Python Crypto: State of the Art (Part 1)

There is a lot of interest in doing cryptography using Python these days which has resulted in quite an impressive number of cryptography related Python modules out there. PyPI package index alone has about 50 'cryptography'-tagged entries.

Unfortunately, the quality and scope of those packages, well, varies. So instead of putting together a list of All The Crypo Stuff Out There, I tried to discover cryptography toolkits an enterprise Python developer could be interested in.

By “cryptography toolkit” I mean what people usually refer as a "crypto system", though that is not quite a correct term. In other words, Cryptography Toolkit is a software system featuring a set of:

  • encryption algorithms
  • hash functions
  • cryptography protocols
  • random number generators
  • key/certificate manipulation tools
  • I/O routines

All that, of course, should be packaged together as a Python module. An ideal toolkit is expected to be:

there should be a way to add new or substitute existing algorithms with alternative implementations
it should be able to "understand" other toolkits like MS Crypto API/CNG and JCA
for example, the standard Python SSL implementation is using insecure SSLv2 which ignores certificates completely. Guess what that means?
cover a range of cryptography algorithms, protocols and schemes
the bare minimum is DES and RSA support, ECC is highly desired
FIPS-140 is a minimum, NSA Suite B is ideal

Certain algorithm implementations (like a standalone SEAL2 library) limited to specific host platforms (like bindings for Mozilla's PKCS#11 DLL) are left out of this article, as well as alpha-quality software.

Given these parameters, the search yielded six results presented in the following table.

(click to enlarge)


  • Only NSS and OpenSSL are implementing Elliptic Curve algorithms
  • There is only one toolkit compatible with Google App Engine: cryptopy
  • None of the listed toolkits is Python 3 compatible
  • All toolkits except one are governed by the US export law
  • Not a single toolkit is compliant to the NSA Suite B

(Part 2...)