oscrypto Documentation

oscrypto is a library that exposes cryptography primitives from the host operating system. It is broken down into a few different submodules:

| Submodule | Functionality |
| --- | --- |
| oscrypto | Configuration and information about backend |
| oscrypto.symmetric | AES, Triple DES, DES, RC2 and RC4 encryption |
| oscrypto.asymmetric | RSA, DSA and EC-key signing and verification, RSA encryption |
| oscrypto.kdf | PBKDF2, PBKDF1 and PKCS#12 key derivation functions |
| oscrypto.keys | Certificate, public key and private key loading, parsing and normalization |
| oscrypto.tls | TLSv1.x socket wrappers utilizing OS trust store and modern cipher suites |
| oscrypto.trust_list | CA certificate list export from the OS trust store |
| oscrypto.util | Random byte generation, constant time string comparison |

Many of the supported ciphers and hashes are not necessarily modern, and should primarily be used for integration with legacy systems. For modern cryptography, please see Modern Cryptography.

Modern Cryptography

A good place to get an overview of the correct tools to use for modern cryptography is (Updated) Cryptographic Right Answers by Thomas Ptacek.

In short, you probably want to be using NaCl by Daniel J. Bernstein (DJB) - he is a very accomplished cryptographer. Using scrypt by Colin Percival for password hashing is a good idea. Here are some libraries for Python that may be useful:

Thomas's recommendations are an alternative, slightly-updated version of Cryptographic Right Answers by Colin Percival. Colin's contain recommendations that may be a little more accessible, using things like RSA PSS for signing, RSA OAEP for encryption, scrypt or PBKDF2 for password hashing, and AES CTR with HMAC for symmetric encryption.
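The PBKDF2 password-hashing recommendation above, combined with the random-salt and constant-time-comparison primitives listed for oscrypto.util, as an added example that is not part of oscrypto or its documentation. It uses Python's standard library (hashlib, hmac, secrets) as a stand-in rather than oscrypto's own API; the record format, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example; tune ITERATIONS to your hardware.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2$<hash>$<iterations>$<salt>$<key>."""
    salt = secrets.token_bytes(SALT_LEN)  # CSPRNG output, fresh salt per password
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                              salt, iterations, KEY_LEN)
    return "$".join(["pbkdf2", ALGORITHM, str(iterations), salt.hex(), key.hex()])


def _parse(record):
    """Split a stored record into (iterations, salt, key); ValueError if malformed."""
    scheme, algorithm, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2" or algorithm != ALGORITHM:
        raise ValueError("unsupported scheme or hash")
    iterations = int(iterations)
    salt, key = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    if iterations < 1 or not key:
        raise ValueError("bad parameters")
    return iterations, salt, key


def verify_password(password, record):
    """Recompute the key with the stored parameters and compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                 salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)  # avoids a timing side channel


def needs_rehash(record):
    """True when a record is malformed or uses fewer iterations than current policy."""
    try:
        return _parse(record)[0] < ITERATIONS
    except ValueError:
        return True
```

Storing the parameters inside the record lets the iteration count be raised later: verify against the stored values, then re-hash at login when `needs_rehash` returns true.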

Learning

Before using oscrypto, you should know a bit about cryptography, and how to safely use the primitives. If you don't, you could very likely utilize them in an unsafe way, resulting in exposure of confidential information, including secret keys, encrypted data, and more.

Here are some topics worth learning about:

  • Block ciphers (AES, Triple DES (2-key and 3-key), DES, RC2)
  • Weak block ciphers (Triple DES 2-key, DES, RC2)
  • Block cipher padding (PKCS#7 and PKCS#5)
  • Block cipher padding oracle attacks
  • Block cipher modes of operation (CBC, ECB, CFB, OFB, CTR)
  • Block cipher modes to avoid (ECB)
  • Nonce reuse in CTR-mode
  • Authenticated encryption (AEAD, EtM, MtE, E&M)
  • Authenticated block cipher modes (GCM, CCM)
  • Stream ciphers (RC4)
  • Hashing (MD5, SHA1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256))
  • Weak hashes (MD5, SHA1)
  • Length extension attacks (MD5, SHA1, SHA-256, SHA-512)
  • HMAC
  • Cryptographically random numbers
  • RSA key sizes (1024, 2048, 3072, 4096)
  • DSA key sizes and hash algorithms
    • SHA1/1024
    • SHA1/2048 (non-standard)
    • SHA-2/2048
    • SHA-2/3072
  • Elliptic curve (EC) keys and named curves
    • P-192 / secp192r1 / prime192v1
    • P-224 / secp224r1
    • P-256 / secp256r1 / prime256v1
    • P-384 / secp384r1
    • P-521 / secp521r1
  • RSA signature padding (PKCS#1 v1.5 and PSS)
  • RSA encryption padding (PKCS#1 v1.5 and OAEP)
  • Weak RSA signature/encryption padding (PKCS#1 v1.5)
  • Timing attacks

Some sources to learn more about cryptography: