Score:0

Fernet symmetric-key encryption

ua flag

To encrypt and provide data — e.g. JSON strings in a database — using Python, I'm wondering what a good approach (package) for symmetric-key encryption is.

The Python standard modules are only about hashes and secure random numbers: https://docs.python.org/3/library/crypto.html, so I started with https://github.com/pyca/cryptography, as https://github.com/pycrypto/pycrypto looks rather stalled. The former refers to Fernet, but strangely I cannot find a Wikipedia entry, nor much background or third-party investigation on it (see also https://github.com/fernet/spec/ and https://cryptography.io/).

Given that the key is exchanged securely:

  • Is there an issue with the https://github.com/pyca/cryptography Fernet implementation?
  • Is there further reading (maybe under another name than 'Fernet') that supports that it is fine data-security-wise?
kelalaka avatar
in flag
NaCl and the [Python API of it](https://github.com/pyca/pynacl). Use a 256-bit key.
thoku avatar
ua flag
Thank you! After your hint I also found their reference https://cryptography.io/en/latest/faq/#how-does-cryptography-compare-to-nacl-networking-and-cryptography-library. If you'd put your comment as answer, I'd accept it, since https://doc.libsodium.org/ looks better documented (...and has more GitHub stars, but I do not see a reason to argue against https://cryptography.io).
kelalaka avatar
in flag
The NaCl [core team](http://nacl.cr.yp.to/index.html) includes Bernstein. My comment can't be an answer since you were asking about issues with Fernet. See the [features](http://nacl.cr.yp.to/features.html) on their page.
Score:1
ru flag

I’m not sure where the name Fernet encryption comes from, but their spec indicates that they are using AES-128 in CBC mode and then authenticating the ciphertext with a SHA256 HMAC. They then base64-encode everything so that the cryptogram is printable ASCII.

I won’t claim to have done a code review, but their starting point is using good cryptographic primitives in a sensible way.

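As an added example (not code from the question, this answer, or pyca/cryptography): the token framing and HMAC-SHA256 authentication the answer describes, written against the Fernet spec with only the standard library. The AES-128-CBC step itself is left to the library, so the ciphertext passed in is treated as opaque bytes; the function names, the fixed sample key and the `flip_byte` helper are my own constructions.

```python
import base64, hashlib, hmac, struct

# Token layout from the Fernet spec (all base64url-encoded as one string):
#   Version (0x80) || Timestamp (8 bytes, big-endian) || IV (16 bytes)
#   || AES-128-CBC ciphertext || HMAC-SHA256 (32 bytes) over all preceding fields
# The 32-byte key is split: first 16 bytes sign (HMAC), last 16 bytes encrypt (AES).
VERSION = 0x80
MAX_CLOCK_SKEW = 60  # seconds; pyca/cryptography allows the same
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))  # constructed test key; never use a predictable key


def split_key(fernet_key: bytes):
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]  # (signing_key, encryption_key)


def build_token(fernet_key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    # Frame a ciphertext (produced by AES-128-CBC elsewhere) and append the HMAC: encrypt-then-MAC
    signing_key, _ = split_key(fernet_key)
    body = struct.pack(">BQ", VERSION, timestamp) + iv + ciphertext
    return base64.urlsafe_b64encode(body + hmac.new(signing_key, body, hashlib.sha256).digest())


def verify_token(fernet_key: bytes, token: bytes, now: int, ttl=None) -> dict:
    # Check the MAC before interpreting anything else; any failure raises with no partial result
    signing_key, enc_key = split_key(fernet_key)
    data = base64.urlsafe_b64decode(token)
    if len(data) < 73 or data[0] != VERSION or (len(data) - 57) % 16:
        raise ValueError("malformed token or unsupported version")
    body, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(tag, hmac.new(signing_key, body, hashlib.sha256).digest()):
        raise ValueError("bad HMAC: wrong key or token modified")
    timestamp = struct.unpack(">Q", body[1:9])[0]
    if (ttl is not None and timestamp + ttl < now) or timestamp > now + MAX_CLOCK_SKEW:
        raise ValueError("token expired or timestamp in the future")
    return {"timestamp": timestamp, "iv": body[9:25], "ciphertext": body[25:], "enc_key": enc_key}


def flip_byte(token: bytes, index: int) -> bytes:
    # Simulate in-transit corruption of one decoded byte (index 25 onward is ciphertext)
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))
```

The point to take from it is that the MAC check rejects any modified byte before the ciphertext is ever handed to the decryptor, and that the TTL check is separate from authentication.
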
thoku avatar
ua flag
This is not exactly the answer I expected security-wise, but together with @kelalaka's comments above, and the usage (dependent packages) comparison of both libs, [pyca/cryptography](https://github.com/pyca/cryptography/network/dependents) vs. [libsodium](https://github.com/jedisct1/libsodium/network/dependents), I feel safe enough now.