I've been exploring what cryptographic modules are available to Python, and I've found 3: ezPyCrypt, yawPyCrypt and KeyCzar (which actually supports a few languages, but Python is included amongst them). The first two rely on the PyCrypto module.

Are there choices I am missing? Is there a clear front-runner for ease and features, or does it simply come down to a matter of one's comfort level?

I'm currently leaning towards KeyCzar, with ezPyCrypt close behind.

I would be using the library for digital signature signing and verification, and potentially for key creation (although I won't cry if I have to make a call to something else for that functionality).

I am using Python 3.x and have access to GPG.

+3  A: 

If you are in an environment which includes GnuPG and Python >= 2.4, then you could also consider a tool such as python-gnupg. (Disclaimer: I'm the maintainer of this project.) It leaves the heavy lifting to gpg and provides a fairly straightforward API.

Overview of API:

>>> import gnupg
>>> gpg = gnupg.GPG(gnupghome='/path/to/keyring/directory')
>>> gpg.list_keys()
[{
  ...
  'fingerprint': 'F819EE7705497D73E3CCEE65197D5DAC68F1AAB2',
  'keyid': '197D5DAC68F1AAB2',
  'length': '1024',
  'type': 'pub',
  'uids': ['', 'Gary Gross (A test user) ']},
 {
  ...
  'fingerprint': '37F24DD4B918CC264D4F31D60C5FEFA7A921FC4A',
  'keyid': '0C5FEFA7A921FC4A',
  'length': '1024',
  ...
  'uids': ['', 'Danny Davis (A test user) ']}]
>>> encrypted = gpg.encrypt("Hello, world!", ['0C5FEFA7A921FC4A'])
>>> str(encrypted)
'-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.4.9 (GNU/Linux)\n
\nhQIOA/6NHMDTXUwcEAf
...
-----END PGP MESSAGE-----\n'
>>> decrypted = gpg.decrypt(str(encrypted), passphrase='secret')
>>> str(decrypted)
'Hello, world!'
>>> signed = gpg.sign("Goodbye, world!", passphrase='secret')
>>> verified = gpg.verify(str(signed))
>>> print("Verified" if verified else "Not verified")
Verified
Vinay Sajip
I'm intrigued...would you mind giving a short explanation as to why one would use py-gpg over PyCrypt?
hewhocutsdown
For easier interoperability with other systems and if the API fits your needs more closely. For example, I worked on a project recently with a major international bank which used GnuPG to send encrypted data to my client. With GnuPG doing the work at our end, there were zero compatibility and interop issues to worry about.
Vinay Sajip
N.B. I haven't tested python-gnupg with Python 3.x - please bear that in mind.
Vinay Sajip
Excellent, and thanks for the code sample. I'll bang on it w/ 3.x and I'll let you know how I find it.
hewhocutsdown
Thanks. I've just run the tests on Python 3 and there were some obvious syntax changes which I've worked through. I think the subprocess interface may be more of a problem - at the moment there is a fair amount of use of StringIO which I'll need to refactor.
Vinay Sajip
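
As an added example (not from the original post, and not python-gnupg's own code), here is the same "leave the heavy lifting to gpg" approach applied to the signature verification asked about, using only the Python 3 standard library: it reads gpg's machine-readable status lines and accepts a signature only when it comes from a pinned fingerprint. The function names and the sample status text are constructed for illustration; the key ID and fingerprint are the first key in the listing above.

```python
import subprocess

# Status keywords gpg emits when a signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, expected_fpr):
    """Return (ok, reason) for gpg --status-fd output.

    ok is True only when gpg reported VALIDSIG for expected_fpr (as the
    signing key or its primary key) and no failure keyword appeared.
    """
    expected = expected_fpr.replace(" ", "").upper()
    signer_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output, not a status line
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False, keyword  # fail closed on any bad signature
        if keyword == "VALIDSIG" and args:
            # First field: signing (sub)key fingerprint; last: primary key's.
            signer_fprs.update((args[0].upper(), args[-1].upper()))
    if not signer_fprs:
        return False, "no VALIDSIG"
    if expected not in signer_fprs:
        return False, "signed by unexpected key"
    return True, "VALIDSIG"

def verify_detached(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run gpg on a detached signature and judge its status lines."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        universal_newlines=True)
    return check_status(proc.stdout, expected_fpr)

# Constructed sample status output (timestamps and algorithm fields made up).
FPR = "F819EE7705497D73E3CCEE65197D5DAC68F1AAB2"
GOOD = (
    "[GNUPG:] GOODSIG 197D5DAC68F1AAB2 Gary Gross (A test user)\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2009-10-01 1254355200 0 4 0 17 2 00 " + FPR + "\n"
)
BAD = "[GNUPG:] BADSIG 197D5DAC68F1AAB2 Gary Gross (A test user)\n"

if __name__ == "__main__":
    print(check_status(GOOD, FPR))
    print(check_status(BAD, FPR))
```

A good signature from any key in the keyring produces VALIDSIG, so comparing against the expected fingerprint is what ties the result to a particular signer.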
A: 

How about http://www.amk.ca/python/code/crypto.html??

0x6adb015
Thanks, but that's what I already referenced (it's the PyCrypt that ezPyCrypt and others wrap around).
hewhocutsdown
+3  A: 

pycrypt is actually a simple AES encrypt/decrypt module built on top of pycrypto like other modules you mention -- note that the latter is transitioning to the pycrypto.org URL as it's changing maintainers, and stable versions and docs are still at the original author's site. In addition to the easier-to-use wrappers you mention, one plus of pycrypto is that a pure-python subset of it is supplied with Google's App Engine, so getting familiar with it would be useful if you ever want to deploy any code there.

The major alternative (another powerful and complex project, like pycrypto) is pyopenssl, which is a fairly regular wrapping (a "thin wrapper", as the author describes it) of OpenSSL (that may be a plus if you're used to coding in C with calls to OpenSSL). An alternative packaging that's complete (comes with the needed libraries) and possibly legally safer (excludes parts on which there are patent disputes or doubts) is distributed by egenix.

Both main projects (pycrypto and pyopenssl) went through long periods of more or less inactivity as the original authors went on to other things, but both are actively developed and maintained again, which is always a good sign.

I am not aware of easy-to-use wrappers on top of pyopenssl (there most likely are, but they haven't been publicized like those on top of pycrypto) and so, if as it seems you do care about ease of use and aren't looking to write wrappers yourself, the ones on top of pycrypto appear to be a better choice.

Alex Martelli
At some point this may change, but at present I am nowhere near capable of writing that sort of wrapper. :) So I'll probably stick to the pycrypto ones, unless this py-gpg idea is better. Thanks for pointing out pyopenssl!
hewhocutsdown
A: 

I've just done such a survey last week and adopted M2Crypto, which seems to be the most advanced wrapper today above openssl (found it in several recommendation lists while googling). I also tried pycrypto, but it misses the certificate management and standard key file format management that M2Crypto has (with pycrypto you have to pickle/unpickle your keys or write your own key manager for common formats).

I found M2Crypto was quite easy to use and was quickly able to develop what I needed (a signed and encrypted package format).

However, I recommend downloading the full package, not just easy installing it, because in the package you also get nice examples (look at the demo directory).

Here is the link http://pypi.python.org/pypi/M2Crypto/0.20.1

A drawback could be that you are using Python 3.0; I'm stuck with 2.5 at my job (hopefully 2.6 soon) and don't know if M2Crypto works with Python 3.0.

I've not much practice with it yet, but if you have specific problems with it just ask here. Someone may answer.

kriss