Re: Looking for a security/encryption programmer for small contract

2008-02-05 Thread Francis

Let's say I use pycrypto with AES, like this.

import os
from Crypto.Cipher import AES
key = 'sixteen byte key'                 # AES accepts only 16, 24 or 32 byte keys; 'mykey' is rejected
iv = os.urandom(AES.block_size)          # fresh random 16-byte IV for every message
obj = AES.new(key, AES.MODE_CFB, iv)     # CFB needs the IV; key + IV must never repeat together
cipher = iv + obj.encrypt("Big secret")  # send the IV along with the ciphertext

Can I use the same key, or do I have to change it every time?
Would this be sufficiently secure?

Francis


On 23 jan, 11:25, Francis <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm building a web application for one of my clients with django. But
> I need to do something that I have never done before and I am somehow
> really short on time to learn it.
>
> So I am looking for someone who has experience with encryption/
> security in python. It is to be incorporated into my django app.
>
> What needs to be done:
> - Take a message, encrypt it using a secure method (should be better
> than or equal to OTP), return the encrypted message.
>
> What should be considered:
> - The user who receives the encrypted message should be able to
> decrypt it on his Windows workstation. I'm looking for existing
> software that can do the job.
>
> If you are up to the task and want to make extra money just let me
> know.
> What I want from you is:
> Your experience in the matter at hand
> If you want to make a package (fixed price) just let me know when you
> can finish it and your price.
> If you want to be paid per hour, give me a time estimate and your
> hourly rate. Plus when you can finish it.
>
> Thank you
>
> Francis
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
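The question above (same key, or change it every time?) has a concrete answer that an added example can make visible: the long-term key may be reused, but the IV must be fresh for every message, because CFB turns the block cipher into a keystream that is XORed with the plaintext, and the first keystream block depends only on key and IV. The block below is added here and is not Francis's code, pycrypto's code, or anything from the thread. Because it has to run without pycrypto, the AES block function is replaced by a keyed HMAC-SHA256 stand-in (an assumption); that keeps the CFB structure and therefore the failure mode: two messages encrypted under the same key and the same IV let anyone XOR the ciphertexts and obtain the XOR of the plaintexts for the first block. The key, IV and messages are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = hashlib.sha256().digest_size  # 32 bytes; stands in for the cipher block size (16 for AES)


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: HMAC-SHA256 keyed with the cipher key (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: keystream block i = block_fn(key, ciphertext block i-1), seeded by the IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        cblock = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += cblock
        prev = cblock
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb_encrypt: the keystream is regenerated from the previous ciphertext block."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        cblock = ciphertext[i:i + BLOCK]
        out += xor(cblock, block_fn(key, prev))
        prev = cblock
    return bytes(out)


def encrypt_message(key: bytes, plaintext: bytes) -> bytes:
    """Correct use of a long-lived key: a fresh random IV per message, shipped in front of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def decrypt_message(key: bytes, blob: bytes) -> bytes:
    """Split off the IV that encrypt_message prepended and decrypt the rest."""
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    return cfb_decrypt(key, iv, ciphertext)


def first_block_leaks(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """True when c1 XOR c2 == m1 XOR m2 on the first block, i.e. the shared keystream cancelled out."""
    c1 = cfb_encrypt(key, iv, m1)[:BLOCK]
    c2 = cfb_encrypt(key, iv, m2)[:BLOCK]
    return xor(c1, c2) == xor(m1[:BLOCK], m2[:BLOCK])


if __name__ == "__main__":
    key = os.urandom(16)                     # constructed long-term key
    m1, m2 = b"Big secret", b"Pay 1000.0"    # constructed sample messages
    reused_iv = bytes(BLOCK)                 # a fixed (here all-zero) IV reused across messages
    print("same key + same IV leaks m1 XOR m2:", first_block_leaks(key, reused_iv, m1, m2))
    a, b = encrypt_message(key, m1), encrypt_message(key, m1)
    print("same key, fresh IVs: same message gives different ciphertexts:", a != b)
    print("round trip:", decrypt_message(key, a) == m1)
```

With pycrypto the equivalent construction is AES.new(key, AES.MODE_CFB, iv) with a 16, 24 or 32 byte key and a 16-byte IV from os.urandom for each message; the key can stay the same across messages as long as no IV is ever repeated under it. The stand-in here is full-block CFB, while pycrypto's CFB defaults to 8-bit segments; the IV rule is the same for both.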



Re: Looking for a security/encryption programmer for small contract

2008-02-01 Thread Tim Chase

> Emanuele, you said: As for safety, nothing is safer than OTP, but
> are we sure that your customer
> is able to go to great lengths to distribute long key streams over a
> perfectly safe channel to the sales representatives?
> 
> Isn't the encrypted string secure?
> 
> The method to send the string can't be secure. It is sent by email.
> The point is to encrypt it on the server, send it over an insecure
> network. Then, when the sales rep receives it, he will decrypt it.

The problem is not sending the encrypted string, but getting the
decryption-key into the hands of the sales-rep so he can decrypt
the encrypted string.  And if you've solved that problem, you've
solved the "how do I get a secret to the sales rep over the
public internet?" problem.

The aforementioned problem with one-time pads is that *key*
distribution and maintenance becomes the problem.  The only thing it
does is allow you to defer transmission of an unknown secret.

Useful Scenario:  Alice and Bob are physically in the same room.
 Alice gives Bob a pad of OTPs and keeps a copy for herself.  Bob
goes to Supersekretistan where he uses the OTP to encrypt data
and send it back to Alice, then destroys the generating OTP.

Not So Useful Scenario:  Alice is at home, Bob is in
Supersekretistan.  Alice uses $METHOD to securely send Bob a pad
of OTPs, keeping a copy for herself.  As above, Bob uses the OTP
to send data back to Alice, destroying the OTP.

In the NSUS, if you've solved $METHOD, then Bob can just use
$METHOD to send the data back to Alice, and has no need for OTP[1].

$METHOD usually consists of something like public-key cryptography.

-tim

[1] The one caveat that occurs to me here is that it might be
illegal in Supersekretistan to possess encryption software, but
it might not be illegal to possess large volumes of random data
and an XOR operator :)



Re: Looking for a security/encryption programmer for small contract

2008-01-31 Thread Francis

Hi,

Thank you for all the information; it seems like you think it is easy to
do, as everyone agrees to help me for free :-)

The solution used before was to send the encrypted string in clear in an
email. It used a Perl implementation of the one-time pad.

Emanuele, you said: As for safety, nothing is safer than OTP, but
are we sure that your customer
is able to go to great lengths to distribute long key streams over a
perfectly safe channel to the sales representatives?

Isn't the encrypted string secure?

The method to send the string can't be secure. It is sent by email.
The point is to encrypt it on the server, send it over an insecure
network. Then, when the sales rep receives it, he will decrypt it.

I tried gnupg tonight. It works fine on my Mac with Thunderbird,
but my client uses Outlook (the gpg plugin is quite old), so I think I'll
have to try with python-crypto. But pycrypto needs to be compiled, and I
don't know if I can host it where I want. I'll check this out.

Thank you

Francis


On 23 jan, 11:25, Francis <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm building a web application for one of my clients with django. But
> I need to do something that I have never done before and I am somehow
> really short on time to learn it.
>
> So I am looking for someone who has experience with encryption/
> security in python. It is to be incorporated into my django app.
>
> What needs to be done:
> - Take a message, encrypt it using a secure method (should be better
> than or equal to OTP), return the encrypted message.
>
> What should be considered:
> - The user who receives the encrypted message should be able to
> decrypt it on his Windows workstation. I'm looking for existing
> software that can do the job.
>
> If you are up to the task and want to make extra money just let me
> know.
> What I want from you is:
> Your experience in the matter at hand
> If you want to make a package (fixed price) just let me know when you
> can finish it and your price.
> If you want to be paid per hour, give me a time estimate and your
> hourly rate. Plus when you can finish it.
>
> Thank you
>
> Francis



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Emanuele Pucciarelli

Dear Francis,

> Only one person (or a very limited group) will receive the encrypted
> message by email. It will hold customer information needed by the sales
> rep. So no user will have to deal with the encrypted data.
>
> Server receives customer info -> encrypts critical info -> sends email to
> sales rep.
> Sales rep decrypts the information.


If I understand your problem, I think that the best course of action is
using GPG (GNU Privacy Guard), possibly with its Python module (
http://wiki.python.org/moin/GnuPrivacyGuard). When you need to send the
critical info to the sales representative, you encrypt it and send it as an
encrypted mail message. Then, the GUI could just be Mozilla Thunderbird, or
any other OpenPGP-enabled e-mail client. This should make both server-side
implementation and client-side deployment rather easy.

As for safety, nothing is safer than OTP, but are we sure that your customer
is able to go to great lengths to distribute long key streams over a
perfectly safe channel to the sales representatives? Remember that if you
make it cheaper to get the information by breaking into your public web
server rather than eavesdropping on the connection, then you have just
switched to a different problem :)

Bye,

-- 
Emanuele



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Tim Chase

> i'll be honest, i don't know anyone who's ever used a one-time-pad 

ooh...terminology clarification:

OTP = one-time password
OTP = one-time pad

The former is a common tool used for safely logging in over an 
insecure channel (such as using S/Key when logging into my 
OpenBSD box over telnet).  They're usually 5 quads of letters 
such as "OVEN DOVE MATE SPIN FLAT" and some generation methods 
kindly use real words to make them easier to type (still leaving 
about 387 quadrillion combos for an attacker to guess based on 
4-letter words from my /usr/share/dict/words).  With a little 
preparation, I can travel with a notecard in my wallet containing 
my next 10 OTPs in case I need something non-confidential on my 
home box and only have access to telnet rather than SSH.

The latter is, as Derek notes, unbreakable without the key 
(assuming quality random data).  However, key management becomes 
unwieldy.

Which does the OP mean by "OTP"?

-tim
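Tim's one-time *password* is the S/Key style of login: the client holds a chain of hash values, the server stores only the most recently accepted one, and each login reveals the preimage of the stored value, which the server then adopts as the new stored value. The block below is an added illustration of that chain, not S/Key itself and not code from the thread; it uses SHA-256 over raw bytes where real S/Key uses a different hash and the word encoding Tim quotes ("OVEN DOVE MATE SPIN FLAT"), and the seed and chain length are constructed. It shows the defensive property that makes the scheme usable over telnet: a captured password is rejected on replay, and passwords cannot be used out of order.

```python
import hashlib
import os


def h(data: bytes) -> bytes:
    """One step of the chain. SHA-256 is an assumption; real S/Key uses a different, folded hash."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)]; only the last element is given to the server."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def client_passwords(seed: bytes, n: int) -> list:
    """Passwords in the order they are used: H^(n-1)(seed) first, down to H^0(seed) = seed last."""
    return make_chain(seed, n)[n - 1::-1]


class OtpServer:
    """Holds only the most recently accepted chain value and a counter; it never learns the seed."""

    def __init__(self, top: bytes, count: int):
        self.current = top        # H^n(seed) at enrolment
        self.remaining = count    # logins left before the user must re-enrol

    def verify(self, candidate: bytes) -> bool:
        """Accept only the direct preimage of the stored value; a replayed or skipped value fails."""
        if self.remaining == 0 or h(candidate) != self.current:
            return False
        self.current = candidate  # move one step down the chain
        self.remaining -= 1
        return True


if __name__ == "__main__":
    seed = os.urandom(16)                  # constructed; S/Key derives it from a passphrase and a seed string
    n = 10
    server = OtpServer(make_chain(seed, n)[n], n)   # enrolment: server stores H^10(seed)
    passwords = client_passwords(seed, n)           # the notecard of next passwords
    print("login 1 accepted:", server.verify(passwords[0]))
    print("replay of login 1 rejected:", not server.verify(passwords[0]))
    print("login 2 accepted:", server.verify(passwords[1]))
    print("logins remaining:", server.remaining)
```

Because the server stores H^k(seed) and hashing is one-way, reading the server's record reveals nothing usable, and an eavesdropper who sees H^(k-1)(seed) on the wire cannot compute H^(k-2)(seed) for the next login; what the scheme does not protect is the content of the session itself, which is why Tim reserves it for non-confidential access.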



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Derek Anderson

i'll be honest, i don't know anyone who's ever used a one-time-pad 
outside of some military applications before we had computers 
everywhere.  while the security is mathematically "perfect", it's so 
encumbering to implement that i consider it overall riskier.  having to 
pass by courier gigs upon gigs of true-random numbers, plus the need to 
securely destroy that data afterwards, is really hard.  many more 
vectors of attack at the human level.  best to make damn sure your 
192-bit AES key gets there in a trustworthy manner, and trust in the 
combined research of the professional cryptographic community.

derek


Tim Chase wrote:
>>>> - Take a message, encrypt it using a secure method (should be better
>>>> than or equal to OTP), return the encrypted message.
>>>
>>> parties, Blowfish and DES3 are popular choices and likely to be 
>> just a point of fact: neither of these are >= to OTP.
> 
> They're all strong cryptographically, but all shared-secret 
> solutions suffer the same fate of having to figure out how to 
> securely share your key/OTP if you aren't both the sender and the 
> recipient.
> 
> I do like OTP for logins over insecure connections if absolutely 
> needed, but otherwise, I don't see non-public-key as a great win :)
> 
>> also, on a side note, i wouldn't use 3DES for any new implementations.
> [snip]
>> i'd highly recommend AES instead.
> 
> Good point...I remember hearing something about that a while 
> back, but I tend to use public-key for just about everything so 
> it didn't register in my active memory.
> 
> -tim


-- 
  looking to buy or sell anything?

 try: http://allurstuff.com

  it's a classified ads service that
  shows on a map where the seller is
  (think craigslist + google maps)

  plus it's 100% free :)



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Francis

Only one person (or a very limited group) will receive the encrypted
message by email. It will hold customer information needed by the sales
rep. So no user will have to deal with the encrypted data.

Server receives customer info -> encrypts critical info -> sends email to
sales rep.
Sales rep decrypts the information.

I have never worked with that stuff before, except keys for SSH login.
So I'm looking for something secure, that will make it possible for the
sales rep to decrypt the message/part of the message with a GUI front end.

Thank you for your help


On Jan 23, 12:57 pm, Tim Chase <[EMAIL PROTECTED]> wrote:
> >>> - Take a message, encrypt it using a secure method (should be better
> >>> than or equal to OTP), return the encrypted message.
>
> >> parties, Blowfish and DES3 are popular choices and likely to be
>
> > just a point of fact: neither of these are >= to OTP.
>
> They're all strong cryptographically, but all shared-secret
> solutions suffer the same fate of having to figure out how to
> securely share your key/OTP if you aren't both the sender and the
> recipient.
>
> I do like OTP for logins over insecure connections if absolutely
> needed, but otherwise, I don't see non-public-key as a great win :)
>
>
>
> > also, on a side note, i wouldn't use 3DES for any new implementations.
> [snip]
> > i'd highly recommend AES instead.
>
> Good point...I remember hearing something about that a while
> back, but I tend to use public-key for just about everything so
> it didn't register in my active memory.
>
> -tim



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Tim Chase

>>> - Take a message, encrypt it using a secure method (should be better
>>> than or equal to OTP), return the encrypted message.
>>
>> parties, Blowfish and DES3 are popular choices and likely to be 
> 
> just a point of fact: neither of these are >= to OTP.

They're all strong cryptographically, but all shared-secret 
solutions suffer the same fate of having to figure out how to 
securely share your key/OTP if you aren't both the sender and the 
recipient.

I do like OTP for logins over insecure connections if absolutely 
needed, but otherwise, I don't see non-public-key as a great win :)

> also, on a side note, i wouldn't use 3DES for any new implementations.
[snip]
> i'd highly recommend AES instead.

Good point...I remember hearing something about that a while 
back, but I tend to use public-key for just about everything so 
it didn't register in my active memory.

-tim



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Derek Anderson

Tim Chase wrote:
>> What needs to be done:
>> - Take a message, encrypt it using a secure method (should be better
>> than or equal to OTP), return the encrypted message.
>
> parties, Blowfish and DES3 are popular choices and likely to be 

just a point of fact: neither of these are >= to OTP.

also, on a side note, i wouldn't use 3DES for any new implementations. 
while still largely impractical with today's computers, it is 
susceptible to meet-in-the-middle attacks, which makes it only slightly 
better than regular DES, which despite its long and glorious history is 
not a secure standard anymore.  plus it's inferior in virtually every 
way to AES.  i'd highly recommend AES instead.

derek


-- 
  looking to buy or sell anything?

 try: http://allurstuff.com

  it's a classified ads service that
  shows on a map where the seller is
  (think craigslist + google maps)

  plus it's 100% free :)



Re: Looking for a security/encryption programmer for small contract

2008-01-23 Thread Tim Chase

> I'm building a web application for one of my clients with django. But
> I need to do something that I have never done before and I am somehow
> really short on time to learn it.
> 
> So I am looking for someone who has experience with encryption/
> security in python. It is to be incorporated into my django app.

Since this is more of a Python issue than a Django issue, you 
might get an improved response by asking on comp.lang.python or 
the more-specific Python-Crypto mailing list [1].

Andrew Kuchling's pycrypto module is the popular solution:

   apt-get install python-crypto

or snag it from [2] (as referenced from [3]) and of most 
interest, the Cipher and/or PublicKey sub-modules.

> What needs to be done:
> - Take a message, encrypt it using a secure method (should be better
> than or equal to OTP), return the encrypted message.
> What should be considered:
> - The user who receives the encrypted message should be able to
> decrypt it on his Windows workstation. I'm looking for existing
> software that can do the job.

You leave a bit of ambiguity here.  The first item of importance 
is whether you use a public-key crypto scheme (unsurprisingly, 
the PublicKey module) or a secret-key crypto scheme (the Cipher 
module).

How does the key get to the recipient?  If your plan is to 
encrypt it, you have a chicken-and-egg problem... :)  If, 
however, you can convey the secret shared-key between the 
parties, Blowfish and DES3 are popular choices and likely to be 
implemented in client software.

Public-key cryptography is often the solution to the 
aforementioned chicken-and-egg problem as it doesn't require a 
shared secret.  It's also frequently built into email software 
(or available as a plugin).  This allows for a simple means by 
which you gather the public-keys of your recipients, and are a 
click or two away from encrypting the message that they can 
decrypt with their private key.

Andrew's documentation[4] on the pycrypto module is excellent.

From what I understand of your undertaking, public-key is a good 
way to go.

> If you are up to the task and want to make extra money just let me
> know.

-tim

[1] http://listserv.surfnet.nl/archives/python-crypto.html
[2] http://www.amk.ca/python/code/crypto.html
[3] http://docs.python.org/lib/crypto.html
[4] http://www.amk.ca/python/writing/pycrypt/



Looking for a security/encryption programmer for small contract

2008-01-23 Thread Francis

Hi,

I'm building a web application for one of my clients with django. But
I need to do something that I have never done before and I am somehow
really short on time to learn it.

So I am looking for someone who has experience with encryption/
security in python. It is to be incorporated into my django app.

What needs to be done:
- Take a message, encrypt it using a secure method (should be better
than or equal to OTP), return the encrypted message.

What should be considered:
- The user who receives the encrypted message should be able to
decrypt it on his Windows workstation. I'm looking for existing
software that can do the job.

If you are up to the task and want to make extra money just let me
know.
What I want from you is:
Your experience in the matter at hand
If you want to make a package (fixed price) just let me know when you
can finish it and your price.
If you want to be paid per hour, give me a time estimate and your
hourly rate. Plus when you can finish it.

Thank you

Francis