Using Rotor with password file

Colin Meeks colin at meeks.ca
Sun Feb 2 03:41:14 CET 2003


Paul Rubin <phr-n2003b at NOSPAMnightsong.com> wrote in
news:7x7kcjq05w.fsf at ruckus.brouhaha.com: 

> "James Kew" <james.kew at btinternet.com> writes:
>> > Don't use the rotor module, it is insecure.
>> 
>> This is the second time I've seen this comment recently.
>> 
>> If it's insecure, why is it in the standard library? Should it be
>> removed (as rexec and bastion will be)? Or at least deprecated (and
>> subject to a DeprecationWarning)?
> 
> I hadn't heard rexec and bastion will be removed.  In my opinion,
> rotor should be deprecated, but I don't get to decide things like
> that.
> 
> Here's a module you can use instead of rotor, based on the built-in
> SHA module:
> 
>    http://www.nightsong.com/phr/crypto/p2.py
> 
> Its security should be ok.  You'll have to edit out the date check.
> I'll get around to putting up a renamed version with the date check
> removed, but this whole approach is kind of a stopgap--I hope that
> Python's standard library will get some real cryptography soon.
> Apparently one obstacle in the past has been US export restrictions on
> crypto code, but those restrictions have eased up in recent years.

I've tried p2.py also, but get the same problem.  Here's an example of 
what I'm getting

>>> 
>>> print y # where y is a line read from the users.cfg file
['colboy', '\\xcc\\x0f\\xb0t\\xac"\\x87o\\xc8F;\\x90\\xfb\\xbf\\x7f
\\xdf"v\\xe6\\x00\\x16\\xc50%\\x11\\xe9Zc[\\xae_', '1\n']

>>> print y[1] # where y[1] is the actual encoded password
\xcc\x0f\xb0t\xac"\x87o\xc8F;\x90\xfb\xbf\x7f\xdf"v\xe6\x00\x16\xc50%\x11
\xe9Zc[\xae_

Sorry for the formatting

if I try to p2.p2_decrypt(y[1], mykey) I get the following

Traceback (most recent call last):
  File "<interactive input>", line 1, in ?
  File "p2.py", line 110, in p2_decrypt
    raise CryptError, "invalid key or ciphertext"
CryptError: invalid key or ciphertext

If I copy the password from the users,cfg file using a text editor in
place of y[1] it works.  It looks like a problem with the decoding of a 
string with "\" characters in it

Any further ideas

Colin




More information about the Python-list mailing list