[Cryptography-dev] Noob question about some data that has been leaked in encrypted form

Paul Kehrer paul.l.kehrer at gmail.com
Tue Apr 21 11:35:58 EDT 2020


If the only thing exposed was encrypted Fernet tokens then there is no
way to determine the key used by those tokens short of a brute force
attack. Based on what you're describing users could potentially have
run a chosen plaintext attack as well, but Fernet's construction
(AES-CBC with random IV + HMAC for authentication) is CPA secure.

To be clear, you should still rotate keys and re-encrypt data as best practice.

-Paul

On Tue, Apr 21, 2020 at 7:55 AM Lucas Vazquez <lucas5zvazquez at gmail.com> wrote:
>
> Hello to all devs, I'm using Fernet with Django to store some private external data in a Regulators Website.
> Recently, that data has been exposed in encrypted form by a mistake.
> Each user saw some of their data in encrypted form in the configuration view, and if they modified them, the filtered contents were modified accordingly.
> Could any smart user have discovered, through various changes to the fields, the secret key that I use with Fernet?
>
> Have a good day
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
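
The key rotation recommended in the reply above, sketched with the `cryptography` library's `MultiFernet` (an added example, not part of the original thread; the keys and record values are constructed samples). It also shows that a token a user has edited fails authentication instead of decrypting.

```python
import base64
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

def decrypts_with(key: bytes, token: bytes) -> bool:
    """True if `token` authenticates and decrypts under `key`."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False

def tamper(token: bytes) -> bytes:
    """Flip one ciphertext bit, standing in for a user editing the exposed field.
    Token layout: version(1) | timestamp(8) | IV(16) | ciphertext | HMAC(32)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[25] ^= 0x01  # first ciphertext byte
    return base64.urlsafe_b64encode(bytes(raw))

def rotate_tokens(tokens, new_key: bytes, old_key: bytes):
    """Re-encrypt stored tokens under new_key. MultiFernet encrypts with the
    first key in the list and tries each key in turn when decrypting."""
    ring = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return [ring.rotate(t) for t in tokens]

if __name__ == "__main__":
    # Constructed sample keys and records.
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    stored = [Fernet(old_key).encrypt(v) for v in (b"licence-0001", b"licence-0002")]
    print("edited token accepted:", decrypts_with(old_key, tamper(stored[0])))
    rotated = rotate_tokens(stored, new_key, old_key)
    print("rotated readable with new key:", all(decrypts_with(new_key, t) for t in rotated))
    print("rotated readable with old key:", any(decrypts_with(old_key, t) for t in rotated))
```

Once every stored token has been rotated, the old key can be removed from the application's configuration.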

