If the only thing exposed was encrypted Fernet tokens then there is no way to determine the key used by those tokens short of a brute force attack. Based on what you're describing users could potentially have run a chosen plaintext attack as well, but Fernet's construction (AES-CBC with random IV + HMAC for authentication) is CPA secure.
To be clear, you should still rotate keys and re-encrypt data as best practice.

-Paul

On Tue, Apr 21, 2020 at 7:55 AM Lucas Vazquez <lucas5zvazq...@gmail.com> wrote:
>
> Hello to all devs, I'm using Fernet with Django to store some private
> external data in a Regulators Website.
> Recently, that data has been exposed in encrypted form by mistake.
> Each user saw some of their data in encrypted form in the configuration view,
> and if they modified them, the filtered contents were modified accordingly.
> Could any smart user have discovered, through various changes to the fields,
> the secret key that I use with Fernet?
>
> Have a good day
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
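The key rotation and re-encryption recommended in the reply above, sketched as an added example that is not part of the original thread. It uses `Fernet` and `MultiFernet` from the `cryptography` package; the helper names and the sample field values are constructed for illustration.

```python
import base64
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def rotate_tokens(tokens, old_key, new_key):
    """Re-encrypt stored Fernet tokens so that only new_key is needed afterwards."""
    # MultiFernet decrypts with whichever listed key fits and encrypts with the first.
    keyring = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return [keyring.rotate(token) for token in tokens]


def is_rejected(fernet, token):
    """True if the token fails authentication under this key."""
    try:
        fernet.decrypt(token)
    except InvalidToken:
        return True
    return False


def flip_ciphertext_bit(token):
    """Return a copy of the token with one ciphertext bit changed."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[25] ^= 0x01  # byte 25 is the first ciphertext byte (after version, timestamp, IV)
    return base64.urlsafe_b64encode(bytes(raw))


def demo():
    old_key = Fernet.generate_key()  # stands in for the key behind the exposed tokens
    new_key = Fernet.generate_key()
    # Constructed sample values standing in for the stored private fields.
    plaintexts = [b"licence-number: 0001", b"contact: user@example.org"]
    stored = [Fernet(old_key).encrypt(p) for p in plaintexts]

    rotated = rotate_tokens(stored, old_key, new_key)
    return {
        "plaintexts": plaintexts,
        "recovered": [Fernet(new_key).decrypt(t) for t in rotated],
        "tokens_changed": all(a != b for a, b in zip(stored, rotated)),
        "old_key_rejected": is_rejected(Fernet(old_key), rotated[0]),
        "tamper_rejected": is_rejected(Fernet(new_key), flip_ciphertext_bit(rotated[0])),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Once every stored token has been rotated, the old key can be dropped from the key list and retired.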