
Cryptography module is Fernet safe and can I do AES encryption with that module?

Can I do AES encryption with the cryptography module? What is Fernet, and is it as secure as AES encryption?

As Scott Arciszewski answered in a comment, Fernet is basically AES128 in CBC mode with a SHA256 HMAC message authentication code.

A full specification of the Fernet construction can be found here.

Fernet made more sense before GCM came around, as correctly implementing CBC + HMAC by yourself is difficult, and the CBC mode requires padding to 16-byte blocks.

It is still safe but I would not recommend it for new systems because AES256-GCM combines encryption and authentication into the same standard protocol, which can be en/decrypted by browsers (JavaScript subtle crypto API) and all other crypto libraries and tools, not just the Python cryptography module. The GCM mode is also a lot faster, reaching several gigabytes per second with AES-NI.

It is unfortunate that it is hidden deep inside the hazmat module:

import secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Generate a random secret key (AES256 needs 32 bytes)
key = secrets.token_bytes(32)

# Encrypt a message
nonce = secrets.token_bytes(12)  # GCM mode needs 12 fresh bytes every time
ciphertext = nonce + AESGCM(key).encrypt(nonce, b"Message", b"")

# Decrypt (raises InvalidTag if using wrong key or corrupted ciphertext)
msg = AESGCM(key).decrypt(ciphertext[:12], ciphertext[12:], b"")

Even with the same key and the same message, the ciphertext will always be completely different (because of a different nonce). Do note that ciphertext is always exactly 28 bytes longer than the message, so if the message length needs to be hidden, you could pad all messages to the same length before encryption.
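
To make the "AES128 in CBC mode with a SHA256 HMAC" description concrete, the following added example (not part of the original answer or of the cryptography project) takes a Fernet token apart by hand, following the token layout in the Fernet specification. The function name dissect_fernet is hypothetical, the sample key and token are constructed on the spot, and the timestamp/TTL check that Fernet can perform is deliberately left out.

```python
import base64
import hashlib
import hmac
import struct

from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def dissect_fernet(key_b64: bytes, token: bytes) -> dict:
    """Verify and decrypt a Fernet token by hand (hypothetical helper, no TTL check)."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    signing_key, encryption_key = key[:16], key[16:]  # two 128-bit halves

    raw = base64.urlsafe_b64decode(token)
    # version (1) | timestamp (8) | IV (16) | ciphertext (>= 16) | HMAC (32)
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a version 0x80 Fernet token")
    signed, tag = raw[:-32], raw[-32:]

    # Authenticate first: HMAC-SHA256 over version | timestamp | IV | ciphertext.
    expected = hmac.new(signing_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong key or modified token")

    timestamp = struct.unpack(">Q", raw[1:9])[0]
    iv, ciphertext = raw[9:25], raw[25:-32]

    # Only then decrypt: AES-128-CBC followed by PKCS7 unpadding.
    decryptor = Cipher(algorithms.AES(encryption_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    return {"timestamp": timestamp, "iv": iv,
            "ciphertext": ciphertext, "plaintext": plaintext}


if __name__ == "__main__":
    key = Fernet.generate_key()               # constructed sample key
    token = Fernet(key).encrypt(b"Message")   # constructed sample token
    parts = dissect_fernet(key, token)
    print(parts["plaintext"], len(parts["ciphertext"]), parts["timestamp"])
```

The 7-byte message comes back as a 16-byte CBC ciphertext because of the block padding, and the token carries a 32-byte HMAC on top, compared with the fixed 28-byte overhead of the AES-GCM code above.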
