Fernet (Decode)
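Fernet is a symmetric authenticated-encryption method which makes sure that an encrypted message cannot be read or manipulated without the key. It uses URL-safe Base64 encoding for the keys and the tokens. Fernet uses 128-bit AES in CBC mode with PKCS7 padding, and HMAC using SHA256 for authentication. The IV is created from os.urandom(). This page decodes the token: the version, timestamp and IV fields are carried in the clear, so anyone holding a token can read them, while the key is needed to check the HMAC and to decrypt the message. Generate a token here: [Fernet]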
Examples

Here are some sample Fernet tokens. Can you determine the messages and when they were created?
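# https://asecuritysite.com/encryption/ferdecode
"""Decode a Fernet token field by field, then verify and decrypt it.

The first command-line argument, when given, replaces the sample token and
the second replaces the sample key.  The script prints the raw token fields,
checks the HMAC-SHA256 tag and only then decrypts the AES-CBC ciphertext.
"""
import base64
import binascii
import struct
import sys
import time

import six
from cryptography.exceptions import InvalidSignature
# InvalidToken is raised throughout decrypt(); without this import every
# rejected token would surface as a NameError instead.
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.hmac import HMAC

# A token whose timestamp lies more than this many seconds in the future is
# rejected.
_MAX_CLOCK_SKEW = 60

# Published sample values for the demonstration only; never reuse this key.
token = "gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q=="
key = "-s6eI5hyNh8liH7Gq0urPC-vzPgNnxauKvRO4g03oYI="

# NOTE: a key passed on the command line can be seen in the process list and
# may be kept in shell history; acceptable for sample keys, not for real ones.
if len(sys.argv) > 1:
    token = sys.argv[1]
if len(sys.argv) > 2:
    key = sys.argv[2]


def decrypt(self, token, ttl=None):
    """Print the fields of a Fernet token, authenticate it and decrypt it.

    Args:
        self: a ``Fernet`` instance; its ``_signing_key`` and
            ``_encryption_key`` attributes supply the HMAC and AES keys.
        token: the URL-safe Base64 token, as ``bytes``.
        ttl: maximum accepted token age in seconds, or ``None`` to skip the
            age check (the token's timestamp is then only checked against
            the future-dated limit).

    Returns:
        The decrypted, unpadded plaintext as ``bytes``.

    Raises:
        TypeError: if ``token`` is not ``bytes``.
        InvalidToken: if the token is malformed, expired, dated too far in
            the future, fails HMAC verification or has bad padding.
    """
    current_time = int(time.time())
    print("Current time:\t", time.ctime(current_time))
    print("\nToken Details")
    print("=============")

    if not isinstance(token, bytes):
        raise TypeError("token must be bytes.")

    try:
        data = base64.urlsafe_b64decode(token)
    except (TypeError, binascii.Error):
        raise InvalidToken

    # Everything printed in this section is read straight from the token
    # before the HMAC is checked: it needs no key and is unauthenticated.
    print("Decoded data: ", binascii.hexlify(bytearray(data)))
    print("======Analysis====")
    print("Version:\t", binascii.hexlify(bytearray(data[0:1])))
    print("Date created:\t", binascii.hexlify(bytearray(data[1:9])))
    print("IV:\t\t", binascii.hexlify(bytearray(data[9:25])))
    print("Cipher:\t\t", binascii.hexlify(bytearray(data[25:-32])))
    print("HMAC:\t\t", binascii.hexlify(bytearray(data[-32:])))
    print("======Converted====")

    # The first byte is the version marker and must be 0x80.
    if not data or six.indexbytes(data, 0) != 0x80:
        raise InvalidToken

    try:
        # Bytes 1-8 hold the creation time as a big-endian 64-bit integer.
        timestamp, = struct.unpack(">Q", data[1:9])
        print("Time stamp:\t", timestamp)
        print("Date created:\t", time.ctime(timestamp))
    except struct.error:
        raise InvalidToken

    if ttl is not None:
        if timestamp + ttl < current_time:
            raise InvalidToken
    if current_time + _MAX_CLOCK_SKEW < timestamp:
        raise InvalidToken

    # NOTE(review): newer releases of cryptography appear not to keep a
    # _backend attribute on Fernet; fall back to None (the library default)
    # rather than failing with AttributeError - confirm against the
    # installed version.
    backend = getattr(self, "_backend", None)

    # Authenticate before decrypting: the tag covers version, timestamp, IV
    # and ciphertext, and verify() compares it with the trailing 32 bytes.
    h = HMAC(self._signing_key, hashes.SHA256(), backend=backend)
    h.update(data[:-32])
    try:
        h.verify(data[-32:])
    except InvalidSignature:
        raise InvalidToken

    iv = data[9:25]
    print("IV:\t\t", binascii.hexlify(iv))
    ciphertext = data[25:-32]
    decryptor = Cipher(
        algorithms.AES(self._encryption_key), modes.CBC(iv), backend
    ).decryptor()
    plaintext_padded = decryptor.update(ciphertext)
    try:
        plaintext_padded += decryptor.finalize()
    except ValueError:
        raise InvalidToken

    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    unpadded = unpadder.update(plaintext_padded)
    try:
        unpadded += unpadder.finalize()
    except ValueError:
        raise InvalidToken

    # The recovered message goes to stdout; redirect or drop this line when
    # the plaintext is sensitive.
    print("Decoded:\t", unpadded)
    return unpadded


f = Fernet(key)
# No ttl is passed, so the token's age is not enforced here; a service that
# accepts Fernet tokens should pass a ttl so that old tokens are rejected.
decrypt(f, token.encode())

# Sample run
# ----------
# Token: gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q==
# Current time:    Wed Sep 30 13:30:32 2015
#
# Token Details
# =============
# Decoded data:    8000000000560bd3fbfbd46cc53cff770c61f7e3b655407b221f140902f5fd9938b2ec67902bdbdba21ee22f0749427871a1d9ba236d8cb977a9f982bff7d2dff5698cbec7c42cfbfd
# ======Analysis====
# Version:         80
# Date created:    00000000560bd3fb
# IV:              fbd46cc53cff770c61f7e3b655407b22
# Cipher:          1f140902f5fd9938b2ec67902bdbdba2
# HMAC:            1ee22f0749427871a1d9ba236d8cb977a9f982bff7d2dff5698cbec7c42cfbfd
# ======Converted====
# Time stamp:      1443615739
# Date created:    Wed Sep 30 13:22:19 2015
# IV:              fbd46cc53cff770c61f7e3b655407b22
# Decoded:         password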