[Baypiggies] Help Aes Implementation

Martin Falatic martin at falatic.com
Sun May 15 22:41:11 EDT 2016


tl;dr - The AES OFB implementation you're working with (pyAES) seems to be
more or less broken... at the very least, the ciphertext it produces is
not consistent with other AES implementations, OFB isn't that great of a
streaming algorithm, and for all that, pyAES is abysmally slow. Use
something else (e.g. PyCrypto).

More detail:

In encryption mode, pyAES hashes the key using SHA256, then uses that key
plus a pseudorandom initialization vector to encode the given data into 16
byte blocks. The IV is written, followed by the encoded blocks, followed
by padding with encoded bytes signifying the unused length of the final
block (if the final block is full, you'll get a pad of 16 bytes of 0x10,
encoded. If it is not full, the remaining bytes are padded the same way).

Decoding is an inverse of encoding.

Packing the IV like this isn't problematic if you remember to strip that
out before decoding. Likewise, the padding can be stripped out (though to
me that seems risky as you know the final byte must always be in the range
[0x01...0x10]).

I compared PyCrypto, OpenSSL (as shown below), and pyAES. PyCrypto agreed
with OpenSSL and produced the same ciphertext. pyAES does not. The
PyCrypto code I used to test this is as follows:

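# Python 2 / PyCrypto test script
import hashlib
from Crypto.Cipher import AES

if __name__ == "__main__":
    message = "0123456789ABCDEF"   # exactly one 16-byte block
    password = 'test'
    # Derive the 256-bit key the same way pyAES does: SHA-256 of the password
    sha256 = hashlib.sha256()
    sha256.update(password)
    key = sha256.digest()
    # Fixed all-zero IV, for reproducible comparison only
    IV = '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
    print("key="+''.join("{:02x}".format(ord(c)) for c in key))
    print("iv ="+''.join("{:02x}".format(ord(c)) for c in IV))
    # Encrypt in OFB mode and dump the ciphertext as hex bytes
    obj = AES.new(key, AES.MODE_OFB, IV)
    ciphertext = obj.encrypt(message)
    print("["+",".join("{:02x}".format(ord(c)) for c in ciphertext)+"]")
    # Use a fresh cipher object with the same key and IV to decrypt
    obj2 = AES.new(key, AES.MODE_OFB, IV)
    print(obj2.decrypt(ciphertext))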

* Note: PyCrypto 2.6.1 has a bug wherein OFB mode incorrectly errors out
if the message length is not one of a few specific size multiples. This
was corrected a couple of years ago but PyCrypto 2.7.x has yet to be
released (!). You can build and install from source to work around this
problem. More discussion here:

https://github.com/dlitz/pycrypto/issues/187

 - Marty
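
The container layout described above (SHA-256 of the password as key, IV written first, OFB over the padded data), as an added Python 3 example that is not part of the original message and is not pyAES or PyCrypto code. The function names are hypothetical, and block_fn is a keyed-hash stand-in for the AES block operation (an assumption, chosen so the sketch runs without third-party packages), so its ciphertext will not match any AES implementation.

```python
import hashlib
import os

BLOCK = 16

def derive_key(password: bytes) -> bytes:
    # As described in the post: the key is the SHA-256 digest of the password.
    return hashlib.sha256(password).digest()

def block_fn(key: bytes, block: bytes) -> bytes:
    # STAND-IN for AES block encryption (assumption, NOT AES). OFB only uses
    # the forward direction of the cipher, so a keyed hash shows the mode.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ofb_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # OFB: O_0 = IV, O_i = E(O_{i-1}); output = data XOR keystream.
    # The same function encrypts and decrypts.
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        feedback = block_fn(key, feedback)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], feedback))
    return bytes(out)

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK   # 1..16; a full final block adds 16 x 0x10
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    # Check every pad byte, not just the last one, before stripping.
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def encrypt(password: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    # Layout: IV (16 bytes) followed by the encrypted, padded data.
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv + ofb_xor(derive_key(password), iv, pad(plaintext))

def decrypt(password: bytes, blob: bytes) -> bytes:
    if len(blob) < 2 * BLOCK:
        raise ValueError("too short: need IV plus at least one block")
    iv, body = blob[:BLOCK], blob[BLOCK:]   # strip the IV before decoding
    return unpad(ofb_xor(derive_key(password), iv, body))
```
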


On Sun, May 15, 2016 13:35, Martin Falatic wrote:
> To add to this, from what I can tell this script uses output feedback
> mode. The original source of what you shared as "AES-1" and discussion can
> be found here:
>
> http://brandon.sternefamily.net/2007/06/aes-tutorial-python-implementation/
>
> The initialization vector used by the script is random, so I set it to
> [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] for testing purposes (and compared that
> to openssl with the same IV and using OFB mode). Still haven't had any luck
> reproducing the operating mode of this script in such a way as to be
> able to decrypt the output of one with the other.
>
> The updated reference commands that would appear to match what the script
> is meaning to do, even if it doesn't (note the password is "test" for
> the purpose of testing):
>
> openssl enc -aes-256-ofb -nosalt -pass pass:test -in a -out enc.bin -iv 00 -p
> openssl enc -aes-256-ofb -nosalt -pass pass:test -d -in enc.bin -out b -iv 00 -p
>
>
> Again, curious to see what you are comparing outputs against.
>
>
> - Marty
>
>
>
> On Sat, May 14, 2016 21:49, Martin Falatic wrote:
>
>> Do you require Python 2.5 to make these function? Because I just tried
>> them and neither seems to work.
>>
>> openssl enc -aes-256-cbc -in a.pdf -out enc.bin
>> openssl enc -aes-256-cbc -d -in enc.bin -out b.pdf
>> AES-1.py -d enc.bin -o c1.pdf
>> AES-2.py -d enc.bin -o c2.pdf
>> sha256sum a.pdf b.pdf c1.pdf c2.pdf
>>
>> openssl works to encrypt (unsalted) to ciphertext and then decrypt the
>> ciphertext. Neither of the two Python scripts you've provided seem to
>> do that (though yes, their outputs do differ, neither is the original
>> plaintext).
>>
>> So the first question is, what kind of plaintext and AES cipher and
>> implementation are you benchmarking these two scripts against?
>>
>> - Marty
>>
>>
>> On Sat, May 14, 2016 14:18, Pyhack Blog wrote:
>>
>>> Hi,
>>>
>>> I have two AES implementation programs:
>>>
>>> AES-1: http://pastebin.com/TrQ5iaxc
>>> AES-2: http://pastebin.com/mXRyprKL
>>>
>>> I have one binary file which is encrypted with some other AES program
>>> and it is getting decrypted with AES-1 but not with AES-2. I have
>>> shared both the programs' links with you; can someone please help me in
>>> identifying where exactly AES-2 is wrong in implementation.
>>>
>>> Regards
>>> PyHack
>>>
>>> _______________________________________________
>>> Baypiggies mailing list
>>> Baypiggies at python.org
>>> To change your subscription options or unsubscribe:
>>> https://mail.python.org/mailman/listinfo/baypiggies