If you’re struggling picking a Crypto suite … Fernet may be the answer

We are starting to see a whole lot of software developers getting interested in cryptography, especially in assessing for vulnerabilities within applications. So for someone faced with RSA, AES, BCrypt, 3DES, DES, MD5, HMAC, private keys, public keys, and so on, you might think it was impossible to decide which is the best way to go. But luckily there’s a cipher suite that tries to implement best practice … Fernet [here]:

Key: 4c504a4e756c2d776f77346d3644737178626e696e687357486c776670304a656377517a59704f4c6d43513d
Cipher: 67414141414142625a7930326f316c433138624e43755a56646d3939396362384537725577334d6765644449516f757a7976694b59337155617131703655744577424a2d616d484f4b7031413630356a7a50433039595750424c4a634833433271773d3d
Plain text: hello world

So what is Fernet?

Fernet is a symmetric encryption method which makes sure that the encrypted message cannot be manipulated or read without the key. It uses URL-safe encoding for the keys. Fernet also uses 128-bit AES in CBC mode and PKCS7 padding, with HMAC using SHA256 for authentication. The IV is created from os.urandom(). All of this is the kind of thing that good software needs.

AES is top drawer encryption, and SHA-256 avoids many of the problems caused by MD5 and SHA-1 (as the length of their hash values is too small). With CBC (Cipher Block Chaining) we get a salted output, which is based on a random value (the IV value). And with HMAC, both sides can authenticate the token using the shared key.

And for PKCS7, that’s a standard too. Fernet is used to define best practice cryptography methods, and Hazmat supports core cryptographic primitives.

The token has a version number, a time stamp, the IV, the cipher text and an HMAC signature:

  • Version: 8 bits.
  • Timestamp: 64 bits.
  • IV: 128 bits.
  • Ciphertext — variable length: Multiple of 128 bits.
  • HMAC: 256 bits.

We end up with a token which has a Base-64 format:

gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q==

A sample run gives [here]:

Token:  gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q==
Current time: Wed Sep 30 13:30:32 2015
Token Details
=============
Decoded data: 8000000000560bd3fbfbd46cc53cff770c61f7e3b655407b221f140902f5fd9938b2ec67902bdbdba21ee22f0749427871a1d9ba236d8cb977a9f982bff7d2dff5698cbec7c42cfbfd
======Analysis====
Version: 80
Date created: 00000000560bd3fb
IV: fbd46cc53cff770c61f7e3b655407b22
Cipher: 1f140902f5fd9938b2ec67902bdbdba2
HMAC: 1ee22f0749427871a1d9ba236d8cb977a9f982bff7d2dff5698cbec7c42cfbfd
======Converted====
Time stamp: 1443615739
Date created: Wed Sep 30 13:22:19 2015
IV: fbd46cc53cff770c61f7e3b655407b22
Decoded: password

Decrypting

When used with a key we can decode [here]. Here are some sample Fernet tokens. Can you determine the messages and when they were created?

  • Token="gAAAAABWC9itaE9nFdqmI48kW6eTxUgTN4QRMHztr9buhiJVlRxxlDcdSdWuD7zb9apkYdeJ1LNh_DBM4WgiZW1WlejIJdUzWQ==", key="JGMZNCmpDjpN2Jz10wMcF9kXc1vM8QC1nuxHB2gjIgY=".
  • Token="gAAAAABWC9mx6EZuXA4_903Vw01LpmxxeQsfFmiXUC3arejQ4NTExSYER2NGjXnoaN051qIpbZaHqzMvz9BJT8FmwjWCoHW3Iy-KFLnEVZaznVfa5Yvplzg=", key="ZocYZaBsHlv7qm_uRh7BOa_KBYvsQRsVv-e7oarTGUA=".
  • Token="gAAAAABWC9sLMfNlyVGFBXjoDkju9X0MQolE9IRHfDF1-UL2x8ZQQMSEkXRfAFNzdnsF0tupW7rxpu9Jw1MqEpQahDwV6m24azVdn0Mctu_v4-VXFqi9cGQy_DmfZK_CuKxoGkaUElw_", key="d3tqBFPIAjF9Sa12E0GjWefSfcIAEXxi6Y64EY7fmlY=".
  • Token="gAAAAABWDDX4bYvLWNMcYDJjT_D5EzQps7i4FW6RlbF50s7b9BqFpBuvlhxdI3UeO8mbje-NfxSir-invL1F_CKipGCH-jXH4VlB6k0AOqjdsfmuLoCxjlJkvJcs_J1YXMzZDY4nQG35oxm8bNzHcr8ZPMpZIvWXUs3lKe2h8BymZiWBZOoxkFxETvEJ2-bbm8c9ODa6XkTZ6E70621BXTKSTPM5OXuBmSL3h2sCbv6WXreux6yUyD0=", key="tkk5Ot6O34drSnyPE1HHBd6C7G1TjLW9ypBz3g854HE=".

Autokeying — creating a lock-out

The key generated is a URL-safe base64-encoded key with 32 bytes. When the message is encrypted, the token contains the time it was generated, in plaintext. If we use:

decrypt(token,TTL)

then an exception is raised if the token was created more than TTL seconds ago. An example of autokeying is here.
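The token layout listed earlier and the TTL check described here can both be exercised with the Python standard library alone. The following is an added example, not code from the original article or from the cryptography package: it parses the token from the sample run, then checks the HMAC and the age of a constructed token. KEY, the function names and the HMAC-before-age ordering are assumptions of this sketch, and AES decryption is left out.

```python
import base64, hashlib, hmac, struct, time

# Token from the sample run above; KEY is constructed for this example only.
PAGE_TOKEN = ("gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNt"
              "jLl3qfmCv_fS3_VpjL7HxCz7_Q==")
KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()

def parse(token):
    """Split a token into its five fields; no key is needed for this."""
    raw = base64.urlsafe_b64decode(token)
    # 57 bytes of framing (1 + 8 + 16 + 32) around at least one 16-byte AES block
    if len(raw) < 73 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        raise ValueError("not a Fernet token")
    return {"version": raw[0], "timestamp": struct.unpack(">Q", raw[1:9])[0],
            "iv": raw[9:25], "ciphertext": raw[25:-32], "hmac": raw[-32:],
            "signed": raw[:-32]}  # the HMAC covers every byte before it

def sign(key, body):
    # The first 16 bytes of the 32-byte key sign; the last 16 are the AES key.
    return hmac.new(base64.urlsafe_b64decode(key)[:16], body, hashlib.sha256).digest()

def verify(token, key, ttl=None, now=None):
    """Run the checks that must pass before any AES-CBC decryption."""
    t = parse(token)
    if not hmac.compare_digest(sign(key, t["signed"]), t["hmac"]):
        return "bad-hmac"
    now = time.time() if now is None else now
    if ttl is not None and t["timestamp"] + ttl < now:
        return "expired"
    return "ok"

def demo():
    # Constructed token: real framing and HMAC, zero bytes standing in for
    # the IV and ciphertext (AES itself needs a third-party library).
    created = 1443615739
    body = b"\x80" + struct.pack(">Q", created) + bytes(32)
    tag = sign(KEY, body)
    good = base64.urlsafe_b64encode(body + tag).decode()
    # Same token with the plaintext timestamp pushed forward but the old HMAC.
    edited = b"\x80" + struct.pack(">Q", created + 3600) + bytes(32)
    bad = base64.urlsafe_b64encode(edited + tag).decode()
    return (verify(good, KEY, ttl=60, now=created + 30),
            verify(good, KEY, ttl=60, now=created + 61),
            verify(bad, KEY, ttl=60, now=created + 61))

if __name__ == "__main__":
    print({k: v.hex() if isinstance(v, bytes) else v for k, v in parse(PAGE_TOKEN).items()})
    print(demo())
```

The timestamp is readable by anyone holding the token, but because it sits inside the HMAC-covered bytes, editing it to extend a token's lifetime fails verification.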

Conclusions

So there you go … if you’re struggling to choose your crypto in your apps … you could do worse than select Fernet. For some reason, our industry still struggles to use encryption properly. With Fernet, we have, at least, a standardised token library which is fairly easy to integrate into many applications. The autokeying function, too, limits the usage of brute force attempts.
