PSKC encryption¶
Some of the information in PSKC files (e.g. key material) can be encrypted with either pre-shared keys, passphrase-based keys or asymmetric keys (asymmetric keys are currently unimplemented).
Embedded PSKC encryption is handled inside the Encryption
class that
defines encryption key or means of deriving keys. It is accessed from the
encryption
attribute of a PSKC
instance:
>>> from binascii import a2b_hex
>>> from pskc import PSKC
>>> pskc = PSKC('somefile.pskcxml')
>>> pskc.encryption.key = a2b_hex('12345678901234567890123456789012')
or:
>>> pskc.encryption.derive_key('qwerty')
Once the encryption key has been set up, any encrypted key values from the PSKC file are available transparently.
If no key or an incorrect key has been configured, upon accessing encrypted
information (e.g. the secret
attribute of a
Key
instance) a DecryptionError
exception will be raised.
When writing out a PSKC file, encryption can be configured with the
setup_preshared_key()
or
setup_pbkdf2()
function:
>>> from pskc import PSKC
>>> pskc = PSKC()
>>> pskc.encryption.setup_preshared_key(algorithm='AES256-CBC')
or:
>>> pskc.encryption.setup_pbkdf2(password='verysecure')
The Encryption class¶
- class pskc.encryption.Encryption¶
- id¶
Optional identifier of the encryption key.
- algorithm¶
A URI of the encryption algorithm used. See the section Supported encryption algorithms below for a list of algorithms URIs.
Assigned values to this attribute will be converted to the canonical URI for the algorithm if it is known. For instance, the value
3DES-CBC
will automatically be converted intohttp://www.w3.org/2001/04/xmlenc#tripledes-cbc
.
- is_encrypted¶
An indicator of whether the PSKC file requires an additional pre-shared key or passphrase to decrypt the contents of the file. Will be
True
if a key or passphrase is needed,False
otherwise.
- key_names¶
List of names provided for the encryption key.
- key_name¶
Since usually only one name is defined for a key but the schema allows for multiple names, this is a shortcut for accessing the first value of
key_names
. It will returnNone
if no name is available.
- key¶
The binary value of the encryption key. In the case of pre-shared keys this value should be set before trying to access encrypted information in the PSKC file.
When using key derivation the secret key is available in this attribute after calling
derive_key()
.
- derive_key(password)¶
Derive a key from the supplied password and information in the PSKC file (generally algorithm, salt, etc.).
This function may raise a
KeyDerivationError
exception if key derivation fails for some reason.
- fields¶
A list of
Key
instance field names that will be encrypted when the PSKC file is written. List values can containsecret
,counter
,time_offset
,time_interval
andtime_drift
.
Configure pre-shared key encryption when writing the file.
- Parameters:
key (bytes) – the encryption key to use
id (str) – encryption key identifier
algorithm (str) – encryption algorithm
key_length (int) – encryption key length in bytes
key_name (str) – a name for the key
key_names (list) – a number of names for the key
fields (list) – a list of fields to encrypt
This is a utility function to easily set up encryption. Encryption can also be set up by manually by setting the
Encryption
properties.This method will generate a key if required and set the passed values. By default AES128-CBC encryption will be configured and unless a key is specified one of the correct length will be generated. If the algorithm does not provide integrity checks (e.g. CBC-mode algorithms) integrity checking in the PSKC file will be set up using
setup()
.By default only the
secret
property will be encrypted when writing the file.
- setup_pbkdf2(...)¶
Configure password-based PSKC encryption when writing the file.
- Parameters:
password (str) – the password to use (required)
id (str) – encryption key identifier
algorithm (str) – encryption algorithm
key_length (int) – encryption key length in bytes
key_name (str) – a name for the key
key_names (list) – a number of names for the key
fields (list) – a list of fields to encrypt
salt (bytes) – PBKDF2 salt
salt_length (int) – used when generating random salt
iterations (int) – number of PBKDF2 iterations
prf (function) – PBKDF2 pseudorandom function
Defaults for the above parameters are similar to those for
setup_preshared_key()
but the password parameter is required.By default 12000 iterations will be used and a random salt with the length of the to-be-generated encryption key will be used.
- remove_encryption()¶
Decrypt all data stored in the PSKC file and remove the encryption configuration. This can be used to read and encrypted PSKC file, decrypt the file, remove the encryption and output an unencrypted PSKC file or to replace the encryption algorithm.
Supported encryption algorithms¶
The following encryption algorithms are currently supported by python-pskc.
URI |
Description |
---|---|
|
AES encryption in CBC mode with various key lengths |
|
AES key wrap with various key lengths |
|
Triple DES (3DES) encryption in CBC mode |
|
Triple DES (3DES) key wrap |