One-Time-Pad

我的一次性密碼是否安全?

  • February 27, 2017

這是我為加密文本文件而製作的程序。它使用一次性密碼來加密文件,但我不知道我的程序中是否有任何漏洞可能是漏洞。我的一次性密碼是否安全?

import os
q = 1
while q == 1:
   e = raw_input("file to encypt: ")
   #This will open a file for encryption
   o = open(e, "r")
   o1 = o.read()
   #This is the plain text to encrypt
   #'The quick brown fox jumps over the lazy dog'
   plain = o1
   #This will measure the length of the plain text
   f3 = len(plain)
   #generate random chacters as long as the text
   a1 = os.urandom(f3)
   #makes the random characters tuple format
   b = list(a1)
   b2 = list(plain)
   s = plain
   #gives the ascii value of the charters
   L = [ord(c) for c in s]
   s = a1
   a = [ord(c) for c in s]
   b = [ord(c) for c in plain]
   #adds the random digits and the plain text
   c = map(sum, zip(a,b))
   #uses Modular arithmetic if the sum is greater than 256
   x=c
   z = []
   for y in x:
       z.append(y-256 if y>=256 else y)
   z = [y-256 if y >= 256 else y for y in x]
   #converts the sum back to charter form
   cipher_text = ''.join(chr(i) for i in z)
   #makes a folder for the files
   base1 = os.path.basename(e)
   base2 = os.path.splitext(base1)[0]
   #makes a folder for the output
   p = "/Users/kyle/one_time_pad/"+base2
   print p
   if os.path.exists(p):
       print
   else:
       os.mkdir(p)

   key = a1
   #makes a file containg the key
   p = p + "/"
   f2 = p+"key.txt"
   #print f2
   if os.path.exists(f2):
       f1 = file(f2, "w")
       f1 = open(f2, "w")
       f1.write(key)
       f1.close()
   else:
       f1 = file(f2, "w")
       f1 = open(f2, "w")
       f1.write(key)
       f1.close()

   #makes a file containg the cipher text
   f3 = p+"cipher_text.txt"
   if os.path.exists(f3):
       f1 = file(f3, "w")
       f1 = open(f3, "w")
       f1.write(cipher_text)
       f1.close()
   else:
       f1 = file(f3, "w")
       f1 = open(f3, "w")
       f1.write(cipher_text)
       f1.close()

   f4 = p+"encrypt.py"
   encrypt1 = open("/Users/kyle/encrypt.py", "r")
   encrypt = encrypt1.read()
   if os.path.exists(f4):
       f1 = file(f4, "w")
       f1 = open(f4, "w")
       f1.write(encrypt)
       f1.close()
   else:
       f1 = file(f4, "w")
       f1 = open(f4, "w")
       f1.write(encrypt)
       f1.close()

   f5 = p+"decrypt.py"
   encrypt1 = open("/Users/kyle/decrypt.py", "r")
   encrypt = encrypt1.read()
   if os.path.exists(f5):
       f1 = file(f5, "w")
       f1 = open(f5, "w")
       f1.write(encrypt)
       f1.close()
   else:
       f1 = file(f5, "w")
       f1 = open(f5, "w")
       f1.write(encrypt)
       f1.close()

   print 50*"-"

這是我用於解密的程式碼

import os

q = 1
while q == 1: 
   #opens the cipher text and it converts it to decimal
   cipher = raw_input("cipher text: ")
   cipher1 = open(cipher, "r")
   cipher2 = cipher1.read()
   cipher3 = [ord(c) for c in cipher2]

   #opens the key and coverts it to decimal
   key = raw_input("key: ")
   key1 = open(key, "r")
   key2 = key1.read()
   key3 = [ord(c) for c in key2]

   #subtracts the key from the cipher
   a = cipher3
   b = key3
   c = map(lambda x: (x[0]-x[1]) % 256, zip(a,b))

   #prints out the decrypted plain text
   decrypt = ''.join(map(chr,c))
   #makes a file with the decrypted output 
   path1 = raw_input("out folder: ")
   name = "plain_text.txt"
   path2 = path1 + "/" + name
   if os.path.exists(path2):
       f1 = file(path2, "a")
       f1 = open(path2, "a")
       f1.write(decrypt)
       f1.close()
   else:
       f1 = file(path2, "w")
       f1 = open(path2, "w")
       f1.write(decrypt)
       f1.close()

   print 50*"-"

我看到的第一個漏洞是您正在使用 random generator urandom。你怎麼知道這個函式生成的序列是真正隨機的?

第二個漏洞是您將密鑰保存為明文!

您不應該使用os.urandom,因為該模組是基於種子編號的 PRNG。相反,您應該使用/dev/random.

將密鑰保存為明文並不是一個壞主意。這是一個可怕的想法。如果您在 Linux 上編寫 python,請將密鑰保存在WAVE Audio File. 如果您在 Windows 上編寫 Py’,請將其另存為Executable 兩者都是速記的可怕想法,但它是基本的。並將其保存為這些文件格式,請使用 DeepSound。

而且,不建議將密鑰保存在硬碟上。將其保存在 USB 快閃記憶體驅動器、Micro SD 卡或其他任何東西上。

但是請確保包含密鑰文件的介質已完全加密,我建議您創建自己的 AES 硬碟加密應用程序,或者僅從原始碼編譯 VeraCrypt。

AES 密鑰應以明文、紙質形式而非數字媒體形式傳遞,並且應面對面傳遞給消息接收者。

解密時,機器應該完全離線,並且遠離智能手機或任何具有網際網路連接(WIFI 或移動數據)的設備,以防止 BitWhisper 或 Acoustic 密碼分析。

對不起,如果我看起來像個偏執狂,但我就是一個!;-)

關於 PRNG、聲學密碼分析的來源:維基百科。

來源/dev/randomhttps ://cryptoaarchy.freed0m4all.net/wiki/One_Time_Pad

引用自:https://crypto.stackexchange.com/questions/8906