[Freeipa-devel] [PATCH 0014] [py3] Replace M2Crypto RC4 with python-cryptography ARC4
Christian Heimes
cheimes at redhat.com
Thu Jul 23 09:16:20 UTC 2015
On 2015-07-23 11:06, Alexander Bokovoy wrote:
> On Thu, 23 Jul 2015, Christian Heimes wrote:
>> This patch removes the dependency on M2Crypto in favor for cryptography.
>> Cryptography is more strict about the key size and doesn't support
>> non-standard key sizes:
>>
>>>>> from M2Crypto import RC4
>>>>> from ipaserver.dcerpc import arcfour_encrypt
>>>>> RC4.RC4(b'key').update(b'data')
>> 'o\r@\x8c'
>>>>> arcfour_encrypt(b'key', b'data')
>> Traceback (most recent call last):
>> ...
>> ValueError: Invalid key size (24) for RC4.
>>
>> Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>>
>>>>> arcfour_encrypt(b'key12', b'data')
>> '\xcd\xf80d'
>>>>> RC4.RC4(b'key12').update(b'data')
>> '\xcd\xf80d'
> Note that we are using NTLMv2 or Kerberos user session keys which are
> 128 bit long in this context.
>
> And please rework the spec file change as Honza noted.
Thanks for the feedback regarding the key size, 128bit works.
Is RC4 really the only supported algorithm for session keys? RC4 is
insecure, especially the first few bytes have a high bias. It may not be
much of an issue for short-lived session keys, though.
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150723/9f4c8c80/attachment.sig>
More information about the Freeipa-devel
mailing list