[kwlug-disc] Fernet

Nick Guenther nguenthe at uwaterloo.ca
Tue Jan 12 22:25:04 EST 2016


If you ever have cause to write crypto code, you should know about
Fernet:

https://github.com/fernet/spec/blob/master/Spec.md
https://cryptography.io/en/latest/fernet/

It's dead-simple timestamped, authenticated encryption. You put bytes
in, you get bytes out. If you want, when you get bytes out you can ask
for an age limit.


from cryptography.fernet import Fernet, InvalidToken

key = Fernet.generate_key()  # 32 random bytes, url-safe base64; keep it secret and reuse it
f = Fernet(key)
c = f.encrypt(b"stuff")
try:
    print(f.decrypt(c, ttl=60*60))  # ttl is in seconds
except InvalidToken:
    print("Sorry, your token has expired.") #or is from a different site
    # or is simply an attempt at hacking us

This lets you do things like store account data in a client-side
session cookie. Much smaller databases on your end, slightly more
bandwidth, minimal impact on the client.
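To make the three failure cases in the snippet above concrete (expired, wrong key, tampered), here is an added example that is not from the post or from the cryptography.io project: it implements the token layout and the checks from the linked Fernet spec (version byte 0x80, 64-bit big-endian timestamp, 128-bit IV, ciphertext, HMAC-SHA256 over the rest, all url-safe base64) using only the standard library. The AES-128-CBC decryption of the ciphertext is left out because the standard library has no AES; the "ciphertext" in the demo is constructed random bytes standing in for AES output, and the 60-second clock-skew limit is the one the reference implementation uses. Function names, the key and the sample values are mine.

```python
import base64
import hashlib
import hmac
import os
import struct

VERSION = 0x80           # first byte of every Fernet token
MAX_CLOCK_SKEW = 60      # seconds a token may be "from the future" (reference implementation's limit)
TAG_LEN = 32             # HMAC-SHA256 output


class InvalidToken(Exception):
    """Raised for any failure: the caller must not learn which check failed."""


def split_key(key):
    """A Fernet key is url-safe base64 of 32 bytes: 16 signing + 16 encryption."""
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def build_token(key, timestamp, iv, ciphertext):
    """Assemble version || timestamp || iv || ciphertext and append the HMAC."""
    signing_key, _ = split_key(key)
    body = struct.pack(">BQ", VERSION, timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def verify_token(key, token, ttl=None, now=None):
    """Check MAC first, then the timestamp; return (timestamp, iv, ciphertext).

    The MAC is checked before anything else is interpreted, so a forged or
    tampered token never reaches the timestamp logic or the decryptor.
    """
    signing_key, _ = split_key(key)
    try:
        data = base64.urlsafe_b64decode(token)
    except (TypeError, ValueError):
        raise InvalidToken
    # version(1) + timestamp(8) + iv(16) + at least one AES block(16) + tag(32)
    if len(data) < 1 + 8 + 16 + 16 + TAG_LEN or data[0] != VERSION:
        raise InvalidToken
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise InvalidToken
    (timestamp,) = struct.unpack(">Q", body[1:9])
    if ttl is not None and timestamp + ttl < now:
        raise InvalidToken                        # expired
    if now + MAX_CLOCK_SKEW < timestamp:
        raise InvalidToken                        # issued too far in the future
    iv, ciphertext = body[9:25], body[25:]
    if len(ciphertext) % 16 != 0:
        raise InvalidToken                        # not whole AES-CBC blocks
    return timestamp, iv, ciphertext


def token_status(key, token, ttl, now):
    """Collapse the outcome to 'ok' or 'invalid', as an application would."""
    try:
        verify_token(key, token, ttl=ttl, now=now)
        return "ok"
    except InvalidToken:
        return "invalid"


def demo():
    """Constructed scenario covering the cases the email's comments list."""
    key = base64.urlsafe_b64encode(os.urandom(32))     # same format as Fernet.generate_key()
    other_site_key = base64.urlsafe_b64encode(os.urandom(32))
    issued = 1_452_640_000                             # constructed issue time (epoch seconds)
    iv = os.urandom(16)
    fake_ciphertext = os.urandom(32)                   # stands in for two AES-CBC blocks
    token = build_token(key, issued, iv, fake_ciphertext)

    # flip one bit inside the ciphertext region, re-encode: MAC must now fail
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw))

    return {
        "fresh":          token_status(key, token, 3600, issued + 600),
        "expired":        token_status(key, token, 3600, issued + 3601),
        "different_site": token_status(other_site_key, token, 3600, issued + 600),
        "tampered":       token_status(key, tampered, 3600, issued + 600),
        "future":         token_status(key, token, 3600, issued - MAX_CLOCK_SKEW - 1),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:15s} {status}")
```

Note that every failure surfaces as the same InvalidToken, just as in the snippet above: the caller only learns that the token is unusable, not whether it was the MAC, the age or the format that failed, which is the right amount of information to hand back to an untrusted client.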

There's no new technology here. What's new is that it's usable and
standardized. Instead of worrying about doing your padding wrong or
choosing the wrong key size or chaining mode, they've just spec'd and
sealed the current state of the art.

The library points out that using crypto in practice suffers from
> Lack of high level, “Cryptography for humans”, APIs.
and Fernet is spec'd exactly to help with that.

Everyone go star this on github right now!

Python features itsdangerous as well, which has a cute name, but only
does timestamping+signing. That *might* be useful sometimes, in
the rare case you want to give somebody a read-only datastructure,
but I would rather use Fernet by default and duplicate the
publicly-known parts of my data on the side.
