[python-crypto] Add AES to amkCrypto?

Bryan Olson bolson at certicom.com
Thu Feb 1 20:47:03 CET 2001


Marc-Andre Lemburg wrote:
> Bryan Olson wrote:
> > I mean that in the API by Andrew Kuchling, the modes are
> > hard-coded for each cipher.  The same code got repeated around
> > each cipher to produce the various modes.  Andrew had a code
> > template to put around a cipher to generate the modes.  I
> > understand most of these are now imported from OpenSSL, but
> > that makes them even less flexible.
>
> Ok, now I understand: you want to play with new algorithms
> at an even lower level. I don't think that this is common usage
> though.

Yet here we are with a new cipher we want to put in the
library, and your answer is to wait until OpenSSL implements
it.  Python is a terrific language for reference
implementations. Actually one of the AES finalists, Serpent,
was first implemented in Python.

> Andrew's and the OpenSSL implementation have separate APIs
> for each mode because they can be optimized in different
> ways. The only way to get the compiler to optimize the code
> is by writing it down once for each mode. That way you get
> the best possible performance. In addition to this step, the
> algorithm state can usually be optimized w/r to the mode too.

And that makes sense for OpenSSL where the goal is to
implement one predefined protocol.  The modes are fixed so no
great flexibility is required.

What I want is a Python crypto library that takes advantage of
Python's strengths.  We're getting a new cipher and new modes,
and we have the ideal language for a reference implementation.
It makes no sense for us to wait for the C version.


> > Not exposing it doesn't make it better.  How does one add a
> > new mode or a new cipher under the current API?
>
> By writing the cipher in Python or C and then adding it to the
> package. I don't get your point here. The API defines how Python
> will interact with the implementation, it does not define
> what goes on underneath.

The API should allow us to put new implementations
"underneath".  I have my new block cipher and the new OID's
for it. I'll implement it, say in Python, and I want to pass
it to the library to use with the higher level protocols.

[...]
> > It has the many things needed to implement TLS, and usually
> > only has them to the extent needed to implement TLS.  It's
> > very hard to use as a general crypto library for Python.
>
> Why ? mxCrypto has proven that all included ciphers and hashes
> can be made available to Python.

Here's a real-world example.  I wrote a pure-Python RSA class
that generates keys, signs as per PKCS#1, encodes and decodes
keys, reports the OID's for algorithm and key and such.  I use
this class in creating certificates, and I have analogous
classes for DSA and ECDSA.

My production root keys reside on Luna CA^3 tokens, which use
an extended PKCS#11 interface.  So I wrote an extension to
bring the PKCS#11 interface into Python.

I wrote a class that inherits from the RSA class and uses RSA
keys on the hardware token.  I re-implemented key generation
and signing to call through PKCS#11. I can pass this class to
my certificate generator the same way as the all-soft version.

Python's strength is this kind of flexibility.  If the RSA
implementation is in C and buried inside OpenSSL, I have no
idea how to make it use my PKCS#11 Python extension.  (As I
understand things, the amkCrypto RSA class is currently in
Python, but the stated plan is to replace it with OpenSSL).


> > > The goal of mxCrypto was to expose the lower-level parts of
> > > OpenSSL to be able to implement other cryptographic protocols.
> >
> > What Python cannot do well is the low level primitives, such
> > as block ciphers and hash functions.  Things like encoding and
> > decoding certificates are easier in Python than in C.
>
> Sure, but where does the API in amkCrypto restrict you to using
> C as implementation language ?

My point is that I want to use Python.  Only a few things need
to be in C.


--Bryan
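
Added example, not part of the original message and not code from amkCrypto, mxCrypto or OpenSSL: a sketch of the API shape argued for above, where CBC is written once in Python and accepts any cipher object passed to it. The names `ToyFeistel`, `cbc_encrypt`, `cbc_decrypt` and the `block_size` / `encrypt_block` / `decrypt_block` interface are hypothetical, and the cipher is a constructed stand-in for "my new block cipher", not a vetted algorithm.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyFeistel:
    """Hypothetical stand-in cipher: 4-round Feistel with a SHA-256 round function."""
    block_size = 16

    def __init__(self, key: bytes):
        self._rks = [hashlib.sha256(key + bytes([i])).digest() for i in range(4)]

    def _f(self, rk: bytes, half: bytes) -> bytes:
        return hashlib.sha256(rk + half).digest()[:8]

    def encrypt_block(self, b: bytes) -> bytes:
        left, right = b[:8], b[8:]
        for rk in self._rks:
            left, right = right, xor(left, self._f(rk, right))
        return left + right

    def decrypt_block(self, b: bytes) -> bytes:
        left, right = b[:8], b[8:]
        for rk in reversed(self._rks):
            left, right = xor(right, self._f(rk, left)), left
        return left + right


def cbc_encrypt(cipher, iv: bytes, plaintext: bytes) -> bytes:
    n = cipher.block_size
    pad = n - len(plaintext) % n              # PKCS#7-style padding, always added
    data, prev, out = plaintext + bytes([pad]) * pad, iv, b""
    for i in range(0, len(data), n):
        prev = cipher.encrypt_block(xor(data[i:i + n], prev))
        out += prev
    return out


def cbc_decrypt(cipher, iv: bytes, ciphertext: bytes) -> bytes:
    n = cipher.block_size
    if len(iv) != n or not ciphertext or len(ciphertext) % n:
        raise ValueError("IV and ciphertext must be whole blocks")
    prev, out = iv, b""
    for i in range(0, len(ciphertext), n):
        out += xor(cipher.decrypt_block(ciphertext[i:i + n]), prev)
        prev = ciphertext[i:i + n]
    return out[:-out[-1]]                     # strip padding; unauthenticated sketch
```

The mode functions never look inside the cipher, so a C-backed or hardware-backed object with the same three attributes can be passed in unchanged. The sketch carries no integrity check; a protocol built on it would need a MAC over the ciphertext.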


