shared key for symmetric encryption #3
Comments
It's inherent to the math underlying the SRP algorithm. If you haven't On Fri, Sep 27, 2013 at 12:33 AM, Olivier Chaussavoine <
You are right, I found the method get_session_key() that solved the problem. I was wondering which kind of symmetric cipher could be used when this key is set. I chose Crypto.Cipher.AES and initialized it like this:

```python
from Crypto.Cipher import AES
from Crypto.Hash import SHA256


def getAES(pwd, iv):
    # pwd: the password as bytes; hashed with SHA-256 so the key is 32 bytes (AES-256)
    _hash = SHA256.new()
    _hash.update(pwd)
    # CBC mode; the IV is the first 16 bytes of the value returned by get_session_key()
    return AES.new(_hash.digest(), AES.MODE_CBC, iv[:16])
```

where iv is returned by the method get_session_key(). The password is hashed in order to obtain a key with 32 bytes. I just use the methods encrypt() and decrypt() of the object returned by getAES(pwd,iv). Do you have an opinion on this implementation?
AES is a good choice for the encryption algorithm. It's pretty standard and A word of caution here though. The likelihood that you'll make a mistake Good luck. Tom On Fri, Sep 27, 2013 at 3:34 AM, Olivier Chaussavoine <
I believed the result obtained by get_session_key() was random and only Your second argument is very wise and respectful, but I do very simple
2013/10/1 cocagne [email protected]
Olivier Chaussavoine
Oh, ok. I think I follow you now. You're intentionally using a derivative
The last point there is a little fuzzy but crypto is so easy to get wrong Tom On Tue, Oct 1, 2013 at 11:53 AM, Olivier Chaussavoine <
You got it! You let me think it could be possible to avoid storing a clear Olivier 2013/10/2 cocagne [email protected]
Olivier Chaussavoine
You only need to calculate the verifier once and it may be used for all As for storing the passwords directly in the database, please try to Cheers, Tom On Wed, Oct 2, 2013 at 1:25 AM, Olivier Chaussavoine <
To be clear to anyone reading this the correct approach is to:
End.
I did not see how a large key could be obtained that is known at the end of the exchanges and known only by both sides. We cannot perform symmetric encryption without it. Could you explain that?
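As an added example (not code from this thread or from the srp library), here is a self-contained SRP-6a exchange in plain Python over the RFC 5054 1024-bit group: the session key K that each side computes independently is the large secret known only to client and server, and the AES key is then derived from K rather than from SHA-256 of the password as in the getAES() shown earlier in the thread. Assumptions of this example: SHA-256 in place of the SHA-1 that RFC 5054 specifies for this group, the HMAC label used for key derivation, and a random IV per message instead of a slice of K.

```python
import hashlib
import hmac
import os

# RFC 5054 Appendix A, 1024-bit group; generator g = 2
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NB = (N.bit_length() + 7) // 8          # 128: byte length of N, used for padding

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, as an integer (assumption: SHA-256 instead of SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NB, "big")        # left-pad to len(N), as SRP-6a requires for k and u

k = H(pad(N), pad(g))                   # SRP-6a multiplier k = H(N | PAD(g))

def legacy_key(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()    # what the thread's getAES() keys AES with

def make_verifier(username: bytes, password: bytes, salt: bytes) -> int:
    """Server stores (salt, v) with v = g^x mod N; the password itself is never stored."""
    x = H(salt, hashlib.sha256(username + b":" + password).digest())
    return pow(g, x, N)

def session_keys(username: bytes, password: bytes, salt: bytes, v: int):
    """One SRP-6a exchange with fresh ephemerals; returns (client K, server K)."""
    a, b = (int.from_bytes(os.urandom(32), "big") for _ in range(2))
    A = pow(g, a, N)                                    # client -> server: A
    B = (k * v + pow(g, b, N)) % N                      # server -> client: salt, B
    u = H(pad(A), pad(B))                               # scrambling parameter
    x = H(salt, hashlib.sha256(username + b":" + password).digest())
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)          # equals S_client only if x matches v
    return hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()

def aes_key_and_iv(session_key: bytes) -> tuple:
    """AES-256 key derived from K (label is this example's choice); IV is random per message."""
    key = hmac.new(session_key, b"srp-aes-cbc-key", hashlib.sha256).digest()
    return key, os.urandom(16)          # pass these to AES.new(key, AES.MODE_CBC, iv)
```

Because the ephemerals a and b are random, K is different on every run even for the same password, whereas SHA-256 of the password is a fixed value that anyone holding the password database can reproduce.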