Comments (8)
Thanks a lot for the notice, that's greatly appreciated.
To give some context, I was also planning to use those two functions in an upcoming PR (#4214).
Because we are a networking library, and network is old, we have some use cases where we want to be able to use and access old and obsolete cryptography algorithms that are still used in the real world in legacy applications. Most of those are still present in OpenSSL but not exported/accessible by cryptography, which is why we were using the already pretty great internal cryptography bindings. Do you know if it will still be possible to achieve a similar result after the change?
As an example, DES-CBC, which is of course completely obsolete, is still supported by MIT Kerberos servers, Heimdal (in samba or without) (and Windows) and it is therefore currently still present in OpenSSL (through legacy providers, if not by default). It is useful for us to have access to it, for the sake of testing legacy products or servers and/or for offensive purposes, etc.
I understand cryptography is aiming not to spread the usage of those legacy algorithms, but it would be really nice for our use case if there was some sort of undocumented way to still use cryptography in those use cases. Our alternatives are not great: in addition of using cryptography for most usages, to support those crappy legacy algorithms we would have to either use PyCryptodome (which is in a terrible state compared to cryptography), other OpenSSL bindings (which is far more annoying, and a bit too bad considering the work already put into cryptography's ones) or pack a custom Python implementation of those algorithms (which we already do for MD4 for instance, and is by far the worse option).
Sorry for the long post.
from scapy.
In the specific case of DES, you can do this with cryptography using TripleDES
-- TripleDES behaves the same as single DES for the case of a small key.
For the case here of RC2, I think we'd be willing to add a module for "super bad legacy stuff you should never use" that contains it.
Are there other cases we should consider?
from scapy.
The decrepit
module probably is where we'd eventually move the ciphers we currently have marked as deprecated (CAST5, IDEA, SEED, et al).
from scapy.
I think we'd be willing to add a module for "super bad legacy stuff you should never use" that contains it.
That would work great in our case, thanks a lot. I don't currently have any other case in mind, but having a "bad legacy module" would allow us to PR "easily" if we ever get the case, which sounds good.
The
decrepit
module probably is where we'd eventually move the ciphers we currently have marked as deprecated
That's great to know, it would also work great for us, as long as they remain somewhere.
In the specific case of DES, you can do this with cryptography using TripleDES
I for some reason thought TripleDES
would enforce a 112/168 key length, but it indeed appears 56 is also usable. Tested it and it works great, thanks a lot for the tip.
from scapy.
@gpotter2 I've been looking at this a bit more and RC2 is...quite an algorithm. It looks like you only currently implement/test against RC2-128, although you have an unused RC2_40_CBC class. Would it be enough if we gave you RC2-128 only (no alternate key sizes, no effective key bits support), or do you want/need RC2-40 (or RC2-64 for that matter)? And, if you need those, do you need the concept of effective key bits? If so, can we constrain the set of allowable values to something more than the sum of all possible permutations?
from scapy.
Hi @reaperhulk. I believe that we only use RC2 in context of the TLS/SSL ciphers, in which case only the RC2-128 version is used. When the 40bits-key is used (in 'EXPORT' ciphers), it is first derived into 128 bits with a TLS-specific process (that varies depending on whether RC2 is used with SSLv2, SSLv3 or TLS 1.0) that we implement, so there's no need to add support for the per-RC2-spec effective key bits and/or variable lengths.
This class is poorly named, it would have been much more obvious with its actual per-spec name: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
from scapy.
Okay, then I think we'll land something that enables RC2-128-CBC only and then I'll send a PR that tries to import from the new namespace and falls back to your current patch method for older versions of cryptography 😄
from scapy.
Sounds great, thanks a lot ! If you need help with the PR please let me know.
from scapy.
Related Issues (20)
- Failed to build docs HOT 3
- Compressed DNS packets can become malformed if they are edited without calling `clear_cache` first HOT 1
- scapy ARP issues HOT 4
- The conf.iface config will be clear once IP() along with Ether() HOT 1
- Build function for ecdsa in ASN1F_OCSP_BasicResponse faulty HOT 5
- Creating building a HTTP package returns an empty byte object HOT 1
- Setting bytes of OCSP_ResponseData() causes BER_decoding_Error when OCSPResponse status is revoked HOT 2
- Support P4.org In-band Network Telemetry (INT) HOT 1
- Support In-situ Operation Administration and Maintenance (IOAM) HOT 1
- Support Inband Flow Analyzer (IFA) HOT 1
- scapy does not support cryptography modules past cryptography 41.0.7 HOT 1
- PicklingError when saving a session HOT 1
- Adding extensions in TLSClientHello not possible
- Regarding warning Unknown crypto suite from ClientMasterKey HOT 4
- someip-sd layer issue with method_id and service_id HOT 1
- README notes support for python3.9, but release 2.5.0 notes support also for 3.10 HOT 1
- WARNING: No route found for IPv6 destination ff02::1 (no default route?) for Android HOT 1
- The "Ticketer++ - Call show()" test seems to fail with non-UTC timezones HOT 1
- Counter64 missing for ASN1 and BER
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from scapy.