| Alex Gaynor | f6c47e9 | 2013-08-08 07:16:01 -0700 | [diff] [blame] | 1 | Symmetric Encryption |
| 2 | ==================== |
| 3 | |
| 4 | Symmetric encryption is a way to encrypt (hide the plaintext value) material |
| 5 | where the encrypter and decrypter both use the same key. |
| 6 | |
| 7 | Block ciphers |
| 8 | ------------- |
| 9 | |
| 10 | Block ciphers work by encrypting content in chunks, often 64- or 128-bits. They |
| 11 | combine an underlying algorithm (such as AES), with a mode (such as CBC, CTR, |
| 12 | or GCM). A simple example of encrypting content with AES is: |
| 13 | |
| 14 | .. code-block:: pycon |
| 15 | |
| Alex Gaynor | f6c47e9 | 2013-08-08 07:16:01 -0700 | [diff] [blame] | 16 | >>> from cryptography.primitives.aes import AES |
| Alex Gaynor | a4f529e | 2013-08-08 11:29:06 -0700 | [diff] [blame] | 17 | >>> from cryptography.primitives.block import BlockCipher, CBC |
| Alex Gaynor | f6c47e9 | 2013-08-08 07:16:01 -0700 | [diff] [blame] | 18 | >>> cipher = BlockCipher(AES(key), CBC(iv)) |
| 19 | >>> cipher.encrypt("my secret message") + cipher.finalize() |
| 20 | # The ciphertext |
| 21 | [...] |
| 22 | |
| Alex Gaynor | 0ca7fdb | 2013-08-08 07:35:26 -0700 | [diff] [blame] | 23 | Here ``key`` is the encryption key (which must be kept secret), and ``iv`` is |
| Alex Gaynor | e786943 | 2013-08-08 07:39:26 -0700 | [diff] [blame] | 24 | the initialization vector (which must be random). Exactly what form these |
| Alex Gaynor | 0ca7fdb | 2013-08-08 07:35:26 -0700 | [diff] [blame] | 25 | values should take is described for each of the ciphers and modes. |
| 26 | |
| 27 | ``encrypt()`` should be called repeatedly with additional plaintext, and it |
| 28 | will return the encrypted bytes, if there isn't enough data, it will buffer it |
| 29 | internally. ``finalize()`` should be called at the end, and will return |
| 30 | whatever data is left. |
| Alex Gaynor | d96d100 | 2013-08-08 07:37:26 -0700 | [diff] [blame] | 31 | |
| 32 | Ciphers |
| 33 | ~~~~~~~ |
| 34 | |
| Alex Gaynor | 5ba2dfa | 2013-08-08 11:04:44 -0700 | [diff] [blame] | 35 | .. class:: cryptography.primitives.aes.AES(key) |
| 36 | |
| Alex Gaynor | 1e3f81f | 2013-08-08 11:31:43 -0700 | [diff] [blame^] | 37 | AES (Advanced Encryption Standard) is a block cipher standardized by NIST. |
| Alex Gaynor | 5ba2dfa | 2013-08-08 11:04:44 -0700 | [diff] [blame] | 38 | AES is both fast, and cryptographically strong. It is a good default |
| 39 | choice for encryption. |
| 40 | |
| 41 | :param bytes key: The secret key, either ``128``, ``192``, or ``256`` bits. |
| Alex Gaynor | 48ec9a3 | 2013-08-08 11:13:46 -0700 | [diff] [blame] | 42 | This must be kept secret. |
| Alex Gaynor | 5ba2dfa | 2013-08-08 11:04:44 -0700 | [diff] [blame] | 43 | |
| Alex Gaynor | d96d100 | 2013-08-08 07:37:26 -0700 | [diff] [blame] | 44 | |
| 45 | Modes |
| 46 | ~~~~~ |
| 47 | |
| Alex Gaynor | a4f529e | 2013-08-08 11:29:06 -0700 | [diff] [blame] | 48 | .. class:: cryptography.primitives.block.CBC(initialization_vector) |
| Alex Gaynor | 48ec9a3 | 2013-08-08 11:13:46 -0700 | [diff] [blame] | 49 | |
| 50 | CBC (Cipher block chaining) is a mode of operation for block ciphers. It is |
| 51 | considered cryptographically strong. |
| 52 | |
| 53 | :param bytes initialization_vector: Must be random bytes. They do not need |
| 54 | to be kept secret (they can be included |
| Alex Gaynor | c651f76 | 2013-08-08 11:17:56 -0700 | [diff] [blame] | 55 | in a transmitted message). Should be |
| 56 | the same number of bytes as the ``key`` |
| 57 | for the cipher. |
| Alex Gaynor | 1c1bad6 | 2013-08-08 11:27:47 -0700 | [diff] [blame] | 58 | ``initialization_vectors`` should never |
| 59 | be reused across different messages. |