[Cryptography-dev] Fernet newbie question: supplying existing key for decoding
David Evans
djve60 at gmail.com
Mon Jan 5 19:05:40 CET 2015
I found the answer to what I was trying to find at
http://incolumitas.com/2014/10/19/using-the-python-cryptography-module-with-custom-passwords/
when following up on the URLs.
In case the site goes off line the code I was after is just (copied from
the site) by Nikolai Tschacher:
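import base64

from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend


def get_key(password):
    # Hash the password with SHA-256 to get 32 bytes, then encode them
    # as URL-safe base64, which is the key format Fernet expects.
    digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
    digest.update(password)
    return base64.urlsafe_b64encode(digest.finalize())


def encrypt(password, token):
    # Derive the Fernet key from the password and encrypt the message.
    f = Fernet(get_key(password))
    return f.encrypt(bytes(token))


def decrypt(password, token):
    # Re-derive the same key from the password and decrypt the token.
    f = Fernet(get_key(password))
    return f.decrypt(bytes(token))
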
but the problem I have with this is using a non-randomized password helps
subvert the security of the 32-bit random password that Fernet provides.
However, as Nikolai notes, it's more usable for interactive activities.
For new code I'll be using Fernet but for existing code I think I'm forced
to keep to PyCrypto. Since a Fernet message is self-signed (a little like
a PKCS12 type file) it will not be appropriate for many existing processes
but I think it should be used where possible.
Thanks for the help,
David
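
Added example, not part of the original message or of the linked post: the concern raised above about password-derived keys is usually addressed by replacing the bare SHA-256 hash with a salted, iterated KDF and storing the salt next to the token. The names derive_key, SALT_LEN and ITERATIONS, the iteration count and the salt-prefix layout are assumptions of this sketch; the KDF is the standard library's hashlib.pbkdf2_hmac.

```python
import base64
import hashlib
import os

SALT_LEN = 16         # assumed: bytes of random salt generated per message
ITERATIONS = 600_000  # assumed work factor; tune for your own hardware
# Length of the base64-encoded salt that prefixes every blob (24 for 16 bytes).
SALT_B64_LEN = len(base64.urlsafe_b64encode(bytes(SALT_LEN)))


def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into 32 bytes, encoded in the format Fernet expects."""
    raw = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)


def encrypt(password: bytes, plaintext: bytes) -> bytes:
    # Imported here so the key-derivation half runs without the third-party package.
    from cryptography.fernet import Fernet

    salt = os.urandom(SALT_LEN)  # fresh salt: same password, different key each time
    token = Fernet(derive_key(password, salt)).encrypt(plaintext)
    # The salt is not secret; prefix it so decrypt() can re-derive the key.
    return base64.urlsafe_b64encode(salt) + token


def decrypt(password: bytes, blob: bytes) -> bytes:
    from cryptography.fernet import Fernet

    salt = base64.urlsafe_b64decode(blob[:SALT_B64_LEN])
    token = blob[SALT_B64_LEN:]
    # Raises cryptography.fernet.InvalidToken on a wrong password or a modified blob.
    return Fernet(derive_key(password, salt)).decrypt(token)


if __name__ == "__main__":
    blob = encrypt(b"correct horse", b"constructed sample message")
    print(decrypt(b"correct horse", blob))
```

The iteration count slows down each password guess, and the per-message salt prevents precomputed tables from being reused across tokens; neither makes a weak password as strong as a key from Fernet.generate_key().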