Comments (3)
AES has always been one of the worst encryption options available in EJTP, because there is no good fit in terms of cipher algorithm. The reason is that the EJTP frame model is extremely stateless. Frames can arrive in any order, at any time, and under bad network conditions some frames will drop. It's like encrypted UDP. You can use EJForward to handle retransmission, but you still have the order problem, and the fact that we don't track cipher stream state for anything.
Every frame is distinctly encrypted and has to be able to stand alone.
This is a bitch for getting stream encryption advantages, but I don't think it's impossible. There should theoretically be some efficient way to include ephemeral IV data at the head of every encrypted string. If you have any advice on how we would do this, given the constraints of the frame model's UDP-like nature, please let me know. It's something that's kind of been sitting stagnant, waiting for someone to come along who knows what he's doing.
from ejtp-lib-python.
Well, the usual method is this:
- Generate a random IV for each message from os.urandom()
- Encrypt the plaintext with the encryption key and IV in CBC mode.
- Append a timestamp and the IV to the ciphertext. (You can check this timestamp later to mitigate replay attacks.)
- Compute the HMAC of the ciphertext, IV, and timestamp with the hashing key.
- Append the HMAC to the message. Send it out!
- When the receiver gets the message, it first checks the HMAC, then the timestamp, then decrypts the message, then parses the JSON. Be sure to use a constant-time string comparison for the HMAC check.
The alternate method, which I would highly recommend, is to use PyNaCl. It does everything I just said, but better, and the API is super-easy.
from ejtp-lib-python.
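The framing and verification steps of the procedure above (timestamp and IV appended to the ciphertext, HMAC over all three, HMAC checked before the timestamp), as an added example that is not part of the thread or of ejtp-lib-python. The AES-CBC call itself is left to a cipher library; the trailer layout, the `seal`/`open_frame` names, HMAC-SHA256 and the 30-second window are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

IV_LEN, TS_LEN, TAG_LEN = 16, 8, 32   # AES block, uint64 seconds, SHA-256 tag
TRAILER = TS_LEN + IV_LEN
MAX_AGE = 30                          # assumed freshness window, in seconds


class FrameError(Exception):
    """Frame failed the authentication or freshness check."""


def seal(mac_key, iv, ciphertext, now=None):
    """Build ciphertext || timestamp || IV || HMAC for one stand-alone frame."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be one AES block")
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    body = ciphertext + ts + iv
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_frame(mac_key, frame, now=None, max_age=MAX_AGE):
    """Check the HMAC, then the timestamp; return (iv, ciphertext) to decrypt."""
    if len(frame) < TRAILER + TAG_LEN:
        raise FrameError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise FrameError("bad HMAC")
    ciphertext = body[:-TRAILER]
    ts, iv = body[-TRAILER:-IV_LEN], body[-IV_LEN:]
    (sent,) = struct.unpack(">Q", ts)
    now = time.time() if now is None else now
    if abs(now - sent) > max_age:
        raise FrameError("stale or future-dated frame")
    return iv, ciphertext


if __name__ == "__main__":
    mac_key = os.urandom(32)   # hashing key, kept separate from the AES key
    iv = os.urandom(IV_LEN)    # fresh IV for every frame
    ct = bytes(32)             # constructed stand-in for AES-CBC output
    frame = seal(mac_key, iv, ct)
    print(len(frame), open_frame(mac_key, frame) == (iv, ct))
```

Because the IV and timestamp travel inside each frame, frames verify in any order and a dropped frame affects no other. The window only bounds how long a captured frame stays replayable; rejecting exact duplicates inside it would need a set of recently seen tags, which this sketch omits.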
Thank you very much for the rundown! It looks like PyNaCl is somewhat picky about what algorithms are currently available, so no AES, but this doesn't seem too onerous to do manually, especially thanks to the hmac module (which is arguably the most complex part of the dance).
The only part that worries me, of course, is timestamp persistence. Where that data is stored, how long, etc. On its own, EJTP intentionally only uses volatile memory (RAM), except to load identity data from cache files (which are not good candidates for storing hundreds or thousands of timestamps per identity). If we can solve that issue, we can finally move forward and make AES worth using.
from ejtp-lib-python.