[Cryptography-dev] Message authentication and integrity

Darren S. phatbuckett at gmail.com
Sun Nov 20 05:07:33 EST 2016


Hi,

Working on part of a project where there's no requirement for
confidentiality, but do need to verify message authentication and
integrity. The case is a simple multi-node system where a client
component makes a request of another component using an HTTP request.
The transport does not currently implement SSL/TLS. The request
recipient simply needs to be certain that an authorized/known client
issued the request. Each node is under the same administrative
control/owner and a secure channel such as SSH may be used for setting
up pre-shared keys.

What Python cryptography recipe is suitable for this? Fernet appears
to be geared around symmetric encryption although shared secrets also
work for authentication and this seems to be stated when discussing
cryptography.fernet.InvalidToken if the token "does not have a valid
signature."

I'd like to avoid any PKI for the time being, so in addition to
cryptography's support we also note PyNaCl digital signatures [1] and
the standard library's hmac [2] module. Asymmetric keys as implemented
in [1] seem suited. And the native availability and relative
simplicity of [2] are also attractive.

For this sort of thing, does the cryptography library provide anything
that using pre-shared keys and transmitting the computed HMAC with the
message wouldn't solve? Do either of these approaches have any
significant issues that using public-key message signing would solve?

[1] https://pynacl.readthedocs.io/en/latest/signing/
[2] https://docs.python.org/3/library/hmac.html

Thanks,

-- 
Darren Spruell
phatbuckett at gmail.com
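
The pre-shared-key approach asked about above, as an added example that is not part of the original post: a client signs each HTTP request with the standard library's hmac module and the recipient verifies it. The header names, the key table, the canonical encoding and the timestamp window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key table: client id -> pre-shared key (assumed to be
# distributed out of band, e.g. over SSH, as the post describes).
KEYS = {"node-a": b"constructed-demo-key-0123456789abcdef"}
MAX_SKEW = 300  # seconds a signed request is accepted (assumed policy)


def _canonical(client_id, ts, method, path, body):
    # Length-prefix every field so bytes cannot be shifted between fields
    # (e.g. path "/a" + body "b" versus path "/ab" + empty body).
    parts = [client_id.encode(), str(ts).encode(),
             method.upper().encode(), path.encode(), body]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_request(client_id, key, method, path, body, now=None):
    """Client side: return the headers to attach (hypothetical names)."""
    ts = int(time.time() if now is None else now)
    msg = _canonical(client_id, ts, method, path, body)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts),
            "X-Signature": tag}


def verify_request(headers, method, path, body, now=None):
    """Recipient side: True only for a fresh request from a known client."""
    now = time.time() if now is None else now
    client_id = headers.get("X-Client-Id", "")
    key = KEYS.get(client_id)
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if key is None or abs(now - ts) > MAX_SKEW:
        return False
    msg = _canonical(client_id, ts, method, path, body)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected.encode(),
                               headers.get("X-Signature", "").encode())


if __name__ == "__main__":
    hdrs = sign_request("node-a", KEYS["node-a"], "POST", "/jobs", b'{"a":1}')
    print(verify_request(hdrs, "POST", "/jobs", b'{"a":1}'))
    print(verify_request(hdrs, "POST", "/jobs", b'{"a":2}'))
```

Within the timestamp window a captured request still verifies if it is sent again; tracking recently seen timestamps or nonces per client on the recipient would close that.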

