If the only thing exposed was encrypted Fernet tokens, then there is no
way to determine the key used by those tokens short of a brute force
attack. Based on what you're describing, users could potentially have
run a chosen plaintext attack as well, but Fernet's construction
(AES-CBC with random IV + HMAC for authentication) is CPA secure.

To be clear, you should still rotate keys and re-encrypt data as best practice.

-Paul

On Tue, Apr 21, 2020 at 7:55 AM Lucas Vazquez <lucas5zvazq...@gmail.com> wrote:
>
> Hello to all devs, I'm using Fernet with Django to store some private
> external data in a regulator's website.
> Recently, that data has been exposed in encrypted form by a mistake.
> Each user saw some of their data in encrypted form in the configuration view,
> and if they modified them, the filtered contents were modified accordingly.
> Could any smart user have discovered, through various changes to the fields,
> the secret key that I use with Fernet?
>
> Have a good day
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
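The properties Paul relies on above (random IV so repeated saves of the same field yield unrelated tokens, HMAC so any edit to a token is rejected rather than decrypted, and key rotation via MultiFernet so exposed tokens can be re-encrypted) can be checked directly against pyca/cryptography's public Fernet API. The following is an added example written for this thread, not code from either poster; the sample field value and the key names are constructed here, and the tampering helper assumes the documented Fernet token layout (1-byte version, 8-byte timestamp, 16-byte IV, ciphertext, 32-byte HMAC) so that index -40 always falls inside the ciphertext.

```python
"""Added example: what a user who can see and edit Fernet tokens can and
cannot do, plus the key rotation the reply recommends.  Uses only the
public API of pyca/cryptography (Fernet, MultiFernet, InvalidToken)."""
import base64

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed sample: a "private external" field of the kind the post describes.
SAMPLE_FIELD = b"account-ref: 12345; contact: ops@example.invalid"


def tokens_differ_for_same_plaintext(key: bytes, plaintext: bytes) -> bool:
    """Random IV per encryption: re-saving the same value gives a different
    token each time, so repeated chosen plaintexts do not reveal the key."""
    f = Fernet(key)
    t1, t2 = f.encrypt(plaintext), f.encrypt(plaintext)
    return t1 != t2 and f.decrypt(t1) == plaintext and f.decrypt(t2) == plaintext


def tampered_token_is_rejected(key: bytes, token: bytes) -> bool:
    """Flip one bit inside the ciphertext region of a token.  Because the
    HMAC-SHA256 tag covers version, timestamp, IV and ciphertext, Fernet
    raises InvalidToken instead of returning garbled plaintext."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-40] ^= 0x01  # 8 bytes before the 32-byte HMAC: inside the ciphertext
    tampered = base64.urlsafe_b64encode(bytes(raw))
    try:
        Fernet(key).decrypt(tampered)
    except InvalidToken:
        return True
    return False


def rotate_tokens(old_key: bytes, new_key: bytes, tokens: list) -> list:
    """Re-encrypt existing tokens under new_key.  MultiFernet.rotate()
    decrypts with any listed key and re-encrypts with the first one."""
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return [mf.rotate(t) for t in tokens]


def unreadable_with_key(key: bytes, token: bytes) -> bool:
    """True when `key` cannot decrypt `token` (HMAC check fails)."""
    try:
        Fernet(key).decrypt(token)
    except InvalidToken:
        return True
    return False


def demo() -> dict:
    """Run all checks with freshly generated keys; every value should be True."""
    old_key = Fernet.generate_key()
    new_key = Fernet.generate_key()
    token = Fernet(old_key).encrypt(SAMPLE_FIELD)
    rotated = rotate_tokens(old_key, new_key, [token])[0]
    return {
        "cpa_random_iv": tokens_differ_for_same_plaintext(old_key, SAMPLE_FIELD),
        "tamper_rejected": tampered_token_is_rejected(old_key, token),
        "rotated_reads_with_new_key": Fernet(new_key).decrypt(rotated) == SAMPLE_FIELD,
        "rotated_unreadable_with_old_key": unreadable_with_key(old_key, rotated),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Rotation only helps if the old key is then retired: keep it in the MultiFernet list just long enough to run `rotate()` over every stored token, then drop it so tokens that were exposed under the old key can no longer be decrypted by anyone who later obtains that key.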