Fernet: HMAC Key size smaller than SHA-256 output size #2863

Closed
wkral opened this issue Mar 29, 2016 · 1 comment

Comments

@wkral commented Mar 29, 2016

Discovered this by browsing issues in the spec: fernet/spec#8, which points to the HMAC RFC stating that it isn't a great idea to have a key size smaller than the algorithm's output size: https://tools.ietf.org/html/rfc2104#section-3

This is further supported by the SHA-256+ RFC, https://tools.ietf.org/html/rfc4868#section-2.1.1, which states that the key length MUST be equal to the output length.

The Fernet code selecting AES-128 and SHA-256 has a combined key of 32 bytes or 256 bits and enforces that size in the code. With those selected algorithms the key size should be 128 + 256 or 384 bits total.
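The key split the issue describes, as an added illustration (not code from the issue or from the cryptography project): a 32-byte Fernet key is cut into a 16-byte HMAC-SHA256 signing key and a 16-byte AES-128 key, so the HMAC key is 16 bytes shorter than the SHA-256 output length RFC 4868 asks for. The 48-byte `split_proposed_key` layout is a hypothetical reading of the "128 + 256 bits" suggestion above, not anything the spec defines; the sample key and token body are constructed.

```python
import base64
import hashlib
import hmac

# Fernet spec layout, as the issue describes it: a 32-byte key whose first
# 16 bytes are the HMAC-SHA256 signing key and last 16 bytes the AES-128 key.
SIGNING_KEY_LEN = 16
ENCRYPTION_KEY_LEN = 16
HMAC_OUTPUT_LEN = hashlib.sha256().digest_size  # 32 bytes

def split_fernet_key(key_b64: bytes) -> tuple:
    """Decode a url-safe base64 Fernet key into (signing_key, encryption_key)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != SIGNING_KEY_LEN + ENCRYPTION_KEY_LEN:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:SIGNING_KEY_LEN], raw[SIGNING_KEY_LEN:]

def hmac_key_deficit(signing_key: bytes) -> int:
    """How many bytes the HMAC key falls short of the SHA-256 output length.
    RFC 4868 2.1.1 wants key length == output length, i.e. a deficit of 0."""
    return max(0, HMAC_OUTPUT_LEN - len(signing_key))

def sign_token_body(signing_key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 over version || timestamp || IV || ciphertext, as Fernet does."""
    return hmac.new(signing_key, body, hashlib.sha256).digest()

def verify_token_body(signing_key: bytes, body: bytes, tag: bytes) -> bool:
    """Constant-time check of the 32-byte tag that ends a token."""
    return hmac.compare_digest(sign_token_body(signing_key, body), tag)

def split_proposed_key(raw: bytes) -> tuple:
    """Hypothetical 48-byte layout in the spirit of the issue (NOT the spec):
    a full 32-byte HMAC key followed by a 16-byte AES-128 key."""
    if len(raw) != HMAC_OUTPUT_LEN + ENCRYPTION_KEY_LEN:
        raise ValueError("proposed key must be 48 bytes")
    return raw[:HMAC_OUTPUT_LEN], raw[HMAC_OUTPUT_LEN:]

# Constructed sample key (not a real secret): 32 zero bytes, base64url-encoded.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(32))
# Constructed token body: version 0x80, 8-byte timestamp, 16-byte IV, ciphertext.
SAMPLE_BODY = b"\x80" + (0).to_bytes(8, "big") + bytes(16) + b"\x01\x02\x03"

if __name__ == "__main__":
    sk, ek = split_fernet_key(SAMPLE_KEY)
    print("HMAC key bits:", len(sk) * 8, "SHA-256 output bits:", HMAC_OUTPUT_LEN * 8)
    print("deficit (bytes):", hmac_key_deficit(sk))
    tag = sign_token_body(sk, SAMPLE_BODY)
    print("tag verifies:", verify_token_body(sk, SAMPLE_BODY, tag))
    print("proposed deficit (bytes):", hmac_key_deficit(split_proposed_key(bytes(48))[0]))
```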

@reaperhulk (Member) commented

This can only be addressed in the spec since we only implement, not design. The lack of maintenance on the fernet spec is more than a little frustrating, but we'll keep at it.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2020