 

Is PyCrypto safe and reliable to use?

I am planning on using PyCrypto for a project and I want to know whether PyCrypto is safe and reliable enough to use. How can I ensure that PyCrypto is encrypting data correctly according to the various encryption algorithms such as RSA and AES?

Imran Azad asked Oct 20 '11 12:10


2 Answers

It depends.

Some parts of PyCrypto are really good. For example, the API for Crypto.Random (introduced in PyCrypto 2.1) was designed to be pretty foolproof, and the underlying algorithm it uses (Fortuna) was also designed to be pretty foolproof.

Other parts are just implementations of low-level crypto primitives, so they work, but you have to know what you are doing to use them correctly. For example, Crypto.PublicKey.RSA doesn't implement the full RSA PKCS#1 standard (which is what most people think about when they talk about "RSA"). It only implements the basic RSA primitive (m^e mod n and c^d mod n), and you still have to provide your own PKCS#1 implementation.

The best way to ensure that PyCrypto is encrypting your data correctly (without reading the source code, which I encourage everyone to do) is to use a standard protocol and/or message format, and test that your code interoperates with other implementations. If you're making up your own message format (which you probably shouldn't do anyway), then you need to be very careful to ensure that PyCrypto is actually doing everything that you think it's doing.

Disclaimer: I'm the current PyCrypto maintainer, so my opinions shouldn't be considered an independent review.

Update: PyCrypto v2.5 and later now include proper RSA PKCS#1 encryption and signature implementations. See the API documentation for Crypto.Cipher.PKCS1_OAEP and Crypto.Signature.PKCS1_PSS for details.

dlitz answered Oct 16 '22 22:10
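The answer above notes that the basic RSA primitive (m^e mod n and c^d mod n) is not the same as PKCS#1. The following is an added example, not part of the original answer and not PyCrypto code, showing with the standard library only what the bare primitive leaves unprotected; the toy key and the names `raw_encrypt`, `raw_decrypt`, `confirm_guess` and `scaled_ciphertext` are assumptions made for illustration.

```python
# Added example: what the raw RSA primitive (m^e mod n) does with no padding.
# Constructed toy key built from two Mersenne primes so the block runs offline;
# primes of this special form must never be used for a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def raw_encrypt(m: int) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    if not 0 <= m < N:
        raise ValueError("message must be in [0, n)")
    return pow(m, E, N)


def raw_decrypt(c: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    return pow(c, D, N)


def confirm_guess(ciphertext: int, candidates: list) -> object:
    """Deterministic: anyone with the public key can re-encrypt candidate
    plaintexts and compare, so low-entropy messages are not hidden."""
    for guess in candidates:
        if raw_encrypt(int.from_bytes(guess, "big")) == ciphertext:
            return guess
    return None


def scaled_ciphertext(ciphertext: int, k: int) -> int:
    """Malleable: c * k^e mod n is a valid ciphertext of k*m mod n, and
    nothing in the primitive lets the receiver detect the change."""
    return (ciphertext * pow(k, E, N)) % N


if __name__ == "__main__":
    secret = b"approve"                      # constructed sample message
    m = int.from_bytes(secret, "big")
    c = raw_encrypt(m)
    print("round trip ok:", raw_decrypt(c) == m)
    print("guess confirmed:", confirm_guess(c, [b"deny", b"approve"]))
    print("tampered decrypts to 2*m:", raw_decrypt(scaled_ciphertext(c, 2)) == 2 * m)
    print("0 and 1 are fixed points:", raw_encrypt(0) == 0 and raw_encrypt(1) == 1)
```

Randomized padding such as OAEP, mentioned in the answer's update, is what removes these properties for encryption.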


No. PyCrypto is no longer under active development and the cryptography library should be used instead.

Source: https://github.com/dlitz/pycrypto/issues/173

Dan answered Oct 16 '22 23:10