Is the Fernet cryptography module safe, and can I do AES encryption with that module?

Question

Can I do AES encryption with the Fernet cryptography module? What is Fernet, and is it safe like AES encryption?

Answer 1

Fernet made more sense before GCM came around, as correctly implementing CBC + HMAC by yourself is difficult, and the CBC mode requires padding to 16 byte blocks.

It is still safe but I would not recommend it for new systems because AES256-GCM combines encryption and authentication into the same standard protocol, which can be en/decrypted by browsers (Javascript subtle crypto API) and all other crypto libraries and tools, not just the Python cryptography module. The GCM mode is also a lot faster, reaching several gigabytes per second with AES-NI.

It is unfortunate that it is hidden deep inside the hazmat module:

import secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Generate a random secret key (AES256 needs 32 bytes)
key = secrets.token_bytes(32)

# Encrypt a message
nonce = secrets.token_bytes(12)  # GCM mode needs 12 fresh bytes every time
ciphertext = nonce + AESGCM(key).encrypt(nonce, b"Message", b"")

# Decrypt (raises InvalidTag if using wrong key or corrupted ciphertext)
msg = AESGCM(key).decrypt(ciphertext[:12], ciphertext[12:], b"")

Even with the same key and the same message, the ciphertext will always be completely different (because of a different nonce). Do note that ciphertext is always exactly 28 bytes longer than the message, so if the message length needs to be hidden, you could pad all messages to same length before encryption.

Answer 2

As Scott Arciszewski answered in a comment, Fernet is basically AES128 in CBC mode with a SHA256 HMAC message authentication code.

A full specification of the Fernet construction can be found here.