Key derivation function with Python

Welcome to the next pikoTutorial !

In one of the previous articles we learned how to perform symmetric data encryption using Python. The last example was about direct conversion of a user provided password to the encryption key. Although it works, this is not the recommended way to do that. Today you will learn about the recommended one which is key derivation function.

Key derivation function

Below you can find the extended example of how to use PBKDF2HMAC key derivation function in Python:

<span># import utility for Base64 encoding </span><span>import</span> <span>base64</span>
<span># import Fernet </span><span>from</span> <span>cryptography.fernet</span> <span>import</span> <span>Fernet</span>
<span>from</span> <span>cryptography.hazmat.primitives.kdf.pbkdf2</span> <span>import</span> <span>PBKDF2HMAC</span>
<span>from</span> <span>cryptography.hazmat.primitives</span> <span>import</span> <span>hashes</span>
<span># import getpass for secure input reading </span><span>from</span> <span>getpass</span> <span>import</span> <span>getpass</span>
<span># read plain text password </span><span>plain_text_password</span><span>:</span> <span>str</span> <span>=</span> <span>getpass</span><span>(</span><span>prompt</span><span>=</span><span>'</span><span>Password: </span><span>'</span><span>)</span>
<span># convert the password to bytes </span><span>password_bytes</span> <span>=</span> <span>plain_text_password</span><span>.</span><span>encode</span><span>(</span><span>'</span><span>utf-8</span><span>'</span><span>)</span>
<span># some salt value for demonstration, use a secure random value in practice </span><span>salt</span> <span>=</span> <span>b</span><span>'</span><span>\x00</span><span>'</span> <span>*</span> <span>16</span>
<span># use PBKDF2HMAC to derive a secure key from the password </span><span>kdf</span> <span>=</span> <span>PBKDF2HMAC</span><span>(</span>
    <span>algorithm</span><span>=</span><span>hashes</span><span>.</span><span>SHA256</span><span>(),</span>
    <span>length</span><span>=</span><span>32</span><span>,</span>
    <span>salt</span><span>=</span><span>salt</span><span>,</span>
    <span>iterations</span><span>=</span><span>100000</span>
<span>)</span>
<span># encode the derived key with Base64 </span><span>key</span> <span>=</span> <span>base64</span><span>.</span><span>urlsafe_b64encode</span><span>(</span><span>kdf</span><span>.</span><span>derive</span><span>(</span><span>password_bytes</span><span>))</span>
<span># create a Fernet instance with the derived key </span><span>fernet</span> <span>=</span> <span>Fernet</span><span>(</span><span>key</span><span>)</span>
<span># data to be encrypted </span><span>data</span> <span>=</span> <span>b</span><span>'</span><span>Some secret data</span><span>'</span>
<span># encrypt the data </span><span>encrypted_data</span> <span>=</span> <span>fernet</span><span>.</span><span>encrypt</span><span>(</span><span>data</span><span>)</span>
<span># decrypt the data </span><span>decrypted_data</span> <span>=</span> <span>fernet</span><span>.</span><span>decrypt</span><span>(</span><span>encrypted_data</span><span>)</span>
<span># print the decrypted data </span><span>print</span><span>(</span><span>f</span><span>"</span><span>Decrypted text: </span><span>{</span><span>decrypted_data</span><span>.</span><span>decode</span><span>()</span><span>}</span><span>"</span><span>)</span>
<span># import utility for Base64 encoding </span><span>import</span> <span>base64</span>
<span># import Fernet </span><span>from</span> <span>cryptography.fernet</span> <span>import</span> <span>Fernet</span>
<span>from</span> <span>cryptography.hazmat.primitives.kdf.pbkdf2</span> <span>import</span> <span>PBKDF2HMAC</span>
<span>from</span> <span>cryptography.hazmat.primitives</span> <span>import</span> <span>hashes</span>
<span># import getpass for secure input reading </span><span>from</span> <span>getpass</span> <span>import</span> <span>getpass</span>
<span># read plain text password </span><span>plain_text_password</span><span>:</span> <span>str</span> <span>=</span> <span>getpass</span><span>(</span><span>prompt</span><span>=</span><span>'</span><span>Password: </span><span>'</span><span>)</span>
<span># convert the password to bytes </span><span>password_bytes</span> <span>=</span> <span>plain_text_password</span><span>.</span><span>encode</span><span>(</span><span>'</span><span>utf-8</span><span>'</span><span>)</span>
<span># some salt value for demonstration, use a secure random value in practice </span><span>salt</span> <span>=</span> <span>b</span><span>'</span><span>\x00</span><span>'</span> <span>*</span> <span>16</span>
<span># use PBKDF2HMAC to derive a secure key from the password </span><span>kdf</span> <span>=</span> <span>PBKDF2HMAC</span><span>(</span>
    <span>algorithm</span><span>=</span><span>hashes</span><span>.</span><span>SHA256</span><span>(),</span>
    <span>length</span><span>=</span><span>32</span><span>,</span>
    <span>salt</span><span>=</span><span>salt</span><span>,</span>
    <span>iterations</span><span>=</span><span>100000</span>
<span>)</span>
<span># encode the derived key with Base64 </span><span>key</span> <span>=</span> <span>base64</span><span>.</span><span>urlsafe_b64encode</span><span>(</span><span>kdf</span><span>.</span><span>derive</span><span>(</span><span>password_bytes</span><span>))</span>
<span># create a Fernet instance with the derived key </span><span>fernet</span> <span>=</span> <span>Fernet</span><span>(</span><span>key</span><span>)</span>
<span># data to be encrypted </span><span>data</span> <span>=</span> <span>b</span><span>'</span><span>Some secret data</span><span>'</span>
<span># encrypt the data </span><span>encrypted_data</span> <span>=</span> <span>fernet</span><span>.</span><span>encrypt</span><span>(</span><span>data</span><span>)</span>
<span># decrypt the data </span><span>decrypted_data</span> <span>=</span> <span>fernet</span><span>.</span><span>decrypt</span><span>(</span><span>encrypted_data</span><span>)</span>
<span># print the decrypted data </span><span>print</span><span>(</span><span>f</span><span>"</span><span>Decrypted text: </span><span>{</span><span>decrypted_data</span><span>.</span><span>decode</span><span>()</span><span>}</span><span>"</span><span>)</span>
# import utility for Base64 encoding import base64
# import Fernet from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes
# import getpass for secure input reading from getpass import getpass
# read plain text password plain_text_password: str = getpass(prompt='Password: ')
# convert the password to bytes password_bytes = plain_text_password.encode('utf-8')
# some salt value for demonstration, use a secure random value in practice salt = b'\x00' * 16
# use PBKDF2HMAC to derive a secure key from the password kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=100000
)
# encode the derived key with Base64 key = base64.urlsafe_b64encode(kdf.derive(password_bytes))
# create a Fernet instance with the derived key fernet = Fernet(key)
# data to be encrypted data = b'Some secret data'
# encrypt the data encrypted_data = fernet.encrypt(data)
# decrypt the data decrypted_data = fernet.decrypt(encrypted_data)
# print the decrypted data print(f"Decrypted text: {decrypted_data.decode()}")

Enter fullscreen mode Exit fullscreen mode

Key created this way is not only safer, but also no longer requires plain text password to be exactly 32 bytes long.

Note for beginners: remember that salt is mandatory to decrypt the data!

原文链接：Key derivation function with Python