Fernet isn't an algorithm. It's a user-proof library for doing authenticated AES encryption; it is essentially Python's answer to Rails' MessageEncryptor, and has had more success than MessageEncryptor at becoming a standard for its ecosystem.<p>The real lesson here though: don't get cryptography advice from SANS. Cryptography is a specialized field; SANS is pretty close to the opposite of that.
<a href="https://github.com/fernet/spec/blob/master/Spec.md">https://github.com/fernet/spec/blob/master/Spec.md</a><p>It's just a simple format specification using standard crypto primitives.<p>> AES in CBC mode with a 128-bit key for encryption; using PKCS7 padding.<p>> HMAC using SHA256 for authentication.
When would someone use this over libsodium(Or libhydrogen? Is that considered secure yet?)? It seems python-specific. I love python, but I'm a fan of universal standards.
Not sure the linked project is the up to date one.<p>I regularly use the 'cryptography' package that has a 'Fernet' object in 'cryptography.fernet'.<p>And it is in cryptography so I trust they maintain it at least a bare minimum.<p>It is an amazing blackbox that assures me I can just provide a key and a ciphertext and rest easy that my data is correctly decrypted and autehnticated !