Classes

BlockAlgo: Class modelling an abstract block cipher.

Variables

MODE_ECB = 1: Electronic Code Book (ECB).
MODE_CBC = 2: Cipher-Block Chaining (CBC).
MODE_CFB = 3: Cipher FeedBack (CFB).
MODE_PGP = 4: This mode should not be used.
MODE_OFB = 5: Output FeedBack (OFB).
MODE_CTR = 6: CounTeR (CTR).
MODE_OPENPGP = 7: OpenPGP CFB.
MODE_CCM = 8: Counter with CBC-MAC (CCM).
MODE_EAX = 9: EAX.
MODE_SIV = 10: Synthetic Initialization Vector.
MODE_GCM = 11: Galois/Counter Mode (GCM).
__package__ =

Variables Details

MODE_ECB
Electronic Code Book (ECB). This is the simplest encryption mode. Each of the plaintext blocks is directly encrypted into a ciphertext block, independently of any other block. This mode exposes the frequency of symbols in your plaintext. Other modes (e.g. CBC) should be used instead. See NIST SP800-38A, Section 6.1.

MODE_CBC
Cipher-Block Chaining (CBC). Each of the ciphertext blocks depends on the current and all previous plaintext blocks. An Initialization Vector (IV) is required. The IV is a data block to be transmitted to the receiver. The IV can be made public, but it must be authenticated by the receiver and it should be picked randomly. See NIST SP800-38A, Section 6.2.

MODE_CFB
Cipher FeedBack (CFB). This mode is similar to CBC, but it transforms the underlying block cipher into a stream cipher. Plaintext and ciphertext are processed in segments of s bits. The mode is therefore sometimes labelled s-bit CFB. An Initialization Vector (IV) is required. When encrypting, each ciphertext segment contributes to the encryption of the next plaintext segment. The IV is a data block to be transmitted to the receiver. The IV can be made public, but it should be picked randomly. Reusing the same IV for encryptions done with the same key leads to catastrophic cryptographic failures. See NIST SP800-38A, Section 6.3.

MODE_OFB
Output FeedBack (OFB). This mode is very similar to CBC, but it transforms the underlying block cipher into a stream cipher. The keystream is the iterated block encryption of an Initialization Vector (IV). The IV is a data block to be transmitted to the receiver. The IV can be made public, but it should be picked randomly. Reusing the same IV for encryptions done with the same key leads to catastrophic cryptographic failures. See NIST SP800-38A, Section 6.4.

MODE_CTR
CounTeR (CTR). This mode is very similar to ECB, in that encryption of one block is done independently of all other blocks. Unlike ECB, the block position contributes to the encryption and no information leaks about symbol frequency. Each message block is associated with a counter which must be unique across all messages that get encrypted with the same key (not just within the same message). The counter is as big as the block size. Counters can be generated in several ways. The most straightforward one is to choose an initial counter block (which can be made public, similarly to the IV for the other modes) and increment its lowest m bits by one (modulo 2^m) for each block. In most cases, m is chosen to be half the block size. Reusing the same initial counter block for encryptions done with the same key leads to catastrophic cryptographic failures. See NIST SP800-38A, Section 6.5 (for the mode) and Appendix B (for how to manage the initial counter block).

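The ECB and CTR descriptions above, as an added example that is not part of the original documentation and is not the library's code. It shows ECB repeating ciphertext blocks, CTR incrementing only the lowest m bits of the counter block, and what reusing an initial counter block under one key gives away. The helper names, the key and the sample messages are constructed, and truncated HMAC-SHA256 stands in for the block cipher (an assumption that keeps the example to the standard library).

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

def E(key, block):
    # Assumption: HMAC-SHA256 truncated to one block stands in for the
    # cipher's forward direction. It is a PRF, not a real block cipher.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # ECB: each block is encrypted on its own, so equal plaintext
    # blocks always give equal ciphertext blocks.
    return b"".join(E(key, b) for b in blocks(pt))

def ctr_crypt(key, icb, data, m=64):
    # CTR: XOR block i with E(counter_i). Only the lowest m bits of the
    # initial counter block are incremented (modulo 2^m).
    start = int.from_bytes(icb, "big")
    fixed, low = (start >> m) << m, start & ((1 << m) - 1)
    out = b""
    for i, chunk in enumerate(blocks(data)):
        counter = fixed | ((low + i) % (1 << m))
        out += xor(chunk, E(key, counter.to_bytes(BLOCK, "big")))
    return out

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    b = blocks(ct)
    return len(b) - len(set(b))

# Constructed sample data (not from the original page).
KEY = bytes(range(16))
ICB = b"\x01" * 8 + bytes(8)  # 8 fixed bytes + 64-bit counter starting at 0
P1 = b"PAY 100 TO ALICE" * 3 + b"PAY 999 TO BOBBY"
P2 = b"quarterly report: revenue is up by 12 percent, costs are flat..."

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, P1)))
    print("CTR repeated blocks:", repeated_blocks(ctr_crypt(KEY, ICB, P1)))
    c1, c2 = ctr_crypt(KEY, ICB, P1), ctr_crypt(KEY, ICB, P2)
    # Same key and same initial counter block: the keystream cancels out.
    print("c1^c2 == p1^p2:", xor(c1, c2) == xor(P1, P2))
```

The last check is why the counter must be unique across all messages under a key: with a repeated initial counter block, the XOR of two ciphertexts equals the XOR of the two plaintexts, with no key involved.
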
MODE_OPENPGP
OpenPGP CFB. This mode is a variant of CFB, and it is only used in PGP and OpenPGP applications. An Initialization Vector (IV) is required. Unlike CFB, the IV is not transmitted to the receiver. Instead, the encrypted IV is. The IV is a random data block. Two of its bytes are duplicated to act as a checksum for the correctness of the key. The encrypted IV is therefore 2 bytes longer than the clean IV.

MODE_CCM
Counter with CBC-MAC (CCM). This is an Authenticated Encryption with Associated Data (AEAD) mode. It provides both confidentiality and authenticity. The header of the message may be left in the clear, if needed, and it will still be subject to authentication. The decryption step tells the receiver if the message comes from a source that really knows the secret key. Additionally, decryption detects if any part of the message, including the header, has been modified or corrupted. This mode requires a nonce. The nonce shall never repeat for two different messages encrypted with the same key, but it does not need to be random. Note that there is a trade-off between the size of the nonce and the maximum size of a single message you can encrypt. It is important to use a large nonce if the key is reused across several messages and the nonce is chosen randomly. It is acceptable to use a short nonce if the key is only used a few times or if the nonce is taken from a counter. The following table shows the trade-off when the nonce is chosen at random. The column on the left shows how many messages it takes for the keystream to repeat on average. In practice, you will want to stop using the key well before that.
This mode is only available for ciphers that operate on 128-bit blocks (e.g. AES but not TDES). See NIST SP800-38C or RFC3610.

MODE_EAX
EAX. This is an Authenticated Encryption with Associated Data (AEAD) mode. It provides both confidentiality and authenticity. The header of the message may be left in the clear, if needed, and it will still be subject to authentication. The decryption step tells the receiver if the message comes from a source that really knows the secret key. Additionally, decryption detects if any part of the message, including the header, has been modified or corrupted. This mode requires a nonce. The nonce shall never repeat for two different messages encrypted with the same key, but it does not need to be random. This mode is only available for ciphers that operate on 64-bit or 128-bit blocks. There are no official standards defining EAX. The implementation is based on a proposal that was presented to NIST.

MODE_SIV
Synthetic Initialization Vector. This is an Authenticated Encryption with Associated Data (AEAD) mode. It provides both confidentiality and authenticity. The header of the message may be left in the clear, if needed, and it will still be subject to authentication. The decryption step tells the receiver if the message comes from a source that really knows the secret key. Additionally, decryption detects if any part of the message, including the header, has been modified or corrupted. If the data being encrypted is completely unpredictable to an adversary (e.g. a secret key, for key wrapping purposes) a nonce is not strictly required. Otherwise, a nonce has to be provided; the nonce shall never repeat for two different messages encrypted with the same key, but it does not need to be random. Unlike other AEAD modes such as CCM, EAX or GCM, accidental reuse of a nonce is not catastrophic for the confidentiality of the message. The only effect is that an attacker can tell when the same plaintext (and same associated data) is protected with the same key. The length of the MAC is fixed to the block size of the underlying cipher. The key size is twice the length of the key of the underlying cipher. This mode is only available for AES ciphers.
See RFC5297 and the original paper.

MODE_GCM
Galois/Counter Mode (GCM). This is an Authenticated Encryption with Associated Data (AEAD) mode. It provides both confidentiality and authenticity. The header of the message may be left in the clear, if needed, and it will still be subject to authentication. The decryption step tells the receiver if the message comes from a source that really knows the secret key. Additionally, decryption detects if any part of the message, including the header, has been modified or corrupted. This mode requires a nonce. The nonce shall never repeat for two different messages encrypted with the same key, but it does not need to be random. This mode is only available for ciphers that operate on 128-bit blocks (e.g. AES but not TDES). See NIST SP800-38D.

Generated by Epydoc 3.0.1 on Mon Apr 15 04:33:26 2019 | http://epydoc.sourceforge.net |