[Cryptography-dev] Create Fernet API allowing streaming encryption and decryption from file-like objects.

Michael Iverson dr.michael.iverson at gmail.com
Mon Jan 19 17:42:41 CET 2015


On Mon, Jan 19, 2015 at 11:27 AM, Donald Stufft <donald at stufft.io> wrote:

>
> I'd also be concerned about the cryptographic implications of this. I'm
> not sure if this is entirely correct, but it seems if you set your chunk
> size = AES block size, you essentially are encrypting in ECB mode.
>
>
> The actual details of what you’d need to do is more involved than just
> calling encrypt() with the same key on chunks. That’s just a high level
> “here’s the general idea thing”. In reality you’d encrypt the stream using
> the streaming encryption APIs (so you’d use something like CBC or CTR) and
> you’d take that output and break it into chunks as well, and you’d
> authenticate each of those chunks.
>
>
>
OK, I see what you're saying now.

You would continue to operate the cipher in CBC mode, and process chunks in
order. You would then HMAC each chunk, so that each could be validated
prior to decryption and writing that chunk to the output. No unvalidated
data would ever be passed downstream. At worst, you would have partial
data.

To handle missing or out of order chunks, you could maintain an HMAC digest
of all blocks processed prior to the current block, in addition to the
added block. A missing block would cause the HMAC to fail. There would also
need to be a method to ensure that we only a certain number of chunks.


-- 
Dr. Michael Iverson
Director of Information Technology
Hatteras Printing
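The per-chunk validation described in this message, sketched as an added example (not code from the thread or from the cryptography project): a running HMAC covers every chunk so far, and each chunk is released only after its tag verifies. Encryption is left out, so the chunks are opaque bytes standing in for CBC output; the one-byte final-chunk marker and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def _tag(running, final):
    """Digest of everything fed so far plus a one-byte final-chunk marker."""
    snap = running.copy()          # snapshot so the running state keeps going
    snap.update(b"\x01" if final else b"\x00")
    return snap.digest()

def seal(mac_key, ct_chunks):
    """Return [(chunk, final, tag)] for a list of ciphertext chunks."""
    running = hmac.new(mac_key, digestmod=hashlib.sha256)
    sealed = []
    for i, chunk in enumerate(ct_chunks):
        running.update(chunk)
        final = i == len(ct_chunks) - 1
        sealed.append((chunk, final, _tag(running, final)))
    return sealed

def verified_chunks(mac_key, sealed):
    """Yield each chunk only after its tag checks out; raise otherwise."""
    running = hmac.new(mac_key, digestmod=hashlib.sha256)
    done = False
    for chunk, final, tag in sealed:
        if done:
            raise ValueError("data after final chunk")
        running.update(chunk)
        if not hmac.compare_digest(_tag(running, final), tag):
            raise ValueError("chunk failed authentication")
        yield chunk                # safe to decrypt and pass downstream
        done = final
    if not done:
        raise ValueError("stream truncated before final chunk")

def try_stream(mac_key, sealed):
    """Return (chunks released downstream, error message or None)."""
    released = []
    try:
        for chunk in verified_chunks(mac_key, sealed):
            released.append(chunk)
    except ValueError as exc:
        return released, str(exc)
    return released, None

# Constructed sample: opaque byte strings standing in for CBC ciphertext chunks.
KEY = b"k" * 32
SEALED = seal(KEY, [b"chunk-0", b"chunk-1", b"chunk-2"])
```

A dropped or reordered chunk fails at the first affected tag, and a stream cut short is caught only at the end, after the earlier chunks have already been released, which is the "partial data" case mentioned above.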