Fernet symmetric-key encryption

thoku

2/19/23, 6:31 AM

Fernet symmetric-key encryption

To encrypt and provide data — e.g. JSON strings in a database — using Python I'm wondering what is a good approach (package) for symmetric-key encryption.

The Python standard modules are only about hashes and secure random numbers: https://docs.python.org/3/library/crypto.html, so I started with https://github.com/pyca/cryptography as https://github.com/pycrypto/pycrypto looks rather stalled. Former refers to Fernet, but strangely I cannot find a Wikipedia entry, neither much background nor 3rd-party investigation on it (see also https://github.com/fernet/spec/ and https://cryptography.io/).

Given the key is exchanged securely

Is there an issue with the https://github.com/pyca/cryptography Fernet implementation?
Is there further reading (maybe under another name than 'Fernet') that supports, it is fine data-security wise?

130

0 + 0

implementation

symmetric

kelalaka

2/19/23, 8:45 AM

NaCL and [Python API of it](https://github.com/pyca/pynacl). Use 256-bit key.

thoku

2/23/23, 7:20 AM

Thank you! After your hint I also found their reference https://cryptography.io/en/latest/faq/#how-does-cryptography-compare-to-nacl-networking-and-cryptography-library. If you'd put your comment as answer, I'd accept it, since https://doc.libsodium.org/ looks better documented (...and has more GitHub stars, but I do not see a reason to argue against https://cryptography.io).

kelalaka

2/23/23, 7:27 AM

NaCL [core team](http://nacl.cr.yp.to/index.html) includes Bernstein. My comment can't be an answer since you were asking about issues with the Fernet. See the [features](http://nacl.cr.yp.to/features.html) of their page.

Score:1

Crypto

Daniel S

2/19/23, 8:28 AM

I’m not sure where the name Fernet encryption comes from, but their spec indicates that they are using AES-128 in CBC mode and then authenticating the cipher text with a SHA256 HMAC. They then base64 encode everything so that the cryptogram is printable ASCII.

I won’t claim to have done a code review, but their starting point is using good cryptographic primitives in a sensible way.

0 + 0

thoku

2/23/23, 1:32 PM

This is not exactly the answer I expected security-wise, but together with @kelalaka's comments above, and the usage (dependent packages) comparison of both libs [pyca/cryptography](https://github.com/pyca/cryptography/network/dependents) vs. [libsodium](https://github.com/jedisct1/libsodium/network/dependents) I feel safe enough now.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Fernet symmetric-key encryption

TH: การเข้ารหัสคีย์สมมาตร Fernet

RO: Criptare cu cheie simetrică Fernet

RU: Шифрование с симметричным ключом Fernet

VI: Mã hóa khóa đối xứng Fernet

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.