Hello, I'm reaching out to the cryptography experts for this issue.
Using Python 3.9 on a RHEL 9.4 platform with the cryptography module installed on it. The requirements are to encrypt some data using *class* cryptography.hazmat.primitives.ciphers.aead.AESGCM(*key*) I've written the encryption code to use the above cipher and it works without any issues. The issue I'm running into is in the decryption step. The same Python code is called with the flag set to decryption but it raises the InvalidToken exception. Reading the documentation it says this could occur if the ciphertext is changed, which it is not. Or if the nonce is different, I adjusted the code to save each nonce during the encryption process and I supply this same nonce during decryption. The documentation also says this exception can occur if the key is different. This is where my confusion is, the .decrypt() only takes in the ct, nonce and aad parameters. Obviously when the Python module is run for decryption, it creates a new key from the password and is used for decryption. Which will be different than what was used during encryption. I don't think the solution is to also store the key along with the nonce, since it's a very bad security practice. What am I missing? Do I need to parse the ciphertext and extract the tag or something? But then .decrypt() method doesn't use a tag parameter. FYI, I'm saving the ciphertext and the nonce with the 'wb' flag in the open() statement and the decryption step uses the 'rb' flag to read in the ciphertext and the nonce. The example code snippet in the cryptography website shows the encrypt and decrypt operation in sequence. In my situation, encryption happens at one time and the decryption has to happen some time later. Several websites/users are using the Pycryptodome module for this. I'd rather not because the cryptography module works great for my other requirements. Also I'd prefer not to use cryptography module and the Pycryptodome module as well. I think that would be overkill. Best PE
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
