backend() cipher = None block_size = 0 if self.symmetric_cipher!='ChaCha20': if self.cipher_mode == 'ECB': mode = modes.ECB() elif self.cipher_mode == 'GCM': mode = modes.GCM(iv,tag) elif self.cipher_mode == 'CBC': if iv is not None: mode = modes.CBC(iv) if self.symmetric_cipher == 'AES': block_size = algorithms.AES(self.symmetric_key).block_size cipher = Cipher(algorithms.AES(self.symmetric_key), mode, backend=backend) elif self.symmetric_cipher == '3DES': block_size = algorithms.TripleDES(self.symmetric_key).block_size cipher = Cipher(algorithms.TripleDES(self.symmetric_key), mode, backend=backend) elif self.symmetric_cipher == 'ChaCha20': algorithm = algorithms.ChaCha20(self.symmetric_key, nonce) cipher = Cipher(algorithm, mode=None, backend=default_backend()) else: raise Exception("Mode not found") decryptor = cipher.decryptor() ct = decryptor.update(data)+decryptor.finalize() if self.cipher_mode=='GCM' or self.symmetric_cipher=='ChaCha20': return ct return ct[:-ct[-1]]
class TestTripleDESModeCBC(object): test_kat = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "3DES", "CBC"), [ "TCBCinvperm.rsp", "TCBCpermop.rsp", "TCBCsubtab.rsp", "TCBCvarkey.rsp", "TCBCvartext.rsp", ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) test_mmt = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "3DES", "CBC"), [ "TCBCMMT1.rsp", "TCBCMMT2.rsp", "TCBCMMT3.rsp", ], lambda key1, key2, key3, **kwargs: algorithms.TripleDES( binascii.unhexlify(key1 + key2 + key3)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), )
def calc_des(data, key, ifenc=True, mode='ECB', iv=None): if isinstance(data, str): data = bytes.fromhex(data) if isinstance(key, str): key = bytes.fromhex(key) if isinstance(iv, str): iv = bytes.fromhex(iv) backend = default_backend() if mode == 'ECB': cipher = Cipher(algorithms.TripleDES(key), modes.ECB(), backend=backend) else: cipher = Cipher(algorithms.TripleDES(key), modes.CBC(iv), backend=backend) if ifenc: encryptor = cipher.encryptor() ct = encryptor.update(data) + encryptor.finalize() return ct else: decryptor = cipher.decryptor() ct = decryptor.update(data) + decryptor.finalize() return ct
class TestTripleDESModeOFB(object): test_KAT = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "3DES", "OFB"), [ "TOFBpermop.rsp", "TOFBsubtab.rsp", "TOFBvarkey.rsp", "TOFBvartext.rsp", "TOFBinvperm.rsp", ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "3DES", "OFB"), [ "TOFBMMT1.rsp", "TOFBMMT2.rsp", "TOFBMMT3.rsp", ], lambda key1, key2, key3, **kwargs: algorithms.TripleDES( binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), )
def file_encryption(self, data): backend = default_backend() cipher = None block_size = 0 mode = None if self.symmetric_cipher != 'ChaCha20': if self.cipher_mode == 'ECB': mode = modes.ECB() elif self.cipher_mode == 'GCM': self.iv = os.urandom(16) mode = modes.GCM(self.iv) elif self.cipher_mode == 'CBC': if self.symmetric_cipher == '3DES': self.iv = os.urandom(8) elif self.symmetric_cipher == 'AES': self.iv = os.urandom(16) mode = modes.CBC(self.iv) if self.symmetric_cipher == 'AES': block_size = algorithms.AES(self.symmetric_key).block_size cipher = Cipher(algorithms.AES(self.symmetric_key), mode, backend=backend) elif self.symmetric_cipher == '3DES': block_size = algorithms.TripleDES(self.symmetric_key).block_size cipher = Cipher(algorithms.TripleDES(self.symmetric_key), mode, backend=backend) elif self.symmetric_cipher == 'ChaCha20': nonce = os.urandom(16) algorithm = algorithms.ChaCha20(self.symmetric_key, nonce) cipher = Cipher(algorithm, mode=None, backend=default_backend()) else: raise Exception("Symmetric cipher not found") encryptor = cipher.encryptor() if self.cipher_mode != 'GCM' and self.symmetric_cipher != 'ChaCha20': padding = block_size - len(data) % block_size padding = 16 if padding and self.symmetric_cipher == 'AES' == 0 else padding padding = 8 if padding and self.symmetric_cipher == '3DES' == 0 else padding data += bytes([padding] * padding) criptogram = encryptor.update(data) elif self.symmetric_cipher == 'ChaCha20': criptogram = encryptor.update(data) self.nonce = nonce else: criptogram = encryptor.update(data) + encryptor.finalize() self.gcm_tag = encryptor.tag return criptogram
def auth_ultralight_c(self, key=DEFAULT_KEY): self.reader.mfrc522_request(self.reader.PICC_REQA) uid1 = self.reader.mfrc522_anticol1() self.reader.mfrc522_select_tag1(uid1) uid2 = self.reader.mfrc522_anticol2() self.reader.mfrc522_select_tag2(uid2) uid = bytes(uid1[1:4] + uid2[:4]) (backData, backLen) = self.reader.mfrc522_transeive_helper([0x1A, 0x00]) print(backData) if backData[0] != 0xAF: raise AuthError("invalid auth response") ct = bytes(backData[1:9]) cipher = Cipher( algorithms.TripleDES(key), mode=modes.CBC(INITIAL_IV), backend=default_backend(), ) decryptor = cipher.decryptor() rand_b = decryptor.update(ct) + decryptor.finalize() rand_a = token_bytes(8) cipher2 = Cipher(algorithms.TripleDES(key), mode=modes.CBC(ct), backend=default_backend()) encryptor = cipher2.encryptor() response = (encryptor.update(rand_a + rand_b[1:] + rand_b[:1]) + encryptor.finalize()) assert len(response) == 16, "Response should be 16 bytes" (backData, backLen) = self.reader.mfrc522_transeive_helper([0xAF, *response]) print(backData) if backData[0] != 0x00: raise AuthError("invalid auth response") ct2 = bytes(backData[1:9]) cipher3 = Cipher( algorithms.TripleDES(key), mode=modes.CBC(response[8:]), backend=default_backend(), ) decryptor2 = cipher3.decryptor() rand_a_prime = decryptor2.update(ct2) + decryptor2.finalize() if rand_a_prime[-1:] + rand_a_prime[:-1] != rand_a: raise AuthError("randA did not match") return uid
def test_cmac(self): backend = MultiBackend([DummyCMACBackend([algorithms.AES])]) fake_key = b"\x00" * 16 assert backend.cmac_algorithm_supported(algorithms.AES(fake_key)) assert not backend.cmac_algorithm_supported( algorithms.TripleDES(fake_key)) cmac.CMAC(algorithms.AES(fake_key), backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cmac.CMAC(algorithms.TripleDES(fake_key), backend)
def basic_decrypt(cls, key, ciphertext): assert len(ciphertext) % 8 == 0 algo = ciphers.TripleDES(key.contents) cbc = modes.CBC(bytes(8)) decryptor = Cipher(algo, cbc, default_backend()).decryptor() plaintext = decryptor.update(ciphertext) return plaintext
def basic_encrypt(cls, key, plaintext): assert len(plaintext) % 8 == 0 algo = ciphers.TripleDES(key.contents) cbc = modes.CBC(bytes(8)) encryptor = Cipher(algo, cbc, default_backend()).encryptor() ciphertext = encryptor.update(plaintext) return ciphertext
def decrypt_message(self, cryptogram, iv, key): """Decrypts messages with a symmetric key""" cipher = None algorithm = None mode = None enc_shared_key = key[len(key) // 2:] if self.cipher == 'AES': algorithm = algorithms.AES(enc_shared_key) elif self.cipher == '3DES': algorithm = algorithms.TripleDES(enc_shared_key) elif self.cipher == 'ChaCha20': # in this case the nonce is the iv if iv != None: algorithm = algorithms.ChaCha20(enc_shared_key, iv) else: logger.debug('Algorithm not suported') # with ChaCha20 we do not pad the data if self.ciphermode == 'CBC': mode = modes.CBC(iv) elif self.ciphermode == 'CTR': mode = modes.CTR(iv) cipher = Cipher(algorithm, mode=mode) decryptor = cipher.decryptor() if self.cipher == 'ChaCha20': return decryptor.update(cryptogram) + decryptor.finalize() else: padded_data = decryptor.update(cryptogram) + decryptor.finalize() unpadder = padding.PKCS7(algorithm.block_size).unpadder() text = unpadder.update(padded_data) text += unpadder.finalize() return text
def encrypt_message(self, text, key): """Encrypts message with a symmetric key""" iv = os.urandom(16) cipher = None algorithm, iv = None, None mode = None enc_shared_key = key[len(key) // 2:] if self.cipher == 'AES': algorithm = algorithms.AES(enc_shared_key) elif self.cipher == '3DES': algorithm = algorithms.TripleDES(enc_shared_key) else: iv = os.urandom(16) algorithm = algorithms.ChaCha20(enc_shared_key, iv) logger.error('Algorithm not suported') if self.cipher != 'ChaCha20': # with ChaCha20 we do not pad the data iv = os.urandom(algorithm.block_size // 8) if self.ciphermode == 'CBC': mode = modes.CBC(iv) elif self.ciphermode == 'CTR': mode = modes.CTR(iv) padder = padding.PKCS7(algorithm.block_size).padder() padded_data = padder.update(text) padded_data += padder.finalize() text = padded_data cipher = Cipher(algorithm, mode=mode) encryptor = cipher.encryptor() cryptogram = encryptor.update(text) + encryptor.finalize() return cryptogram, iv
def update(self, chunk): if self._cipher is None: if len(chunk) < 16: raise Exception('Invalid first chunk (Size < 16).') if chunk[0:8] != b"Salted__": raise Exception('Invalid first chunk (expected: Salted__') [key, iv] = self._get_key_iv(self._password, chunk[8:16]) if HAS_M2CRYPTO: self._cipher = EVP.Cipher('des_cbc', key, iv, 0) elif HAS_CRYPTOGRAPHY: self._cipher = Cipher(algorithms.TripleDES(key), modes.CBC(iv), backend=default_backend()).decryptor() else: self._cipher = DES.new(key, DES.MODE_CBC, iv) chunk = chunk[16:] if len(chunk) > 0: if HAS_M2CRYPTO: return self._cipher.update(chunk) elif HAS_CRYPTOGRAPHY: return self._cipher.update(chunk) else: return self._cipher.decrypt(chunk) else: return b""
def decrypt_simple(self, username): """Decrypt a credential using the simple approach. It only handles 3DES. Tries to parse the decrypted object into a plain credential object type. If it fails, probably due to an invalid username use to decrypt it, raises an exception. :param username: Username to use when decrypting :type username: string :return: decrypted object :rtype: SAPCredv2_Cred_Plain """ blob = self.cipher.val_readable # Construct the key using the key format and the username key = (cred_key_fmt % username)[:24] # Set empty IV iv = "\x00" * 8 # Decrypt the cipher text with the derived key and IV decryptor = Cipher(algorithms.TripleDES(key), modes.CBC(iv), backend=default_backend()).decryptor() plain = decryptor.update(blob) + decryptor.finalize() return SAPCredv2_Cred_Plain(plain)
def authenticate(self, key, touch_callback=None): ct1 = self.send_cmd(INS.AUTHENTICATE, ALGO.TDES, SLOT.CARD_MANAGEMENT, Tlv(TAG.DYN_AUTH, Tlv(0x80)))[4:12] backend = default_backend() cipher = Cipher(algorithms.TripleDES(key), modes.ECB(), backend) decryptor = cipher.decryptor() pt1 = decryptor.update(ct1) + decryptor.finalize() ct2 = os.urandom(8) if touch_callback is not None: touch_timer = Timer(0.500, touch_callback) touch_timer.start() try: pt2 = self.send_cmd( INS.AUTHENTICATE, ALGO.TDES, SLOT.CARD_MANAGEMENT, Tlv(TAG.DYN_AUTH, Tlv(0x80, pt1) + Tlv(0x81, ct2)) )[4:12] finally: if touch_callback is not None: touch_timer.cancel() encryptor = cipher.encryptor() pt2_cmp = encryptor.update(ct2) + encryptor.finalize() if not bytes_eq(pt2, pt2_cmp): raise ValueError('Device challenge did not match!') self._authenticated = True
def __init__(self, cipher_mode=None, initialization_vector=None, key=None, **kwargs): """Initializes a decrypter. Args: cipher_mode (Optional[str]): cipher mode. initialization_vector (Optional[bytes]): initialization vector. key (Optional[bytes]): key. kwargs (dict): keyword arguments depending on the decrypter. Raises: ValueError: when key is not set or the cipher mode is not supported. """ if not key: raise ValueError('Missing key.') if cipher_mode not in self._ENCRYPTION_MODES: raise ValueError( 'Unsupported cipher mode: {0!s}'.format(cipher_mode)) algorithm = algorithms.TripleDES(key) super(DES3Decrypter, self).__init__(algorithm=algorithm, cipher_mode=cipher_mode, initialization_vector=initialization_vector, **kwargs)
def _new_cipher(key): skey = key[0: crypto_algo["key_size"]] # Use first n bytes as crypto key iv = key[-crypto_algo["iv_size"]:] # Use last m bytes as IV return Cipher(algorithms.TripleDES(skey), modes.CBC(iv), backend=default_backend())
def TripleDES(): backend = default_backend() key = os.urandom(16) iv = os.urandom(8) user_input = input('Please enter a message: ') cipher = Cipher(algorithms.TripleDES(key), modes.OFB(iv), backend=default_backend()) encryptor = cipher.encryptor() user_input_byt = str.encode(user_input) ct = encryptor.update(user_input_byt) + encryptor.finalize() print('The 3DES key is {}'.format(ct)) decryptor = cipher.decryptor() answer = decryptor.update(ct) + decryptor.finalize() print('The decrypted message: {}'.format(answer)) a = input('Would you like to know more about 3DES? (yes/no) ') if a == 'yes': print('Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a block cipher standardized by NIST. Triple DES has known crypto-analytic flaws, however none of them currently enable a practical attack. Nonetheless, Triple DES is not recommended for new applications because it is incredibly slow; old applications should consider moving away from it.') print(' ') print('For this 3DES implenebtation, it uses OFB Mode. OFB (Output Feedback) is a mode of operation for block ciphers. It transforms a block cipher into a stream cipher.') print(' ') print('Becase it is a stream cipher, it does not need padding.') print(' ') print('iv = initialization_vector (bytes) – Must be random bytes. They do not need to be kept secret and they can be included in a transmitted message. Must be the same number of bytes as the block_size of the cipher. Do not reuse an initialization_vector with a given key.') print(' ') print('key (bytes) – The secret key. This must be kept secret.') elif a == 'no': print('That\'s great.')
def testInitialize(self): """Tests the __init__ method.""" algorithm = algorithms.TripleDES(self._DES3_KEY) test_decrypter = decrypter.CryptographyBlockCipherDecrypter( algorithm=algorithm, cipher_mode=definitions.ENCRYPTION_MODE_CBC, initialization_vector=self._DES3_INITIALIZATION_VECTOR) self.assertIsNotNone(test_decrypter) test_decrypter = decrypter.CryptographyBlockCipherDecrypter( algorithm=algorithm, cipher_mode=definitions.ENCRYPTION_MODE_CFB, initialization_vector=self._DES3_INITIALIZATION_VECTOR) self.assertIsNotNone(test_decrypter) test_decrypter = decrypter.CryptographyBlockCipherDecrypter( algorithm=algorithm, cipher_mode=definitions.ENCRYPTION_MODE_ECB) self.assertIsNotNone(test_decrypter) test_decrypter = decrypter.CryptographyBlockCipherDecrypter( algorithm=algorithm, cipher_mode=definitions.ENCRYPTION_MODE_OFB, initialization_vector=self._DES3_INITIALIZATION_VECTOR) self.assertIsNotNone(test_decrypter) with self.assertRaises(ValueError): decrypter.CryptographyBlockCipherDecrypter( algorithm=algorithm, cipher_mode=definitions.ENCRYPTION_MODE_CBC)
def setup_cipher(self): algorithm = algorithms.TripleDES(self.key) self._cipher = Cipher(algorithm, mode=self.IV, backend=default_backend()) self.encryptor = self._cipher.encryptor() self.decryptor = self._cipher.decryptor()
def encode_text(text: AnyStr, key: AnyStr) -> bytes: """Encode text using triple DES and ECB mode. .. code-block:: python # output: b'OdiOLVWUv7f8OzfNsuB5Fg==' encode_text("secret text", "a" * 24) :params text: Plain text (``str`` or ``bytes``) need to be encoded. :params key: Key used for encoding salt. :returns: Encoded ``bytes`` text. """ with contextlib.suppress(AttributeError): # ``key`` must be a ``bytes`` key = key.encode() with contextlib.suppress(AttributeError): # ``text`` must be a ``bytes`` text = text.encode() cipher = Cipher( algorithms.TripleDES(key), modes.ECB(), backend=default_backend(), ) encryptor = cipher.encryptor() padder = padding.PKCS7(algorithms.TripleDES.block_size).padder() padded_data = padder.update(text) + padder.finalize() encrypted_text = encryptor.update(padded_data) + encryptor.finalize() return base64.b64encode(encrypted_text)
def encrypt_tdes_cbc(key: bytes, iv: bytes, data: bytes) -> bytes: r"""Encrypt data using Triple DES CBC algorithm. Parameters ---------- key : bytes Binary Triple DES key. Has to be a valid DES key. iv : bytes Binary initial initialization vector for CBC. data : bytes Binary data to be encrypted. Returns ------- encrypted_data : bytes Binary encrypted data. Examples -------- >>> from pyemv.tools import encrypt_tdes_cbc >>> key = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210") >>> iv = bytes.fromhex("0000000000000000") >>> encrypt_tdes_cbc(key, iv, b"12345678").hex().upper() '41D2FFBA3CDC15FE' """ cipher = _Cipher( _algorithms.TripleDES(key), _modes.CBC(iv), backend=_default_backend(), ) return cipher.encryptor().update(data)
def key_check_digits(key: bytes, length: int = 2) -> bytes: r"""Calculate Triple DES key check digits. Parameters ---------- key : bytes Binary key to provide check digits for. Has to be a valid DES key. length : int, optional Number of key check digits bytes provided in the response (default 2). Returns ------- check_digits : bytes Binary check digits (`length` bytes) Examples -------- >>> from pyemv import tools >>> key = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210") >>> tools.key_check_digits(key).hex().upper() '08D7' """ cipher = _Cipher(_algorithms.TripleDES(key), _modes.ECB(), backend=_default_backend()) encryptor = cipher.encryptor() return encryptor.update(b"\x00\x00\x00\x00\x00\x00\x00\x00")[:length]
def decode_text(text: AnyStr, key: AnyStr) -> bytes: """Decode text using triple DES and ECB mode. .. code-block:: python # output: b'secret text' decode_text(b'OdiOLVWUv7f8OzfNsuB5Fg==', "a" * 24) :params text: Encoded text (``str`` or ``bytes``) need to be decoded. :params key: Key used for decoding salt. :returns: Decoded ``bytes`` text. """ encoded_text = base64.b64decode(text) with contextlib.suppress(AttributeError): # ``key`` must be a ``bytes`` key = key.encode() cipher = Cipher( algorithms.TripleDES(key), modes.ECB(), backend=default_backend(), ) decryptor = cipher.decryptor() unpadder = padding.PKCS7(algorithms.TripleDES.block_size).unpadder() padded_data = decryptor.update(encoded_text) + decryptor.finalize() # decrypt the encrypted text return unpadder.update(padded_data) + unpadder.finalize()
def generate_kcv(key: bytes, length: int = 2) -> bytes: r"""Generate DES key checksum value (KCV). Parameters ---------- key : bytes Binary key to provide check digits for. Has to be a valid DES key. length : int, optional Number of KCV bytes returned (default 2). Returns ------- kcv : bytes Binary KCV (`length` bytes) Examples -------- >>> import psec >>> key = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210") >>> psec.des.generate_kcv(key).hex().upper() '08D7' """ cipher = _Cipher(_algorithms.TripleDES(key), _modes.ECB(), backend=_default_backend()) encryptor = cipher.encryptor() return encryptor.update(b"\x00\x00\x00\x00\x00\x00\x00\x00")[:length]
def encrypt_tdes_ecb(key: bytes, data: bytes) -> bytes: r"""Encrypt data using Triple DES ECB algorithm. Parameters ---------- key : bytes Binary Triple DES key. Has to be a valid DES key. data : bytes Binary data to be encrypted. Returns ------- encrypted_data : bytes Binary encrypted data. Examples -------- >>> from pyemv.tools import encrypt_tdes_ecb >>> key = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210") >>> encrypt_tdes_ecb(key, b"12345678").hex().upper() '41D2FFBA3CDC15FE' """ cipher = _Cipher(_algorithms.TripleDES(key), _modes.ECB(), backend=_default_backend()) return cipher.encryptor().update(data)
def pyca_tests(): from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives.asymmetric import rsa, padding Cipher( algorithms.TripleDES(key), modes.CBC(iv)) # Noncompliant {{Use secure mode and padding scheme.}} # ^^^^^^^^^^^^^ Cipher(algorithms.Blowfish(key), modes.GCM(iv)) # Compliant Cipher() # Compliant args = [] Cipher(algorithms.Blowfish(key), *args) # Compliant Cipher(algorithms.Blowfish(key), modes.ECB()) # Noncompliant Cipher(algorithms.AES(key), modes.CBC(iv)) # Noncompliant Cipher(mode=modes.CBC(iv), algorithm=algorithms.AES(key)) # Noncompliant Cipher(algorithms.AES(key), modes.OFB(iv)) # Compliant Cipher(algorithms.AES(key), modes.ECB()) # Noncompliant private_key = rsa.generate_private_key() public_key = private_key.public_key() ciphertext = public_key.encrypt(message, padding.OAEP()) private_key.decrypt(ciphertext, padding.OAEP()) # Compliant public_key.encrypt(message, padding.PKCS1v15()) # Noncompliant # ^^^^^^^^^^^^^^^^^^ public_key.encrypt(padding=padding.PKCS1v15(), plaintext=message) # Noncompliant private_key.decrypt(ciphertext, padding.PKCS1v15()) # Noncompliant private_key.decrypt(padding=padding.PKCS1v15(), ciphertext=ciphertext) # Noncompliant print(padding.PKCS1v15()) # OK
def get_cipher(ciphername, derived_key): info = _cipher_info.get(ciphername) if info is None: raise ValueError(f'Unsupported cipher: {ciphername}') ivlen, keylen = info assert( len(derived_key) == sum(info) ) key = derived_key[:keylen] iv = derived_key[keylen:] LOG.debug('Decryptiong Key (%d): %s', len(key), key.hex().upper()) LOG.debug('IV (%d): %s', len(iv), iv.hex().upper()) backend = default_backend() if ciphername in (b"aes128-ctr", b"aes192-ctr", b"aes256-ctr"): return Cipher(algorithms.AES(key), modes.CTR(iv), backend=backend) # if ciphername == b"blowfish-cbc": # return Cipher(algorithms.Blowfish(key), modes.CBC(iv), backend=backend) if ciphername in (b"aes128-cbc", b"aes192-cbc", b"aes256-cbc"): return Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend) if ciphername == b"3des-cbc": return Cipher(algorithms.TripleDES(key), modes.CBC(iv), backend=backend) # Should not come here raise ValueError(f'Unsupported cipher: {ciphername}')
def test_ciphers(self): backend = MultiBackend([ DummyHashBackend([]), DummyCipherBackend([ (algorithms.AES, modes.CBC), ]) ]) assert backend.cipher_supported( algorithms.AES(b"\x00" * 16), modes.CBC(b"\x00" * 16) ) assert not backend.cipher_supported( algorithms.TripleDES(b"\x00" * 16), modes.CBC(b"\x00" * 16) ) cipher = Cipher( algorithms.AES(b"\x00" * 16), modes.CBC(b"\x00" * 16), backend=backend ) cipher.encryptor() cipher.decryptor() cipher = Cipher( algorithms.Camellia(b"\x00" * 16), modes.CBC(b"\x00" * 16), backend=backend ) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.encryptor() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.decryptor()