We Keep Coding

Encryption with NodeJS doesn't match encryption using Python (cryptography.fernet)

Cryptography noob here. I'm trying to write a script in NodeJS that encrypts a string and produces output that matches the output of my Python script that uses the cryptography.fernet library. My overall goal is to use the original key to encrypt messages in Node that will later be decrypted using Python.
Sample of my Python code:
from cryptography.fernet import Fernet
key = Fernet.generate_key() # For example: 6saGtiTFEXej729GUWSeAyQdIpRFdGhfY2XFUDpvsu8=
f = Fernet(key)
message = 'Hello World'
encoded = message.encode()
encrypted = f.encrypt(encoded)
Which produces the output: gAAAAABhJs_E-dDVp_UrLK6PWLpukDAM0OT5M6bfcqvVoCvg7r63NSi4OWOamLpABuYQG-5wsts_9h7cLbCsWmctArXcGqelXz_BXl_o2C7KM9o7_eq7VTc=
My Node script uses the built-in Crypto module and must also use the same 32-byte key that is being used in my Python program. I know that fernet uses is AES-128-CBC as its algorithm, so that's what I'm using for my Node script.
My NodeJS code:
const crypto = require("crypto");
const key = '6saGtiTFEXej729GUWSeAyQdIpRFdGhfY2XFUDpvsu8=';
const algorithm = 'aes-128-cbc';
const message = 'Hello World';
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(algorithm, key, iv);
const encrypted = cipher.update(message, 'utf8', 'hex') + cipher.final('hex');
Which is giving me: Error: Invalid key length
My first problem is that I'm unsure how to convert the key so that it's the proper length. I also know from looking at fernet's source code that the key is split into two parts: the first 16 bytes are the signing_key and the last 16 bytes are the encryption_key - I haven't found much information on whether/how I need to deal with those two pieces of the original key in my Node implementation.
Since I'm new to this I'm a little confused on how to accomplish what I'm after. Any tips or advice is very much appreciated.

The specs for the Fernet format can be found on https://github.com/fernet/spec/blob/master/Spec.md
There they specify both a generating and a veryfying steps, here is the generating which should give enough information for your implementation:
Record the current time for the timestamp field.
Choose a unique IV.
Construct the ciphertext:
Pad the message to a multiple of 16 bytes (128 bits) per RFC 5652, section 6.3. This is the same padding technique used in PKCS #7 v1.5 and all versions of SSL/TLS (cf. RFC 5246, section 6.2.3.2 for TLS 1.2).
Encrypt the padded message using AES 128 in CBC mode with the chosen IV and user-supplied encryption-key.
Compute the HMAC field as described above using the user-supplied signing-key.
Concatenate all fields together in the format above.
base64url encode the entire token.
From this we can see that the signing key (first half of full key) is used in HMAC, while the second half is used in the AES128-CBC, so just dividing the key into two separate elements (with proper conversion from hex string to bytes) should be enough for using Node.js crypto module (https://nodejs.org/en/knowledge/cryptography/how-to-use-crypto-module/) to construct your own implementation.

How to load an RSA512 public key and exponent from a .bin file into python

I'm having trouble loading an RSA512 public key from a .bin file into python. The issue mainly stems from the fact that I don't know what format the key is stored in. This is the only description of the file I was given.
"key.bin - Raw binary bytes of RSA 512 bit public key and exponent. Used to verify signature of incoming
packets."
I don't know if this is helpful but here are bytes printed in python of the .bin file.
9902c4a66b1ff76392919e7bbc35d51a5128b9da03e131b489d5ed01c1d075fc4c139a9952e9a3b040d984219a4aef0d421f6b8f9c79e1c3c35a218ecba54dc9010001
The goal of the actual challenge is to build a udp server that verifies the digital signature and integrity of an incoming packet. Currently i'm using python 2.7 with the cryptography library. Documentation can be found below.
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/?highlight=rsa%20512
I have already tried the code below but I get the same error for the first two formats and a slightly different one for the third.
with open("key.bin", "rb") as key_file:
private_key = serialization.load_der_public_key(key_file.read(), backend=default_backend())
ValueError: Could not deserialize key data.
with open("key.bin", "rb") as key_file:
private_key = serialization.load_pem_public_key(key_file.read(), backend=default_backend())
ValueError: Could not deserialize key data.
with open("key.bin", "rb") as key_file:
private_key = serialization.load_ssh_public_key(key_file.read(), backend=default_backend())
ValueError: Key is not in the proper format or contains extra data.
Also the hashing algorithm used for verification is SHA256 but that is probably irrelevant.

key.bin - Raw binary bytes of RSA 512 bit public key and exponent. Used to verify signature of incoming packets.
In a RSA-512 key, the modulus is a 512-bit number, which fits in 64 bytes or 128 hexadecimal digits. Your file is represented by 134 hex digits, so it's likely that 128 of these digits are the modulus and the rest is the public exponent and possibly metadata.
The public exponent is almost always 3 or 65537=0x010001. Given that key.bin ends with 010001 in hex, a reasonable guess is that those last 3 bytes are the public exponent, and the first 64 bytes are the modulus.
with open("key.bin", "rb") as key_file:
n_bytes = key_file.read(64)
e_bytes = key_file.read(3)
You now need to figure out whether the encoding is little-endian or big-endian. You can't tell from the public exponent because it's palindromic. So try both possibilities:
n = int(n_bytes.encode('hex'), 16)
or
n = int(reversed(n_bytes).encode('hex'), 16)
Since you have the key in an ad hoc format, rather than a standard format that is used in real life, you're probably meant to use arithmetic primitives rather than a cryptography library to work with the key.

Your key is not encoded in a known standard. You need to extract the modulus and exponent, and then build the public key out of them.
The modulus defines the RSA key size and is therefore 512 bits or 64 bytes as unsigned big endian value. The public exponent may have any size, but is usually small. The most used exponent value is 010001 in hexadecimals, which is the fifth prime of Fermat (also called F4, zero based index). Better however to simply get the first 64 bytes and assume the rest encodes is the public exponent.
So you can use RSAPublicNumbers to create the values from the modulus n and exponent e. Trick is to make sure that you create the modulus as positive value instead of a negative value.
Let's say that data is the binary data read from the file. Then you can get the public key in the following way.
You may want to use 'little' instead of 'big' if the following doesn't work (big endian is the RSA default, but you never know). However, in your case the little endian value is dividable by e.g. 11, so that's not a likely modulus value (the prime values should be close to half the key size in bits to be secure).
modsize = 512 // 8
modBytes = data[slice(0, modsize)]
mod = int.from_bytes(modBytes, byteorder='big')
expBytes = data[slice(modsize, None)]
exp = int.from_bytes(expBytes, byteorder='big')
pubkey = RSAPublicNumbers(exp, mod).public_key(default_backend())
Note that from_bytes has only been added in Python 3.2. RSAPublicNumbers is a bit weird in the sense that it takes the exponent parameter before the modulus. Every other API that I've seen takes the modulus before the exponent.

RSA public key size python

I need help using RSA encryption and decryption in Python.
I tried to generate a public key and a private key by using RSA 2048, then send the public key as hex to a destination. However, I faced a problem, the generated public key size is greater than 2048 bit. I used the following script. Could I know why the key size is greater than 2048 bit?
import Crypto
from Crypto.PublicKey import RSA
key = RSA.generate(2048)
binPrivKey = key.exportKey('DER')
binPubKey = key.publickey().exportKey('DER')
print(binPubKey.encode('hex'))

If you want to export the key for use somewhere else, you will probably find it easier to export the key in PEM format as follows:
>>> print(key.publickey().exportKey('PEM'))
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtd2o9NY7P9CvXzECu4Ky
tieqYGAkOFrvuRnZpf3VP4VK0XMFSXM8/i5c0Q3Ml44If/zqVo/cXAO85YqV8ZtJ
YRtK9wcEr5epTX6iahxqgObgjFAbIRd6+we6znxBy+OG0JfEGn/GSBoq9g8mcr2e
HhKflp3B57X3+Qn1EbIYDFThWxy4HUZXh64LJiA5s0yeYzlGyjcC6R/Q59/CsyKP
K5LdcRp+CUrHfqwimiFUEZ+KNOob1klAyY4UKX9CI1AnWwZuSrmtbH+11Cfwgnnk
5RpqDvFNB30qsuD0elE+9zLOrq0jGicEoPtYAC3Z7phoODoR5vHbJ0R38qGItLMl
/wIDAQAB
-----END PUBLIC KEY-----
The DER format contains the same data, but in binary form, which is perhaps a little less portable.
The key length isn't 2048 bits because a public key contains not only the modulus n, but also the encryption exponent e.
If you just want the 2048-bit modulus n, then you can extract it as follows:
>>> print(key.n)
22958437811749378126735904957386766172644032831528249830706401935201456098524775
93935742531467773637499977046456570312080938678104306767641814358663672099815985
37166257748568890906635464134344070390567919827141645499361303936386291407244786
88192939984906393278409502460458733268776367836168349094440408475953441252058796
28391483565417017898863634275114447933217938009351306832376849011143622553495660
63424041991601059614183085270921567421339154500925080655811214971889251644612159
17495238196068931081086234165571014450595993262432428425126883651547622718096951
337250550253777137307186332200705951701212904813212411391
And yes, this is a 2048-bit value:
>>> print(key.n.bit_length())
2048

An RSA public key consists of two components: the modulus and the public exponent. The size of the modulus determines the key size. It is therefore 2048 bits if that's the size given to the key pair generator. The public exponent can be any value and could be up to 2048 bits as well. However, it is usually small. Nowadays it is commonly set to the value 65537, which is 010001 in hexadecimals. It is a special number called the fifth prime of Fermat, usually indicated by "F4" (zero based indexation).
The public key structure should contain both components. The encoded key size is generally larger than the key size for any asymmetric primitive such as RSA. Besides that is may contain overhead (to identify the location of the modulus and exponent) and information about the key itself (for instance an OID that indicates that it is indeed an RSA public key).
To know more about this you could take a look at the PKCS#1 and X.509 certificate specifications. The latter specifies a structure called SubjectPublicKeyInfo which is PEM encoded in the answer of squeamish ossifrage. You can parse it online here.
SEQUENCE (2 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
NULL
BIT STRING (1 elem)
SEQUENCE (2 elem)
INTEGER (2048 bit) 229584378117493781267359049573867661726440328315282498307064019352014…
INTEGER 65537
Here the first number is the modulus and the second is the public exponent.
So in short there is a difference between key size, encoded key size and key strength.
Notes:
An RSA key pair of 2048 bits only provides a key strength of 112 bits (i.e. 112 bits of security), while AES-128 provides about 127 bits of security. In general you should try to use a 3072 bit key instead.
The private key often contains the parameters for the Chinese Remainder Theorem and the public exponent on top of the 2048 bit modulus and 2048 bit private exponent, so it will be even larger.

Bytes to string in AES encryption and decryption in Python 3

I want to do an AES encryption and decryption to string. but the key and message must be in bytes, so I converted the message to bytes by doing this:
b"string"
This is my AES code:
# Encryption
encryption_suite = AES.new(b'1234567812345678', AES.MODE_OCB)
cipher_text = encryption_suite.encrypt(b"A really secret message. Not for prying eyes.")
# Decryption
decryption_suite = AES.new(b'1234567812345678', AES.MODE_OCB)
plaintext = decryption_suite.decrypt(cipher_text)
however i need to turn the decrypted plain text back to string to be readable.
Currently the plaintext looks like this:
b'x\x85\x92\x9d\xe6\x0bJ\xfe\x9b(\x10G\x8e\x05\xc5\xf4\xcdA9\xc18\xb8_\xf9vbmK\x16\xf8\xa3\xb6'
I tried using
plaintext.decode(encoding='windows-1252')
and
plaintext.decode("utf-8").strip('\x00')
but all i get is this:
UnicodeDecodeError: 'charmap' codec can't decode byte 0x9d in position 3: character maps to
or this:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb1 in position 1: invalid start byte
I need to convert these bytes back to a readable string.. if you can help, that would be appreciated.

The main issue with your code is that you don't supply a nonce to AES.new(). OCB requires a nonce; if you don't supply one a random nonce will be created every time you create a new AES object, and so decryption will fail.
From the docs:
nonce (byte string): a non-repeatable value, of length between 1 and 15 bytes.. If not present, a random nonce of the recommended length (15 bytes) will be created.
You have two options, either create a nonce and pass it to AES.new() (in encryption and decryption) or use the random nonce created by AES during encryption.
Next, OCB is an authenticated encryption algorithm but it seems that you don't check the MAC. This is important because the MAC verifies the integrity of the ciphertext.
The encryption and decryption methods of AES accept and return bytes. You can convert the plaintext (if it is text) to string with .decode(). If you want to convert the ciphertext to string you'll have to base64-encode it first, in order to encode the raw bytes to ASCII characters (just remember to decode before decryption). b64encode() also returns bytes but can be converted to string easily.
An example,
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from base64 import b64encode
key = get_random_bytes(16) # A 16 byte key for AES-128
nonce = get_random_bytes(15)
message = "A really secret message. Not for prying eyes.".encode()
cipher = AES.new(key, AES.MODE_OCB, nonce=nonce)
ciphertext, mac = cipher.encrypt_and_digest(message)
cipher = AES.new(key, AES.MODE_OCB, nonce=nonce)
plaintext = cipher.decrypt_and_verify(ciphertext, mac)
print(b64encode(ciphertext).decode())
#CSwHy3ir3MZ7yvZ4CzHbgYOsKgzhMqjq6wEuutU7vJJTJ0c38ExWkAY1QkLO
print(plaintext.decode())
#A really secret message. Not for prying eyes.
Note that if .decrypt_and_verify() fails to verify the MAC a ValueError exception will be raised, so you may want to use a try-except block. The nonce and mac values are not secret and it's safe to store them next to the ciphertext.
Finally, if you plan to derive a key from a passphrase you should use a password-based KDF. KDFs create strong keys, use salt and iterations, and they are very resistant to fruteforce attacks. You will find KDF functions in Crypto.Protocol.KDF.

You can't convert binary data to a string because it is inherently not a string. It's binary data. The chances of the output of your encryption just happening, by chance, to be a correctly formatted UTF8 string is pretty unlikely.
You should look at base64 instead. It bloats the data (3 bytes to 4 characters) but is better suited for your use case.
EDIT:. My mistake, I misunderstood your question. The output you have isn't correct, the first byte is not a '1' in UTF8. This is likely an issue with the encryption/decryption.

I think your encoding is "ISO-8859-1". So you can do:
plaintext.decode("ISO-8859-1")

Python Crypto RSA, 127 bytes length cipher with a 1024 bits key

When I test RSA encryption on my laptop using PyCrypto (Archlinux, package: python-crypto/python2-crypto), I used a 1024 key generated by RSA module to encrypt a random data, and it produced a 127 bytes length cipher.
A simple code following: (I got the values when debugging)
from Crypto.PublicKey import RSA
pubkey = b'-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDq+qbaMTZtPH3LuXLrAn37YGzc\ngrL7ieTILtkXTl5PIozJUQZ06bQXr/uS+FtvYNSvaT53ZpSyKmVmWtoX7lFzA6FW\nsILFTgFUDNRnPIQv1rQb16wi694rKPRe1uIr8/hthXtTec8b2aJovizQOlkXY0Pq\nZohNGofi02xlUD8KsQIDAQAB\n-----END PUBLIC KEY-----'
prikey = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDq+qbaMTZtPH3LuXLrAn37YGzcgrL7ieTILtkXTl5PIozJUQZ0\n6bQXr/uS+FtvYNSvaT53ZpSyKmVmWtoX7lFzA6FWsILFTgFUDNRnPIQv1rQb16wi\n694rKPRe1uIr8/hthXtTec8b2aJovizQOlkXY0PqZohNGofi02xlUD8KsQIDAQAB\nAoGBAMkKEI0ng8Br+9i8XqTQ6gaTVjBHpmhtbw8SfexhwXCFR9zJ9PM8LDgD+gKh\neGFPgEhfi/FOE7Rnb3/mBShqXsWbqz7STJ05GOxtKo+L1z5K7X4E9WmVjIEVU46I\nhF43LJQvoDjQRbZh2cUMSYUR8+LqJJd6MFdhLJhEIf+LhCbBAkEA71lRBiSwZH/8\nsaUE4qZ/vxkS65czBcWLSCgn+7D/kvunX1hxqi3zTxMn4gyluw3IICzvLFgdDG6f\nUZk23aDcyQJBAPtTgvi4lYAIoeh6Xx8NZxroVNVBlP9BzJTBCcnX1Ym0aC/p+6n8\n7Lu9bkKk/hb0r7Oy76wzxObWv9uvRQNp+qkCQQCoOy8oEkGpYgxLEKIObNj9iLIz\nxWKne+IaJZ902UPKG/fYnGHIK+QIgH5X9GvIvjcb5nl1wbkpM9fnkrltrdOBAkBe\n7LbuHEGTHy+P8BBXWSeVOSU5etC87GxJzvNUginMHhCv8C82kCoV6sFneIvjvb1T\nIQV3RAJdscS7Q+LMHE4pAkEAzp2o8+2+9QJwzkpxGyNjJ7ZECQsZIb7MOH7LYhX0\ncnwffXFt4ttcwbyX2SdhCVPBDkczkJkOzcnEqtjoWt+dBw==\n-----END RSA PRIVATE KEY-----'
pub = RSA.importKey(pubkey)
data = b'\xc9\xc5\xa9\x1b\xc2\x0f\x05\xf0\xe3\xe1W\x9d\x94b\xc6 '
cipher = pub.encrypt(data, 0)[0]
print(len(cipher))
This will print 127 (normally it would be 128 for 1024 bits key), and I don't know why.

You are not using a correct encryption scheme. From the documentation:
Even though you may choose to directly use the methods of an RSA key object to perform the primitive cryptographic operations (e.g. _RSAobj.encrypt), it is recommended to use one of the standardized schemes instead (like Crypto.Cipher.PKCS1_v1_5 or Crypto.Signature.PKCS1_v1_5).
although nowadays the more modern/safe Crypto.Cipher.PKCS1_OAEP should be preferred over Crypto.Cipher.PKCS1_v1_5.
If you use one of these schemes then the output will always be 128 bytes. The reason for that is that PKCS#1 specifies a function called I2OSP, which converts the result of the modular exponentiation (which is a number bounded by the modulus/the key size) to a static number of octets, the key size to be exact.
The output of the direct encrypt function is what is called raw or textbook RSA: just modular exponentiation. This will just return the number, which may have leading zero bits. How many depends on chance, (somewhat) on the value of the modulus and if signed or unsigned encoding is used.