Hi, Working on part of a project where there's no requirement for confidentiality, but do need to verify message authentication and integrity. The case is a simple multi-node system where a client component makes a request of another component using an HTTP request. The transport does not currently implement SSL/TLS. The request recipient simply needs to be certain that an authorized/known client issued the request. Each node is under the same administrative control/owner and a secure channel such as SSH may be used for setting up pre-shared keys.
What python cryptography recipe is suitable for this? Fernet appears to be geared around symmetric encryption although shared secrets also work for authentication and this seems to be stated when discussing cryptography.fernet.InvalidToken if the token "does not have a valid signature." I'd like to avoid any PKI for the time being, so in addition to cryptography's support we also note PyNaCl digital signatures [1] and the standard library's hmac [2] module. Asymmetric keys as implemented in [1] seem suited. And the native availability and relative simplicity of [2] are also attractive. For this sort of thing, does the cryptography library provide anything that using pre-shared keys and transmitting the computed HMAC with the message wouldn't solve? Do either of these approaches have any significant issues that using public-key message signing would solve? [1] https://pynacl.readthedocs.io/en/latest/signing/ [2] https://docs.python.org/3/library/hmac.html Thanks, -- Darren Spruell phatbuck...@gmail.com _______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
