From paul.l.kehrer at gmail.com Thu Apr 2 16:00:35 2020 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Thu, 2 Apr 2020 15:00:35 -0500 Subject: [Cryptography-dev] PyCA cryptography 2.9 released Message-ID: PyCA cryptography 2.9 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 2.7, Python 3.5+, and PyPy. Changelog (https://cryptography.io/en/latest/changelog/#v2-9): * BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden. * BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade. * BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed. * Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format. * BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514. * Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1f. * Added support for parsing single_extensions in an OCSP response. * NameAttribute values can now be empty strings. -Paul Kehrer (reaperhulk) From sawyer.liu at nxp.com Tue Apr 7 23:44:40 2020 From: sawyer.liu at nxp.com (Sawyer Liu) Date: Wed, 8 Apr 2020 03:44:40 +0000 Subject: [Cryptography-dev] How to conver x509 PEM to DER Message-ID: Hello, I want to know how I can convert PEM file of X509 to DER file. Thanks. Best Regards Sawyer Liu(???) Microcontrollers, NXP Semiconductors 23/F, Exchange Building, No.118 Jianguo Road, Chaoyang District, Beijing, P.R.C 100022 ????????????118?????23? ???100022 Tel: 86-10-58798328, Fax: 86-10-58798010, Mobile: 86-1800 112 6984 E-mail: sawyer.liu at nxp.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul.l.kehrer at gmail.com Thu Apr 9 15:49:15 2020 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Thu, 9 Apr 2020 14:49:15 -0500 Subject: [Cryptography-dev] How to conver x509 PEM to DER In-Reply-To: References: Message-ID: If you load it into cryptography you can serialize to DER using the public_bytes method using the appropriate encoding. You can see the docs for this method here: https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.public_bytes -Paul (reaperhulk) > On Apr 8, 2020, at 7:00 AM, Sawyer Liu wrote: > > ? > Hello, > I want to know how I can convert PEM file of X509 to DER file. Thanks. > > Best Regards > Sawyer Liu(???) > > Microcontrollers, NXP Semiconductors > 23/F, Exchange Building, No.118 Jianguo Road, Chaoyang District, Beijing, P.R.C 100022 > ????????????118?????23? ???100022 > Tel: 86-10-58798328, Fax: 86-10-58798010, Mobile: 86-1800 112 6984 > E-mail: sawyer.liu at nxp.com > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev at python.org > https://mail.python.org/mailman/listinfo/cryptography-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From lucas5zvazquez at gmail.com Tue Apr 21 08:52:18 2020 From: lucas5zvazquez at gmail.com (Lucas Vazquez) Date: Tue, 21 Apr 2020 09:52:18 -0300 Subject: [Cryptography-dev] Noob question about some data that has been leaked in encrypted form Message-ID: Hello to all devs, I'm using Fernet with Django to store some private external data in a Regulators Website. Recently, that data has been exposed in encrypted form by a mistake. Each user saw some of their data in encrypted form in the configuration view, and if it modified them, the filtered contents were modified accordingly. Could any smart user have discovered, through various changes to the fields, the secret key that I use with fernet? Have a good day -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul.l.kehrer at gmail.com Tue Apr 21 11:35:58 2020 From: paul.l.kehrer at gmail.com (Paul Kehrer) Date: Tue, 21 Apr 2020 10:35:58 -0500 Subject: [Cryptography-dev] Noob question about some data that has been leaked in encrypted form In-Reply-To: References: Message-ID: If the only thing exposed was encrypted fernet tokens then there is no way to determine the key used by those tokens short of a brute force attack. Based on what you're describing users could potentially have run a chosen plaintext attack as well, but Fernet's construction (AES-CBC with random IV + HMAC for authentication) is CPA secure. To be clear, you should still rotate keys and re-encrypt data as best practice. -Paul On Tue, Apr 21, 2020 at 7:55 AM Lucas Vazquez wrote: > > Hello to all devs, I'm using Fernet with Django to store some private external data in a Regulators Website. > Recently, that data has been exposed in encrypted form by a mistake. > Each user saw some of their data in encrypted form in the configuration view, and if it modified them, the filtered contents were modified accordingly. > Could any smart user have discovered, through various changes to the fields, the secret key that I use with fernet? > > Have a good day > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev at python.org > https://mail.python.org/mailman/listinfo/cryptography-dev