On Sunday, 25 June 2023 19:45:53 CEST, Soni L. wrote:
Pure-python forbids using the cryptography package. Only python
code and the python stdlib are allowed. The fact that TLS uses
AES at all means it might be possible to trick the python ssl
module to do arbitrary AES, with some effort.
At the end of the day, the TLS protocol is also part of the ssl
module's API surface. It's not the API surface you'd usually
interact with, but nothing really stops you from doing so.
Even if you did force the python ssl socket to use AES keys you want, you
wouldn't be able to encrypt more than 2^14 bytes at a time.
And those bytes would still be encrypted in a TLS-specific way, so, no, you
can't use the ssl module for generic AES encryption.
Please use pyca-cryptography for it. While it's not pure python it now also
works with stuff like pypy, so you're better off figuring out how to get it
running in a semi-pure python way than jumping through hoops just to get to
code that is vulnerable to side channel attacks (as any crypto written in
pure python will be).
On 6/25/23 14:31, Eric Rescorla wrote:
I believe https://cryptography.io/en/latest/ is what you want.
TLS does not use AES in a way that is consistent with what you
would get if you just used a typical AES library.
-Ekr
On Sun, Jun 25, 2023 at 10:21 AM Soni L. <fakedme+...@gmail.com> wrote:
Python doesn't expose raw AES, etc. But it does expose a fairly
rich TLS library. Wondering if it would be possible to just
connect a TLS socket to a raw TCP socket and somehow write bytes
into TLS and get ciphertext out or write bytes into the raw TCP
socket and get plaintext out.
The point is to use AES for non-TLS protocols.
On 6/25/23 14:15, Eric Rescorla wrote:
I'm not aware of any. Why would you want to do this? Most such
libraries I am aware of expose low-level primitives or are built
on libraries which do.
-Ekr
On Sun, Jun 25, 2023 at 6:28 AM Soni L. <fakedme+...@gmail.com> wrote:
Has anyone done any work towards tricking a TLS library into providing
cryptographic primitives? We know of similar work with regards to
javacard https://arxiv.org/abs/1810.01662 but not sure if it can be
applied to TLS.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
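Added example, not part of the thread: a sketch of the inputs a TLS 1.3 record layer (RFC 8446, section 5) hands to the AEAD, illustrating the 2^14-byte limit and the TLS-specific encryption mentioned in the reply above. It assumes an AES-GCM suite (12-byte IV, 16-byte tag) and no record padding; the function names, IV and data are constructed for illustration, and no encryption is performed.

```python
# Added illustration: TLS 1.3 record framing (RFC 8446, section 5), stdlib only.
# Shows what the AEAD is fed per record; it does not encrypt anything.
import struct

MAX_FRAGMENT = 2 ** 14     # largest plaintext fragment carried by one record
TAG_LEN = 16               # AES-GCM tag length (assumed cipher suite)
APPLICATION_DATA = 23      # outer ContentType used for all protected records
LEGACY_VERSION = 0x0303    # legacy_record_version field


def per_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """Nonce = write_iv XOR the 64-bit sequence number, left-padded with zeros."""
    padded = seq.to_bytes(len(write_iv), "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def record_inputs(data: bytes, write_iv: bytes, first_seq: int = 0):
    """Return (nonce, aad, inner_plaintext) for each record covering `data`."""
    records = []
    for i, off in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[off:off + MAX_FRAGMENT]
        # TLSInnerPlaintext: content followed by the real content type byte.
        inner = fragment + bytes([APPLICATION_DATA])
        # Additional data is the record header, with the ciphertext length.
        aad = struct.pack("!BHH", APPLICATION_DATA, LEGACY_VERSION,
                          len(inner) + TAG_LEN)
        records.append((per_record_nonce(write_iv, first_seq + i), aad, inner))
    return records


if __name__ == "__main__":
    iv = bytes(range(12))      # constructed sample IV, not a real key schedule
    payload = b"A" * 40000     # constructed sample data
    for nonce, aad, inner in record_inputs(payload, iv):
        print(nonce.hex(), aad.hex(), len(inner))
```

The caller controls neither the nonce nor the additional data, and every record gains a trailing content-type byte, so the output is not what a direct AES-GCM call on the same bytes would produce.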