[Botan-devel] Caching derived keys

Jack Lloyd lloyd at randombit.net
Tue Feb 17 14:29:05 EST 2009


On Tue, Feb 17, 2009 at 08:14:21AM +0000, Magnus Therning wrote:
> As you can guess I am now caching the *clear-text password* rather than
> the derived key/iv.  The na??ve approach of caching the
> SecureVector<Byte> instances failed on what I presume basically is a
> double-free since the Pipe takes ownership.

There should not be a double-free for that since the Pipe will make a
copy of those arguments (it does take ownership of Filter*s that are
passed to it, but that is all). (Actually it does not even copy the
key vector, rather the AES object turns it from 16 or 32 bytes into an
AES key schedule).

I've attached a modified version of your code, with these differences

- Split into two objects Encryptor and Decryptor (this makes some of
  the other changes easier). Encryptor's constructor just takes the
  pass, while Decryptor takes the pass plus the salt that was
  generated by the Encryptor (so it can regen the key). So the PBKDF2
  routines, AES key schedule, etc are only done once

- The PBKDF2 derived key is cached, as are the Pipe/Filter datastructures
  and the AES key schedule.

- EAX mode (http://en.wikipedia.org/wiki/EAX_mode) is used instead of
  plain CBC. EAX mode does not require any padding, and adds a tag for
  message verification. I set it to use 80 bit tags.

- The IV is randomly generated and included at the beginning of each
  message. I set this to 128 bits, however if you are worried about
  message expansion this can be reduced. Also, EAX has the nice
  property that any string can be used as the IV (arbitrary length,
  doesn't have to be random) - the only requirement is that it never
  duplicate. So if you have some convenient way of associating each
  message with a unique identifier in your application, you could
  modifiy encrypt and decrypt to take these identifiers along with the
  message and use them as the IV.

- Instead of returning a tuple, encrypt just returns a single string,
  similarly decrypt accepts just a single string.

Calling the module pycrypto was probably not the best choice but it is
easily renamed of course.

Hope this helps,
 Jack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pycrypto.h
Type: text/x-chdr
Size: 1198 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20090217/abbf3d19/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pycrypto.cpp
Type: text/x-c++src
Size: 2553 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20090217/abbf3d19/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.py
Type: text/x-python
Size: 261 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20090217/abbf3d19/attachment.py>


More information about the botan-devel mailing list