<a href="https://colab.research.google.com/github/taylan-sen/intro_jupyter_notebooks/blob/main/fernet_symmetric_encryption.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

This notebook provides a summary of how to use


### The python **cryptography** package:  


The cryptography package is a robust, well-documented library for cryptographic operations in Python. It provides various cryptographic recipes and primitives to implement secure encryption, decryption, hashing, and more.

Key Features:

* Symmetric Encryption: AES, ChaCha20, Fernet, etc.
* Asymmetric Encryption: RSA, DSA, Elliptic Curve Cryptography.
*  Key Derivation: PBKDF2, Scrypt, HKDF.
* Message Authentication: HMAC.
* Digital Signatures: RSA, DSA, ECDSA.
* Hashing Algorithms: SHA-256, SHA-512, BLAKE2.
* Certificate Management: X.509 certificates, TLS/SSL.  

<hr>

### python organization

* A python **class** is a combination of functions and variables into a unit (for following the *object oriented* coding paradigm).  

* A python **module** is a python file that can be *imported* to provide additional functions, classes, constants, or variables.

* A python **package** is a directory containing python modules along with any necessary initialization code.

* Classes, modules, and packages help organize code into meaningful reusable units.

<hr>

In the **cryptography** package, there are two moduels:  
 * cryptography.fernet: Module for symmetric encryption.
 * cryptography.hazmat: Module for low-level cryptographic primitives.




### **Fernet**
<img src="FernetImage.jpg" width="300px">.

Within the cryptography.fernet module is the **Fernet** class which provides a relatively simple-to-use symmetric encryption scheme.

* **Encryption**: The process of converting a message (plaintext) into an unreadable code (ciphertext) using an algorithm and a key to protect the data from unauthorized access.

* **Decryption**: The process of converting ciphertext back into plaintext using a key, allowing the original data to be read.

* **Plaintext**: The original, readable data or message before it is encrypted.

* **Ciphertext**: The encrypted form of data that is not readable without decryption.

* **Key**: A piece of information used in cryptographic algorithms to perform encryption and decryption, ensuring data security; a password used to encrypt data can be refered to as a key.

* **Symmetric encryption** - a method of encryption and decryption in which the same key is usd to encrypt and decrypt (contrast with asymmetric encryption, such as public-private key encryption, which uses a different key to encrypt and decrypt).


<img src="https://www.inviul.com/wp-content/uploads/2016/11/Cryptosytem.gif" width="500px">


<h2>Confidentiality, Integrity, and Authentication</h2>


<table>
    <thead>
        <tr>
            <th>Aspect</th>
            <th>Definition</th>
            <th>Objective</th>
            <th>Example Techniques</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>Confidentiality</td>
            <td>Protects data from unauthorized access or disclosure.</td>
            <td>Ensures data privacy.</td>
            <td>Encryption (AES, RSA), Access Controls</td>
        </tr>
        <tr>
            <td>Integrity</td>
            <td>Ensures data is not altered or tampered with.</td>
            <td>Ensures data accuracy.</td>
            <td>Hashing (SHA-256), HMAC, Digital Signatures</td>
        </tr>
        <tr>
            <td>Authentication</td>
            <td>Verifies the identity of a user, system, or data source.</td>
            <td>Ensures data origin.</td>
            <td>Passwords, Public/Private Keys, Certificates</td>
        </tr>
    </tbody>
</table>

<br>
<br>

Fernet uses:
* Confidentiality:
  * AES-128 encryption - this encryption algorithm is generally viewed as being good enough, giving a reasonable tradeoff in terms of speed and strength.
* Integrity:
  * HMAC-SHA256 -
    * Hash-Based Message Authentication Code
    * SHA256 - Secure Hash Algorithm 256 bit
* Authentication: HMAC with a secret key

## Fernet Code

The Fernet class is where most of the symmetric encryption functionality you will typical use is located. You must first import this class using:


    from cryptography.fernet import Fernet


### Using a generated key

Fernet can be used to generate the keys used to encrypt and decrypt data. The Fernet key format is 44 characters long, which is 32 bytes, which is 256 bits.  


example fernet key (the leading b causes the data type to be bytes):

    b'Gxw1V_huXqG6e8w24GzVxIxDt3ZUlCIIIhlj9MTlA_M='

The function to generate a key is a static method (i.e. a function defined in a class that does not require an instance of the class to be called, and is associated with the class, not the instances).

    new_key = Fernet.generate_key()

### Encryption and Decryption

In order to encrypt and decrypt, a Fernet object needs to be instantiated with the key. From this object the encrypt() and decrypt() methods can then be called.

    my_key = b'Gxw1V_huXqG6e8w24GzVxIxDt3ZUlCIIIhlj9MTlA_M='
    fernet_object = Fernet(my_key)
    plain_text = 'Hello world!"
    cipher_text = fernet_object.encrypt(plain_test.encode())
    decrypted_text = fernet_object.decrypt().decode()


Note that python strings must be converted to bytes before encrypting. This can be done as shown above with the string method **encode()**. Similarly, bytes can be converted to str using **decode()**.  

The code cells below provide complete working examples.

In [None]:
# GENERATE KEY AND ENCRYPT

from cryptography.fernet import Fernet

key = Fernet.generate_key()
fernet_object = Fernet(key)
print(f'Key:  {key}')
plain_text = 'I like chicken'
cipher_text = fernet_object.encrypt(plain_text.encode())

print(f'Encrypted: {cipher_text}')


Key:  b'dV6wm0_WCHxcceRSLgqt7G1VfZblYaTbQ3-03lNkT9c='
Encrypted: b'gAAAAABoK1bsFW1IT0JtkGKniAQJ7JL9pjhL4A6R0WfGKqVs5oZCbAjF5zlDGbyH3nU4fExfy2Fl-0COV6kDwmXY-cLc1nDPcg=='


In [None]:
# DECRYPT (AFTER LOADING KEY AND CIPHERTEXT)
key = b'sYx-yIoC0l6eAm9fzFLC4VPioIWx8f0QiAVltUbexrQ='
cipher_text = b'gAAAAABoKhhKB6ELTGD9TSx6B9jdazVviHVXfZ-cXDNlY5AsMWULBxnBflqB2LRnH3Bqw3l_WkGhCvbUWWnTNCznlTc3jn1qCg=='

fernet = Fernet(key)
plain_text2 = fernet.decrypt(cipher_text).decode()
print(f'Decrypted: {plain_text2}')


Decrypted: I like chicken


### **Using a short password** - Password-Based Key Derivation Function 2 (PBKDF2) using Hash-based Message Authentication Code (HMAC)

A fernet key, with its 44 character length (256 bits), is typically too hard for most people to memorize, and is even a chore to manually write down or type. Fernet itself does not directly support transforming a short password into a 44-character key. However, the python **hashlib** module provides the pbkdf2_hmac method of transforming a short password into a secure 44 character (256 bit) key. This method takes special steps to protect from a cryptoraphic vulnerability associated with short passwords known as a **precomputation attack** (aka rainbow table attack).  

In summary, the hashlib module's pbkdf2_hmac() function uses a one-way function (e.g. a "secure hash function" such as SHA256) to produce a 256 bit key from a short phrase. The short phrase is concatenated with a short random phrase (**salt**), and then passed through the hashfunction multiple iterations.  

Fernet also requires that the key be "URL-safe", meaning it should only consist of characters which can safely be included in URL query parameters (e.g. no + or /).  The code below uses the python base64 module's urlsafe_b64encode function to make the key from pbkdf2_hmac() URL-safe.


In [2]:
from cryptography.fernet import Fernet
from hashlib import pbkdf2_hmac
from base64 import urlsafe_b64encode


password = 'Hello world'
salt = 'palssjrrkwasdfaEKalWds'  # the salt should be randomly generated
key = pbkdf2_hmac('sha256', password.encode(), salt.encode(), 100000)
url_safe_key = urlsafe_b64encode(key)
fernet = Fernet(url_safe_key)
msg = 'I like chicken'
encrypted = fernet.encrypt(msg.encode())
decrypted = fernet.decrypt(encrypted).decode()

print(encrypted)
print(decrypted)

b'gAAAAABoK6lz2HyPiC_13mYuJazRooCfoRgiA17LP4xnJ8dM_iJg_WvvS3fKauaeMINpEPEnNVVK9x1F0TRLdxDrV3Kbk3X-yg=='
I like chicken
