use a random Initialization Vector for AES using CFB (Cipher FeedBack).

https://www.dlitz.net/software/pycrypto/api/current/Crypto.Cipher.blockalgo-module.html#MODE_CFB

use a random Initialization Vector for AES using CFB (Cipher FeedBack).
https://www.dlitz.net/software/pycrypto/api/current/Crypto.Cipher.blockalgo-module.html#MODE_CFB
68c1e536 · Kazuhiko Shiozaki · 02587c60 · 68c1e536
Commit 68c1e536 authored Apr 30, 2014 by Kazuhiko Shiozaki
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

product/ERP5Security/ERP5KeyAuthPlugin.py product/ERP5Security/ERP5KeyAuthPlugin.py +8 -4

No files found.
--- a/product/ERP5Security/ERP5KeyAuthPlugin.py
+++ b/product/ERP5Security/ERP5KeyAuthPlugin.py
@@ -54,6 +54,7 @@ from Products.ERP5Security.ERP5UserManager import ERP5UserManager,\
                                                  _AuthenticationFailure

 from Crypto.Cipher import AES
+from Crypto import Random
 from base64 import urlsafe_b64decode, urlsafe_b64encode

 class AESCipher:
@@ -64,12 +65,15 @@ class AESCipher:
    self.encryption_key = encryption_key.ljust(32)[:32]

  def encrypt(self, login):
-    encryptor = AES.new(self.encryption_key, self.mode)
-    return urlsafe_b64encode(encryptor.encrypt(login.ljust(((len(login)-1)/16+1)*16)))
+    iv = Random.new().read(AES.block_size)
+    encryptor = AES.new(self.encryption_key, self.mode, IV=iv)
+    return urlsafe_b64encode(iv + encryptor.encrypt(login.ljust(((len(login)-1)/16+1)*16)))

  def decrypt(self, crypted_login):
-    decryptor = AES.new(self.encryption_key, self.mode)
-    return decryptor.decrypt(urlsafe_b64decode(crypted_login)).rstrip()
+    decoded_crypted_login = urlsafe_b64decode(crypted_login)
+    iv = decoded_crypted_login[:AES.block_size]
+    decryptor = AES.new(self.encryption_key, self.mode, IV=iv)
+    return decryptor.decrypt(decoded_crypted_login[AES.block_size:]).rstrip()

 # This cipher is weak. Do not use.
 class CesarCipher: