"I don't think [insert arbitrary misuse of crypto here] is horrifically insecure here"
This is wrong-headed thinking. If I had a dollar for every time a programmer said that and was wrong, I would be rich.
Strong crypto is only strong if you follow the instructions *exactly*. Everything else is snake oil.
"the key + IV-reuse is minimal"
The same key and IV are reused for every single password, so you get this:
    >>> from Crypto.Cipher import AES
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("a").encode('hex')
    '6a'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("ab").encode('hex')
    '6af9'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("ab").encode('hex')
    '6af9'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
    '6af9bb'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
    '6af9bb'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
    '6af9bb'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc1").encode('hex')
    '6af9bb63'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc2").encode('hex')
    '6af9bb60'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc3").encode('hex')
    '6af9bb61'
    >>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc4").encode('hex')
    '6af9bb66'
Notice a pattern in the ciphertexts?
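What the repeated key and IV give away to someone who sees only the stored ciphertexts, worked through on the hex strings from the session above. This is an added example, not part of the original comment; the function names are made up for illustration, and it uses only the Python 3 standard library.

```python
from itertools import combinations

# Plaintext -> ciphertext pairs copied from the session above
# (same key, same IV, CFB mode for every password).
SAMPLES = {
    "a": "6a", "ab": "6af9", "abc": "6af9bb",
    "abc1": "6af9bb63", "abc2": "6af9bb60",
    "abc3": "6af9bb61", "abc4": "6af9bb66",
}

def leak(c1_hex, c2_hex):
    """What two ciphertexts reveal without the key.

    Returns (n, delta). With a fixed key and IV the CFB keystream is the
    same until the ciphertexts diverge, so:
      n     = number of leading plaintext bytes the two passwords share
      delta = XOR of the two plaintext bytes at position n
              (None when one ciphertext is a prefix of the other)
    """
    c1, c2 = bytes.fromhex(c1_hex), bytes.fromhex(c2_hex)
    n = 0
    for x, y in zip(c1, c2):
        if x != y:
            break
        n += 1
    if n >= min(len(c1), len(c2)):
        return n, None
    return n, c1[n] ^ c2[n]

def matches_plaintexts():
    """Check every pair in SAMPLES: the leak computed from ciphertext
    alone must equal the same quantity computed from the plaintexts."""
    for (p1, c1), (p2, c2) in combinations(SAMPLES.items(), 2):
        n, delta = leak(c1, c2)
        if not (p1[:n] == p2[:n]):
            return False
        if delta is not None and delta != ord(p1[n]) ^ ord(p2[n]):
            return False
    return True

if __name__ == "__main__":
    for a, b in [("abc1", "abc4"), ("ab", "abc3"), ("abc2", "abc3")]:
        n, delta = leak(SAMPLES[a], SAMPLES[b])
        print(f"{SAMPLES[a]} vs {SAMPLES[b]}: shared prefix {n} bytes, "
              f"plaintext XOR at byte {n}: {delta}")
    print("leak matches real plaintexts:", matches_plaintexts())
```
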