Python SHA-based encryption function, new version

Richard Parker richard at electrophobia.com
Sat May 11 16:46:48 EDT 2002


Paul Rubin at phr-n2002a at nightsong.com wrote on 5/6/02 3:10 AM:
> Revision 1.15 is now up and has the correct fix.  It also portably
> incorporates the process ID into the nonce, on systems that support
> os.getpid; Unix and Windows are among these.  Thanks to Alex Martelli
> for this suggestion.  There are probably still bizarre conditions
> under which you can re-use a nonce even on those systems, but you'll
> have to work pretty hard at it now.
> 
> The URL again is <http://www.nightsong.com/phr/crypto/p2.py>.

Revision 1.15 appears to have a bug in p2_encrypt - the call to _hmac
appears to be using the ciphertext as the HMAC key and the authentication
key as the message.  This can't have been what you intended, right?  As it
stands it is insecure.

-Richard
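
Why the argument order matters, as an added example (not code from p2.py or from either poster): it uses Python's standard `hmac` module with SHA-1 in place of the module's own `_hmac` helper, and the key and ciphertext values are constructed. With the ciphertext in the key position, HMAC's key normalisation (short keys zero-padded, long keys hashed) lets an altered ciphertext keep the same tag; with the secret key in the key position, the same check accepts nothing.

```python
import hashlib
import hmac

# Constructed sample values, not taken from p2.py.
AUTH_KEY = b"constructed-authentication-key"
SHORT_CT = bytes(range(16))    # ciphertext shorter than the SHA-1 block (64 bytes)
LONG_CT = bytes(range(100))    # ciphertext longer than the SHA-1 block


def tag_correct(auth_key, ciphertext):
    """Secret authentication key as HMAC key, ciphertext as message."""
    return hmac.new(auth_key, ciphertext, hashlib.sha1).digest()


def tag_swapped(auth_key, ciphertext):
    """Order described in the post: ciphertext as key, auth key as message."""
    return hmac.new(ciphertext, auth_key, hashlib.sha1).digest()


def key_equivalent_forms(data):
    """Byte strings that differ from `data` but normalise to the same HMAC key
    (RFC 2104: short keys are zero-padded, long keys are hashed first)."""
    block = hashlib.sha1().block_size
    forms = []
    if len(data) < block:
        forms.append(data + b"\x00")
    if len(data) > block:
        forms.append(hashlib.sha1(data).digest())
    return forms


def altered_ciphertexts_accepted(tag_fn, auth_key, ciphertext):
    """Count altered ciphertexts that still verify against the original tag.
    A sound MAC construction must return 0."""
    tag = tag_fn(auth_key, ciphertext)
    return sum(
        hmac.compare_digest(tag_fn(auth_key, altered), tag)
        for altered in key_equivalent_forms(ciphertext)
    )


if __name__ == "__main__":
    for name, fn in (("correct", tag_correct), ("swapped", tag_swapped)):
        for ct in (SHORT_CT, LONG_CT):
            n = altered_ciphertexts_accepted(fn, AUTH_KEY, ct)
            print(f"{name:8s} len={len(ct):3d} altered ciphertexts accepted: {n}")
```

The `altered_ciphertexts_accepted` check can be kept as a regression test around any encrypt-then-MAC routine: it must stay at zero for every ciphertext length.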



