Ian Bicking: the old part of his blog

Comment

Python 2.2 does indeed have an hmac library -- I hadn't noticed it before. But I don't see how it changes much -- HMAC just seems to be a way to sign things, and an HMAC is not noticeably different than hashing the concatenation of the key and plaintext (except it standardizes aspects). Standardizing my homebrew encryption isn't that important ;)

Note that the key is in all cases secret, and is not reused. So (A XOR C) XOR (B XOR C) wouldn't happen -- i.e., someone couldn't submit a known plaintext (B), and use that to decode (A XOR C), since the two messages would actually be (A XOR C1) and (B XOR C2). But I think if, say, you had a 200 character plaintext, and a 20 character hash, you could potentially find out what the hash is, since character 1, 21, 41, 61, 81, 101, 121, 141, 161, and 181 would have been XORed with the same value, and you could start to guess (using knowledge about the likely distribution of characters) what that value of the key/mask had been. This would still only allow you to break that one message -- the key would remain secret even after a successful brute-force attack of this style.
Comment on Homebrew encryption
by Ian Bicking