How to implement Fernet encryption with AES 256

3
votes

I'm currently using Fernet encryption which uses AES 128 keys. However my client requires using AES 256. I'm not very familiar with cryptography but here is what I understood so far.

Fernet needs a 256 bits key that is splitted in half. First half is the signing key, second one is the encryption key. As they are 128 bits long it is AES 128.

Would it be enough to double the input key and modify the implementation like below to get AES 256 ?

class Fernet(object):
    def __init__(self, key, backend=None):
        if backend is None:
            backend = default_backend()

        key = base64.urlsafe_b64decode(key) # Here 512 bits long instead of 256

        self._signing_key = key[:16] # double this
        self._encryption_key = key[16:] # double this
        self._backend = backend
2
pythonencryptioncryptographyaespython-cryptography
The 128 and 256 in AES-128 and AES-256 are the number of bits, not bytes in the key. As the Fernet documentation states: "Fernet uses ... AES in CBC mode with a 128-bit key for encryption; using PKCS7 padding."President James K. Polk
Translation mistake, thanks.May.D

2 Answers

3
votes

Yes, you could double the binary input, the input before the key was base 64 encoded. If the result is 256 bit secure depends on how the key is generated. So yes, it is possible to double the size check on the key, but that doesn't say much. If the input key material is 512 bits with a security level of 512 bits then yes, then splitting the key is fine.

Personally I would recommend (and I have recommended it in the past to Fernet) to use HKDF to derive the two keys instead of just splitting the key in two. I cannot see how the key is generated, but if it is generated by PBKDF2 - which Fernet does use to create keys from passwords - then PBKDF2 may require double the amount of work to generate 512 bits, while the attacker will only have to generate 256 bits to perform an attack (and therefore perform half of the work).

Note that using base64 encoding is not great for keys as strings are hard to delete from memory in most runtimes; it's much better if the keys are stored in a key store.

1
votes

The Fernet Specification is to use AES-128. If you modify the algorithm to use AES-256, then you would no longer be using Fernet. If it's a requirement that you use both Fernet and AES-256, I would recommend encrypting your payload independently using AES-256 and then applying the Fernet algorithm to the result. This essentially encrypts it again using AES-128.