
Passing Encrypted Tokens: The Fernet Way


Why don’t we pass everything in an encrypted form? Because encryption on its own leaves us with format problems, especially if we use salted ciphers, hash signatures (HMAC) and differing formats for our key. And for our Web applications, how do we keep compatibility with HTTP and pass values in a URL-safe way?

Well, Fernet tokens come to our rescue: they are defined as a format which integrates best practice in encryption and integrity checking. The format of the token is:

For this we have 128-bit AES in CBC (Cipher Block Chaining) mode, with an HMAC signature to prove the integrity of the message. The token has an 8-bit version number, a 64-bit timestamp, a 128-bit Initialisation Vector (IV), the ciphertext, and a 256-bit HMAC signature. The ciphertext is created in multiples of 128 bits, as AES uses a 128-bit block size. In this way we can check the date on which the data was encrypted, and the ciphertext will change each time because of the fresh IV. The token can then be sent, and used with the encryption key. We also standardise the padding method with PKCS#7 [here].

Here is an example using a SHA-256 hash of a password [here]:
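As an added example (not the original post’s code), the following Python derives the Fernet key from a SHA-256 hash of the password as described above using the cryptography library, then splits the resulting token into the fields listed in the text and re-checks the HMAC with the standard library alone. The password and message are constructed sample values.

```python
import base64, hashlib, hmac, struct
from cryptography.fernet import Fernet, InvalidToken

# Fernet token (before base64url): version 0x80 | 64-bit timestamp |
# 128-bit IV | AES-128-CBC ciphertext (PKCS#7, n*16 bytes) | HMAC-SHA256.
HEADER = struct.Struct(">BQ16s")  # version, timestamp, IV (big-endian)


def key_from_password(password: str) -> bytes:
    # Fernet wants base64url of 32 bytes: 16 signing + 16 encryption.
    # As on the page, the key is SHA-256 of the password; a slow KDF
    # (PBKDF2/scrypt) is the better choice for real passwords.
    return base64.urlsafe_b64encode(hashlib.sha256(password.encode()).digest())


def parse_token(token: bytes, key: bytes) -> dict:
    # Split the token into its fields and re-check the HMAC ourselves
    # using the signing half (first 16 bytes) of the raw key.
    raw = base64.urlsafe_b64decode(token)
    signing_key = base64.urlsafe_b64decode(key)[:16]
    version, timestamp, iv = HEADER.unpack_from(raw)
    ciphertext, tag = raw[HEADER.size:-32], raw[-32:]
    expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    return {"version": version, "timestamp": timestamp, "iv": iv,
            "ciphertext": ciphertext,
            "hmac_ok": hmac.compare_digest(tag, expected)}


def demo(password: str = "qwerty", message: bytes = b"hello") -> dict:
    key = key_from_password(password)
    f = Fernet(key)
    token = f.encrypt(message)           # fresh random IV every call
    out = parse_token(token, key)
    out["roundtrip"] = f.decrypt(token)
    # Flip one ciphertext byte: our HMAC check fails and Fernet refuses it.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[HEADER.size] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw))
    out["tampered_hmac_ok"] = parse_token(tampered, key)["hmac_ok"]
    try:
        f.decrypt(tampered)
        out["tampered_rejected"] = False
    except InvalidToken:
        out["tampered_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it prints a version of 128 (0x80), a 16-byte IV, a 16-byte ciphertext for the 5-byte message (PKCS#7 padding to one AES block), and shows the tampered token failing both the manual HMAC check and Fernet’s own decrypt.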


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice