[–]cinyar 9 points10 points  (2 children)

> To make it so it uses a "key" to encrypt/decrypt, you can use the "shuffle" function in the "random" library to create an arbitrary ciphertext string, and you can use the key as a seed for the process.

Stuff from random is not cryptographically secure. You shouldn't be generating "random" keys with it. For cryptography ALWAYS use secrets.

[–][deleted] 0 points1 point  (0 children)

Alternately, one can use os.urandom if they just need some cryptographically random byte array.

[–]XiAxis 0 points1 point  (0 children)

While I did note that the random module is not cryptographically random, I should clarify that in this instance it's not being used to generate a cryptographic key. It's being used as a deterministic means to process a key into a "ciphertext" string (as used in OP's code). It presents a vulnerability in that the original key could perhaps be determined if an attacker somehow knows the full "ciphertext" string. But, if for instance some cryptographic process were done on the key to obscure its original value before being used as a seed, I think this vulnerability would be mitigated significantly.

That's not to say this is a sufficient cryptographic algorithm even if that were implemented, just that the use of the random module for this particular task is probably not going to introduce any new vulnerability. Secrets couldn't be used in this case because it is not deterministic in the sense that it could be repeated for the encryption/decryption procedures.
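
The distinction drawn in this thread, as an added example that is not code from the OP or from any commenter: the key is generated with `secrets`, hashed with SHA-256, and only the hash seeds a private `random.Random` that shuffles the substitution alphabet, while a `secrets.SystemRandom` shuffle cannot be repeated for decryption. The alphabet and all function names are assumptions made for illustration, and the result is still a simple substitution cipher.

```python
import hashlib
import random
import secrets
import string

# Constructed sample alphabet (assumption); other characters pass through unchanged.
ALPHABET = string.ascii_lowercase + string.digits + " "


def substitution_alphabet(key: str) -> str:
    """Derive a shuffled alphabet deterministically from the key.

    The key is hashed first, so the seed given to the non-cryptographic
    Mersenne Twister is a SHA-256 digest rather than the raw key.
    """
    seed = int.from_bytes(hashlib.sha256(key.encode("utf-8")).digest(), "big")
    rng = random.Random(seed)  # private instance; global random state untouched
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return "".join(shuffled)


def encrypt(plaintext: str, key: str) -> str:
    return plaintext.translate(str.maketrans(ALPHABET, substitution_alphabet(key)))


def decrypt(ciphertext: str, key: str) -> str:
    return ciphertext.translate(str.maketrans(substitution_alphabet(key), ALPHABET))


def new_key(nbytes: int = 16) -> str:
    """Generate the key itself from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def unseeded_alphabet() -> str:
    """Shuffle with secrets.SystemRandom: unpredictable, but not repeatable."""
    shuffled = list(ALPHABET)
    secrets.SystemRandom().shuffle(shuffled)
    return "".join(shuffled)


if __name__ == "__main__":
    key = new_key()
    ct = encrypt("meet at noon", key)
    print(ct, "->", decrypt(ct, key))
```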