Python
Jose

Python: PKCS#5 v2.0 PBKDF2 (python-pbkdf2)

More than 3 years have passed since last update.

PKCS #5: PASSWORD-BASED CRYPTOGRAPHY STANDARD

インストール:

$ pip install pbkdf2

HMAC-SHA256で128ビットの派生キーを作って、コンテンツキーをAESでラップして相手に渡す。:

    def test_pbes2(self):
        # PBES2-HS256+A128KW

        from pbkdf2 import PBKDF2
        from Crypto import Random

        klen = 16                           # key length

        # Sender ----
        cek = Random.get_random_bytes(klen) # CEK
        key = Random.get_random_bytes(klen) # shared key
        p2s = Random.get_random_bytes(32)   # salt
        p2c = 4096                          # iter count

        from Crypto.Hash import HMAC, SHA256, SHA384, SHA512
        # Derive shared key to KEK by Alice
        kek_alice  = PBKDF2(key, p2s, p2c,
                            digestmodule=SHA256,
                            macmodule=HMAC).read(klen)
        self.assertEqual(len(kek_alice), klen)

        # Wrap CEK to CEKCI with AES
        from jose.jwa.aes import aes_key_wrap
        cekci = aes_key_wrap(kek_alice, cek)

        # Recepient ----
        # 'key' has been shared before a session.
        # 'p2s', 'p2c', and 'cekci' are delivered on a session

        # Derive shared key to KEY by Bob
        kek_bob = PBKDF2(key, p2s, p2c,
                         digestmodule=SHA256,
                         macmodule=HMAC).read(klen)
        self.assertEqual(kek_alice, kek_bob)

        # UnWrap CEKCI to CEK with AES
        from jose.jwa.aes import aes_key_unwrap
        cek_agreed = aes_key_unwrap(kek_bob, cekci)

        self.assertEqual(cek, cek_agreed)