SlideShare a Scribd company logo

State of Crypto in Python

J
jarito030506

The document discusses the creation of a new cryptographic library for Python to address issues with existing libraries like lack of maintenance, poor implementations, and insufficient high-level APIs. It outlines the vision of a comprehensive cryptographic standard library with various supported algorithms and multi-backend support, emphasizing the collaboration of numerous contributors. Future work includes enhancements for asymmetric key loading, DSA signing, and support for modern cryptographic standards.

Software
1 of 15
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
StateofcryptoinPythonA library created by people who make poor life choices.
WhatDoWeWant Algorithm support Open Source MAINTAINED & Tested Python Support Trust
WHyc? All major cryptographic libraries are currently implemented in a low level language, mostly C or C++. Reviewed Code Several C libraries have been sponsored through the review process for professional crypto review including various compliances that some customers care about. Future possibilities There are some exciting options for future work in the crypto space with languages like Rust / Go. Unfortunately, these aren’t usable from Python right now. Timing / Memory Attacks These attacks relate to exploiting timing differentials or securely wiping memory. They are difficult or impossible to remediate without the low level control exposed by C. Existing Code Writing good crypto code is hard. Most existing libraries have a long history including significant bug-fixing / research.
StateofC OSS X-Platform Maintained Ubiquitous Std. Algorithms FIPS OpenSSL NSS NaCl Botan CommonCrypto MS CSP Libgcrypt
StateOfPython Backend Maintained Python Support Reviewed Completeness m2crypto openssl recently active pypy with patch, no py3 no openssl swig pycrypto bespoke low no pypy no no AEAD (without alpha) pyopenssl openssl* yes yes (with crypto) no Thin openssl bindings python-nss NSS low unknown no exposes most of NSS botan botan yes py3, maybe pypy no exposes most of botan Most of these libraries require / assume the user understands how to use the underlying C library correctly.
Do we need another Python library?
Why a new crypto library for Python? •  Lack of maintenance. •  Use of poor implementations of algorithms (i.e. ones with known side-channel attacks). •  Lack of high level, “Cryptography for humans”, APIs. •  Absence of algorithms such as AES-GCM and HKDF. •  Poor introspectability, and thus poor testability. •  Extremely error prone APIs, and bad defaults. •  Lack of PyPy and Python 3 support. Introducing cryptography Grandiose Vision: A cryptographic standard library for Python.
ourPeople Alex Gaynor (Alex_gaynor) Paul Kehrer (reaperhulk) David Reid (dreid) Alex Stapleton (alexs) Aryx, Jarret Raim (jraim), Donald Stufft (dstufft), cyli, Mohammed Attia (skeuomorf), Jean-Paul Calderone (exarkun), Hynek Schlawack (hynek), Julian Krause (juliankrause), Richard Wall (wallrj), Matt Iverson (lvoz), Chris Glass (chrisglass), Laurens Van Houtven (lvh), Konstantinos Koukopoulos (kouk), koobs, Christian Heimes (tiran), fedor-brunner, Kyle Kelley (rgbkrk), jgiannuzzi, manuels, Wouter Bolsterlee (wbolster), Arturo Filasto (hellais), Stephen Holsapple (sholsapp), Marcin Wielgoszewski (mwielgoszewshi), Jay Parlar (parlarjb)
TheStructure Bindings Hazmat Recipes
Backends OpenSSL Our primary (and only guaranteed) backend. We don’t currently package OpenSSL to allow for flexibility for package maintainers. Common Crypto Available on OS X and iOS, this is the preferred backend on OS X. Apple has decided not to ship newer version of OpenSSL, leaving developers with a old version lacking modern algorithms. Cryptography is designed around the concept of backends. Each backend implements a set of defined interfaces. This allows us to implement a backend for each C library and exchange them transparently. MULTIBACKEND This meta-backend allows composition and prioritization of multiple backends. This creates a superset of operations in Python, isolating the developer from variations in C libraries. Moar! Any C backend can be included. We have spoken with many of the C library maintainers about writing a backend for cryptography.
Tests per run Testify 66,144 500+ Million tests per week 77 Runs per build 5,093,088 Tests per build 15 Builds per day 45 Documentation runs per day
currentSupport Symmetric Currently support a variety of common ciphers such as AES, Camellia, 3DES, CAST5, etc. Most non-patent encumbered block cipher modes are also supported. HMAC HMAC using any supported hash algorithm. Supports constant time verification. Key Derivation Functions PBKDF2HMAC, HKDF One Time Password TOTP, HOTP RSA SIGNING AND VERIFICATION Supports PKCS#1 v1.5 padding and Probabilistic Signature Scheme (using MGF1 with user-definable hash) fernet A high level recipe designed to provide easy to use authenticated encryption. ??? Any C backend can be included. We have had preliminary talks with various maintainers about moving into cryptography and PyOpenSSL 0.14+ depends on our project.
LetsReview Algorithm support Open Source MAINTAINED & Tested Python Support Multi-Backend & Openssl Apache 2 500+ Million Tests 30+ contributors 2.6, 2.7, 3.2, 3.3, 3.4, & pypy
FutureWork DSA signing/verification Defaulting to deterministic k Asymmetric Key loading PKCS1, PKCS8, JWK RSA Encryption/Decryption PKCS1 v1.5, OAEP X509/TLS? Proper hostname validation, TLS 1.2, modern ciphersuites Less Common Symmetric Primitives Chacha20, Salsa20 Github github.com/pyca/cryptography Website cryptography.io Install pip install cryptography
~ fin ~

More Related Content

PDF
State of Crypto in Python (OSCON)
jarito030506
 
PDF
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
RootedCON
 
PDF
Hacking the Gateways
Onur Alanbel
 
PDF
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
inaz2
 
PDF
The Postmodern Binary Analysis
Onur Alanbel
 
PPTX
Hacking Blind
NikitaAndhale
 
ODP
Are you using an opensource library? There's a good chance you are vulnerable...
Codemotion
 
PDF
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
inaz2
 
State of Crypto in Python (OSCON)
jarito030506
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
RootedCON
 
Hacking the Gateways
Onur Alanbel
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
inaz2
 
The Postmodern Binary Analysis
Onur Alanbel
 
Hacking Blind
NikitaAndhale
 
Are you using an opensource library? There's a good chance you are vulnerable...
Codemotion
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
inaz2
 

Similar to State of Crypto in Python (20)

PDF
Unknown features of PHP
squid_zce
 
PDF
OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Foundation
 
PPTX
How Python Empowers Ethical Hackers by Supriya Kumar Mitra
null - The Open Security Community
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PPTX
Blazingly-Fast:Introduction to Apache Fury Serialization
shawnckyang
 
PDF
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
AswathRangaraj1
 
PPTX
EclipseOMRBuildingBlocks4Polyglot_TURBO18
Xiaoli Liang
 
PPTX
A deep dive into python and it's position in the programming landscape.pptx
Murugan Murugan
 
PDF
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
PPTX
Introduction Apache Kafka
Joe Stein
 
PDF
REST in Peace. Long live gRPC!
QAware GmbH
 
PPTX
Return oriented programming (ROP)
Pipat Methavanitpong
 
PPTX
The Veil-Framework
VeilFramework
 
PDF
MPLAB® Harmony Ecosystem
Design World
 
PPTX
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache Accumulo
Joe Stein
 
PPTX
Accumulo Summit 2015: Real-Time Distributed and Reactive Systems with Apache ...
Accumulo Summit
 
PDF
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
StreamNative
 
PDF
"Making OpenCV Code Run Fast," a Presentation from Intel
Edge AI and Vision Alliance
 
PDF
AV Evasion with the Veil Framework
VeilFramework
 
PPTX
Rust Hack
Viral Parmar
 
Unknown features of PHP
squid_zce
 
OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Foundation
 
How Python Empowers Ethical Hackers by Supriya Kumar Mitra
null - The Open Security Community
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Blazingly-Fast:Introduction to Apache Fury Serialization
shawnckyang
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
AswathRangaraj1
 
EclipseOMRBuildingBlocks4Polyglot_TURBO18
Xiaoli Liang
 
A deep dive into python and it's position in the programming landscape.pptx
Murugan Murugan
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
Introduction Apache Kafka
Joe Stein
 
REST in Peace. Long live gRPC!
QAware GmbH
 
Return oriented programming (ROP)
Pipat Methavanitpong
 
The Veil-Framework
VeilFramework
 
MPLAB® Harmony Ecosystem
Design World
 
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache Accumulo
Joe Stein
 
Accumulo Summit 2015: Real-Time Distributed and Reactive Systems with Apache ...
Accumulo Summit
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
StreamNative
 
"Making OpenCV Code Run Fast," a Presentation from Intel
Edge AI and Vision Alliance
 
AV Evasion with the Veil Framework
VeilFramework
 
Rust Hack
Viral Parmar
 
Ad

Recently uploaded (20)

PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
System and Network Administration Chapter 2
jaramharo
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
AI in Product Development-omnex systems
omnex systems
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
System and Network Administration Chapter 2
jaramharo
 
Ad

State of Crypto in Python

  • 1. StateofcryptoinPythonA library created by people who make poor life choices.
  • 2. WhatDoWeWant Algorithm support Open Source MAINTAINED & Tested Python Support Trust
  • 3. WHyc? All major cryptographic libraries are currently implemented in a low level language, mostly C or C++. Reviewed Code Several C libraries have been sponsored through the review process for professional crypto review including various compliances that some customers care about. Future possibilities There are some exciting options for future work in the crypto space with languages like Rust / Go. Unfortunately, these aren’t usable from Python right now. Timing / Memory Attacks These attacks relate to exploiting timing differentials or securely wiping memory. They are difficult or impossible to remediate without the low level control exposed by C. Existing Code Writing good crypto code is hard. Most existing libraries have a long history including significant bug-fixing / research.
  • 4. StateofC OSS X-Platform Maintained Ubiquitous Std. Algorithms FIPS OpenSSL NSS NaCl Botan CommonCrypto MS CSP Libgcrypt
  • 5. StateOfPython Backend Maintained Python Support Reviewed Completeness m2crypto openssl recently active pypy with patch, no py3 no openssl swig pycrypto bespoke low no pypy no no AEAD (without alpha) pyopenssl openssl* yes yes (with crypto) no Thin openssl bindings python-nss NSS low unknown no exposes most of NSS botan botan yes py3, maybe pypy no exposes most of botan Most of these libraries require / assume the user understands how to use the underlying C library correctly.
  • 6. Do we need another Python library?
  • 7. Why a new crypto library for Python? •  Lack of maintenance. •  Use of poor implementations of algorithms (i.e. ones with known side-channel attacks). •  Lack of high level, “Cryptography for humans”, APIs. •  Absence of algorithms such as AES-GCM and HKDF. •  Poor introspectability, and thus poor testability. •  Extremely error prone APIs, and bad defaults. •  Lack of PyPy and Python 3 support. Introducing cryptography Grandiose Vision: A cryptographic standard library for Python.
  • 8. ourPeople Alex Gaynor (Alex_gaynor) Paul Kehrer (reaperhulk) David Reid (dreid) Alex Stapleton (alexs) Aryx, Jarret Raim (jraim), Donald Stufft (dstufft), cyli, Mohammed Attia (skeuomorf), Jean-Paul Calderone (exarkun), Hynek Schlawack (hynek), Julian Krause (juliankrause), Richard Wall (wallrj), Matt Iverson (lvoz), Chris Glass (chrisglass), Laurens Van Houtven (lvh), Konstantinos Koukopoulos (kouk), koobs, Christian Heimes (tiran), fedor-brunner, Kyle Kelley (rgbkrk), jgiannuzzi, manuels, Wouter Bolsterlee (wbolster), Arturo Filasto (hellais), Stephen Holsapple (sholsapp), Marcin Wielgoszewski (mwielgoszewshi), Jay Parlar (parlarjb)
  • 10. Backends OpenSSL Our primary (and only guaranteed) backend. We don’t currently package OpenSSL to allow for flexibility for package maintainers. Common Crypto Available on OS X and iOS, this is the preferred backend on OS X. Apple has decided not to ship newer version of OpenSSL, leaving developers with a old version lacking modern algorithms. Cryptography is designed around the concept of backends. Each backend implements a set of defined interfaces. This allows us to implement a backend for each C library and exchange them transparently. MULTIBACKEND This meta-backend allows composition and prioritization of multiple backends. This creates a superset of operations in Python, isolating the developer from variations in C libraries. Moar! Any C backend can be included. We have spoken with many of the C library maintainers about writing a backend for cryptography.
  • 11. Tests per run Testify 66,144 500+ Million tests per week 77 Runs per build 5,093,088 Tests per build 15 Builds per day 45 Documentation runs per day
  • 12. currentSupport Symmetric Currently support a variety of common ciphers such as AES, Camellia, 3DES, CAST5, etc. Most non-patent encumbered block cipher modes are also supported. HMAC HMAC using any supported hash algorithm. Supports constant time verification. Key Derivation Functions PBKDF2HMAC, HKDF One Time Password TOTP, HOTP RSA SIGNING AND VERIFICATION Supports PKCS#1 v1.5 padding and Probabilistic Signature Scheme (using MGF1 with user-definable hash) fernet A high level recipe designed to provide easy to use authenticated encryption. ??? Any C backend can be included. We have had preliminary talks with various maintainers about moving into cryptography and PyOpenSSL 0.14+ depends on our project.
  • 13. LetsReview Algorithm support Open Source MAINTAINED & Tested Python Support Multi-Backend & Openssl Apache 2 500+ Million Tests 30+ contributors 2.6, 2.7, 3.2, 3.3, 3.4, & pypy
  • 14. FutureWork DSA signing/verification Defaulting to deterministic k Asymmetric Key loading PKCS1, PKCS8, JWK RSA Encryption/Decryption PKCS1 v1.5, OAEP X509/TLS? Proper hostname validation, TLS 1.2, modern ciphersuites Less Common Symmetric Primitives Chacha20, Salsa20 Github github.com/pyca/cryptography Website cryptography.io Install pip install cryptography