PSKC encryption

Some of the information in PSKC files (e.g. key material) can be encrypted with either pre-shared keys, passphrase-based keys or asymmetric keys (asymmetric keys are currently unimplemented).

Embedded PSKC encryption is handled inside the Encryption class that defines encryption key or means of deriving keys. It is accessed from the encryption attribute of a PSKC instance:

>>> from binascii import a2b_hex
>>> from pskc import PSKC
>>> pskc = PSKC('somefile.pskcxml')
>>> pskc.encryption.key = a2b_hex('12345678901234567890123456789012')

or:

>>> pskc.encryption.derive_key('qwerty')

Once the encryption key has been set up, any encrypted key values from the PSKC file are available transparently.

If no key or an incorrect key has been configured, upon accessing encrypted information (e.g. the secret attribute of a Key instance) a DecryptionError exception will be raised.

When writing out a PSKC file, encryption can be configured with the setup_preshared_key() or setup_pbkdf2() function:

>>> from pskc import PSKC
>>> pskc = PSKC()
>>> pskc.encryption.setup_preshared_key(algorithm='AES256-CBC')

or:

>>> pskc.encryption.setup_pbkdf2(password='verysecure')

The Encryption class

class pskc.encryption.Encryption
id

Optional identifier of the encryption key.

algorithm

A URI of the encryption algorithm used. Setting a value for this attribute will result in an attempt to use the canonical URI for this algorithm. For instance setting a 3DES-CBC value will automatically be converted to http://www.w3.org/2001/04/xmlenc#aes128-cbc.

key_names

List of names provided for the encryption key.

key_name

Since usually only one name is defined for a key but the schema allows for multiple names, this is a shortcut for accessing the first value of key_names. It will return None if no name is available.

key

The binary value of the encryption key. In the case of pre-shared keys this value should be set before trying to access encrypted information in the PSKC file.

When using key derivation the secret key is available in this attribute after calling derive_key().

derive_key(password)

Derive a key from the supplied password and information in the PSKC file (generally algorithm, salt, etc.).

This function may raise a KeyDerivationError exception if key derivation fails for some reason.

fields

A list of Key instance field names that will be encrypted when the PSKC file is written. List values can contain secret, counter, time_offset, time_interval and time_drift.

setup_preshared_key(...)

Configure pre-shared key encryption.

Parameters:
  • key (binary) – the encryption key to use
  • id (str) – encryption key identifier
  • algorithm (str) – encryption algorithm
  • key_length (int) – encryption key length in bytes
  • key_name (str) – a name for the key
  • key_names (list) – a number of names for the key
  • fields (list) – a list of fields to encrypt

This is a utility function to easily set up encryption. Encryption can also be set up by manually by setting the Encryption properties.

This method will generate a key if required and set the passed values. By default AES128-CBC encryption will be configured and unless a key is specified one of the correct length will be generated. If the algorithm does not provide integrity checks (e.g. CBC-mode algorithms) integrity checking in the PSKC file will be set up using setup().

By default only the secret property will be encrypted when writing the file.

setup_pbkdf2(...)

Configure password-based PSKC encryption.

Parameters:
  • password (str) – the password to use (required)
  • id (str) – encryption key identifier
  • algorithm (str) – encryption algorithm
  • key_length (int) – encryption key length in bytes
  • key_name (str) – a name for the key
  • key_names (list) – a number of names for the key
  • fields (list) – a list of fields to encrypt
  • salt (binary) – PBKDF2 salt
  • salt_length (int) – used when generating random salt
  • iterations (int) – number of PBKDF2 iterations
  • prf (function) – PBKDF2 pseudorandom function

Defaults for the above parameters are similar to those for setup_preshared_key() but the password parameter is required.

By default 12000 iterations will be used and a random salt with the length of the to-be-generated encryption key will be used.