Join us and get access to hundreds of tutorials and a community of expert Pythonistas.

Unlock This Lesson

This lesson is for members only. Join us and get access to hundreds of tutorials and a community of expert Pythonistas.

Unlock This Lesson

Hint: You can adjust the default video playback speed in your account settings.
Hint: You can set the default subtitles language in your account settings.
Sorry! Looks like there’s an issue with video playback 🙁 This might be due to a temporary outage or because of a configuration issue with your browser. Please see our video player troubleshooting guide to resolve the issue.

Using Fernet Ciphers to Secure Your Content

00:00 In the previous lesson, I gave you a brief introduction to cryptography and showed you some frequency analysis used to break that cryptography. In this lesson, I’m going to talk about far stronger ciphers and how to truly secure your content.

00:14 Coming up with secure cryptographic schemes is difficult, so you probably shouldn’t do it yourself. Luckily, there’s libraries that can do all that for you.

00:24 The one I’m going to be showing you is Python’s cryptography. You can install that using pip install cryptography. Because it’s going to be so strong, I’m also going to need to write a client that can read the messages from the server. The requests library is an excellent way of talking to a web server.

00:41 I’m going to be using that to fetch the secure message before decrypting it using the cryptography library. You’ll need to pip install requests, as well.

00:51 Once you have the Python library installed, you can import the Fernet cipher from it. Fernet is a symmetric coding mechanism, so first off, you’re going to need a secret key.

01:04 There’s a method in the module that will generate a key for you, and here it is. Notice that this is binary data. Once you have that key, you can create a cipher by instantiating a Fernet object, passing in that key.

01:19 The cipher can then be used to encrypt some text. Notice that the text also needs to be in binary. This is just how the library works.

01:31 The enciphered text is that easy-to-read mess. Using the same cipher object and the encrypted text, you can decrypt. And there it is—the original data. Getting encryption right is difficult. You should never implement it yourself.

01:48 You should always be using a library. You’ve already seen how frequency analysis can cause problems for someone using a cipher. Block ciphers get around this by grouping chunks of text together.

02:00 This makes frequency analysis far more difficult. AES encryption is a strong industry standard. It uses 128-bit keys and blocks. You can use longer keys with it by cycling through the algorithm multiple times.

02:16 Fernet, which I’ve just demonstrated, is an implementation of the AES cipher using a specific padding mechanism so that each block is of a certain size.

02:27 This is a modified version of the Flask server from earlier. This time, taking advantage of Fernet enciphering. Lines 9 and 10 create the Fernet cipher based on a secret key passed in as an environment variable. Lines 14 and 15 replace the previous response of the cleartext message with an encrypted one. Here it is on the command line.

02:49 Start by passing in the environment variable, paste in a key, run the client, and there’s the server running on port 5684, like before.

03:04 Hit that with curl

03:07 and you get back an encrypted response. For the members of your club to be able to read this, they’re going to need to be able to decrypt this message.

03:17 This is a client program that will talk to the server using requests, and then decrypt based on a key. Lines 10 and 11 is where the requests library hits the server on port 5684 and gets the response. Lines 13 and 14 uses the fernet library to decrypt the response.

03:37 15 prints the decrypted response to the screen. Let’s see that in action. Once again—environment variable, pasting in the key, run the client, and you get back the decrypted response shhhh, this is a secret. To demonstrate this is truly secure, I’m going to pass in a bad key. Give me a second.

04:05 Here it is. And an exception. The cryptography library raises an InvalidToken exception, denoting that the key passed in could not be used to decrypt the message. Without the right key, you can’t view the message. Your message is secure.

04:23 Here, I’m back in Wireshark to look at the message. Still on the Loopback interface, still on port 5684. In another window, I’ve got the server running, and here’s the content.

04:38 Once again, applying the http filter, you can see the GET and the response. The GET hasn’t changed,

04:49 but the response has. The body of the response is the encrypted text. If someone were using Wireshark to eavesdrop on your connection, they wouldn’t be able to see your message. They’d only see the encrypted content.

05:05 Using a Fernet cipher has given you a strong encryption on your server. The problem you now have is managing keys. Anytime you add a member to your club, someone who you want to be able to read the message, you have to distribute the keys.

05:19 What happens if you suspect a key has been leaked and you need to change the key? Or, what happens if someone leaves your group? You’ll need to issue new keys for all the remaining members in order to keep it private.

05:31 This key management problem is difficult and it’s why asymmetric encryption has become so popular. Next up in the continued journey towards understanding HTTPS—how asymmetric key exchange works.

Become a Member to join the conversation.