aes-cipher (2024)

Introduction

AES cipher is a library to encrypt/decrypt using AES256-CBC. It is possible to encrypt/decrypt both files and raw data (string or bytes).

A master key and IV are derived from the given password and (optionally) salt using a key derivation function. The key derivation function can be chosen among the provided ones:
- PBKDF2-SHA512
- Scrypt
Alternatively, it can also be customized by the user by simply implementing the IKeyDerivator interface.
Salt is randomly generated (16-byte long) if not specified.
A random key and IV are generated and used to encrypt the actual data. In this way, if the same file is encrypted with the same password multiple times, the encrypted file will always be different.
The random key and IV are encrypted with the master key and IV
HMAC-SHA256 of the encrypted key/IV and file data is computed to ensure integrity, using the master key as key

It is possible to specify either a single password or a list of passwords.In the last case, the file will be encrypted multiple times with a different password each time.

Installation

The package requires Python >= 3.7.
To install it:

Using setuptools:
See Also
Implementing RSA Encryption and Decryption in Python Python security best practices cheat sheet | Snyk What is the maximum file size we can open using Python?Best Practices for Storing X.509 Private Keys
```
 python setup.py install
```
Using pip:
```
 pip install aes_cipher
```

To run tests:

python -m unittest discover

Or you can install tox:

pip install tox

And then simply run tox:

tox

This will run code coverage with different Python versions and perform style and code analysis.
For quick test:

tox -e unittest

APIs

Key derivation

Pbkdf2Sha512 class: derive keys using PBKDF2-SHA512 algorithm

Pbkdf2Sha512(itr_num): construct the class
- itr_num: iterations number

For default values, the Pbkdf2Sha512Default class instance can be used:

Pbkdf2Sha512Default = Pbkdf2Sha512(512 * 1024)

Scrypt class: derive keys using Scrypt algorithm

Scrypt(n, p, r): construct the class
- n: CPU/Memory cost parameter
- p: block size parameter
- r: parallelization parameter

For default values, the ScryptDefault class instance can be used:

ScryptDefault = Scrypt(16384, 8, 8)

To add a custom key derivation function, the IKeyDerivator interface shall be implemented:

Encryption

DataEncrypter class: encrypt bytes or string data

DataEncrypter(key_derivator): construct the class
- key_derivator: key derivator to be used for master key and IV generation, it shall be an instance of the IKeyDerivator interface. Default value: Pbkdf2Sha512Default.
DataEncrypter.Encrypt(data, passwords [, salts]): encrypt data with the specified passwords and salts
- data: input data (string or bytes)
- passwords: list of passwords (list of strings)
- salts (optional): list of salts (list of strings). The number of salts shall be the same of the passwords. If not specified, salts will be randomly generated (16-byte long).
DataEncrypter.GetEncryptedData(): get encrypted data (bytes)

FileEncrypter class: encrypt a file

FileEncrypter(key_derivator): construct the class
- key_derivator: see DataEncrypter constructor
FileEncrypter.Encrypt(file_in, passwords [, salts]): encrypt file with the specified passwords and salts
- file_in: input file
- passwords: see DataEncrypter.Encrypt
- salts: see DataEncrypter.Encrypt
FileEncrypter.GetEncryptedData(): get encrypted data (bytes)
FileEncrypter.SaveTo(file_out): save to file
- file_out: output file to be saved

Decryption

DataDecrypter class: decrypt bytes or string data

DataDecrypter(key_derivator): construct the class
- key_derivator: key derivator to be used for master key and IV generation, it shall be an instance of the IKeyDerivator interface. Default value: Pbkdf2Sha512Default.
DataDecrypter.Decrypt(data, passwords): decrypt data with the specified passwords
- data: input data (string or bytes)
- passwords: see DataEncrypter.Encrypt
DataDecrypter.GetDecryptedData(): get decrypted data (bytes)

FileDecrypter class: decrypt a file

FileDecrypter(key_derivator): construct the class
- key_derivator: see DataDecrypter constructor
FileDecrypter.Decrypt(file_in, passwords)
- file_in: input file
- passwords: see DataDecrypter.Decrypt
FileDecrypter.GetDecryptedData(): get decrypted data (bytes)
FileDecrypter.SaveTo(file_out): save to file
- file_out: output file to be saved

Examples

Data encryption with single password and random salt, using PBKDF2-SHA512 algorithm with default values:

data_encrypter = DataEncrypter(Pbkdf2Sha512Default)data_encrypter.Encrypt(data, "test_pwd")enc_data = data_encrypter.GetEncryptedData()

Data encryption with single password and custom salt, using PBKDF2-SHA512 algorithm with custom values:

data_encrypter = DataEncrypter( Pbkdf2Sha512(1024 * 1024))data_encrypter.Encrypt(data, ["test_pwd"], ["test_salt"])enc_data = data_encrypter.GetEncryptedData()

Data encryption with multiple passwords and custom salts, using Scrypt algorithm with default values:

data_encrypter = DataEncrypter(ScryptDefault)data_encrypter.Encrypt(data, ["test_pwd_1", "test_pwd_2"], ["test_salt_1", "test_salt_2"])enc_data = data_encrypter.GetEncryptedData()

Data decryption with single password and random salt:

data_decrypter = DataDecrypter()data_decrypter.Decrypt(data, ["test_pwd"])dec_data = data_decrypter.GetDecryptedData()

Data decryption with multiple passwords and custom salts:

data_decrypter = DataDecrypter()data_decrypter.Decrypt(data, ["test_pwd_1", "test_pwd_2"], ["test_salt_1", "test_salt_2"])dec_data = data_decrypter.GetDecryptedData()

File encryption with single password and random salt:

file_encrypter = FileEncrypter()file_encrypter.Encrypt(file_in, "test_pwd")file_encrypter.SaveTo(file_out)

Enable logging:

data_encrypter = DataEncrypter()data_encrypter.Logger().SetLevel(logging.INFO)data_decrypter = DataDecrypter()data_decrypter.Logger().SetLevel(logging.INFO)

Sample Application

A sample application based on the library using the PBKDF2-SHA512 algorithm can be found in the app folder.

Basic usage:

python aes_cipher_app.py -m <enc:dec> -p <password1,password2,...> -i <input_files_or_folder> -o <output_folder> [-s <salt1,salt2,...>] [-t <itr_num>] [-v] [-h]

Parameters description:

Short name	Long name	Description
`-m`	`--mode`	Operational mode: `enc` for encrypting, `dec` for decrypting
`-p`	`--password`	Password used for encrypting/decrypting. It can be a single password or a list of passwords separated by a comma
`-i`	`--input`	Input to be encrypted/decrypted. It can be a single file, a list of files separated by a comma or a folder (in this case all files in the folder will be encrypted/decrypted)
`-o`	`--output`	Output folder where the encrypted/decrypted files will be saved
`-s`	`--salt`	Optional: custom salts for master key and IV derivation, random if not specified`
`-t`	`--iteration`	Optional: number of iteration for the PBKDF2-SHA512 algorithm, default value: 524288
`-v`	`--verbose`	Optional: enable verbose mode
`-h`	`--help`	Optional: print usage and exit

NOTE: the password shall not contain spaces or commas (in this case it will be interpreted as multiple passwords)

Examples:

Encrypt a file one time with the given password and salt. If input_file is a folder, all the files inside the folder will be encrypted:
```
 python aes_cipher_app.py -m enc -p test_pwd -i input_file -o encrypted -s test_salt
```

Decrypt the previous file:

 python aes_cipher_app.py -m dec -p test_pwd -i encrypted -o decrypted -s test_salt

Encrypt multiple files one time with the given password and salt. If one of the input files is a directory, it will be discarded:
```
 python aes_cipher_app.py -m enc -p test_pwd -i input_file1,input_file2,input_file3 -o encrypted -s test_salt
```

Encrypt a file 3 times using 3 passwords with random salts and custom number of iteration:

 python aes_cipher_app.py -m enc -p test_pwd_1,test_pwd_2,test_pwd_3 -t 131072 -i input_file -o encrypted

Decrypt the previous file:

 python aes_cipher_app.py -m dec -p test_pwd_1,test_pwd_2,test_pwd_3 -t 131072 -i encrypted -o decrypted

FAQs

What is the AES cipher? ›

The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to protect classified information. AES is implemented in software and hardware throughout the world to encrypt sensitive data. It is essential for government computer security, cybersecurity and electronic data protection.

Read On ›

Is 256 AES a weak cipher? ›

AES-256 encryption algorithm is widely recognized as one of the most secure and robust encryption methods available today. It provides a high level of protection for sensitive data by using a 256-bit key, making it extremely difficult for unauthorized individuals to decrypt the information.

Discover More Details ›

Is AES still used? ›

AES encryption is a symmetric cryptography algorithm. This means that the encryption and decryption process uses the same key for both processes. AES has been the standard for symmetric encryption for the last few decades, and is still widely used today for its secure encryption capabilities.

Is AES decrypt or encrypt? ›

AES is implemented in hardware and software worldwide to encrypt sensitive data. It is a symmetric block cipher essential for government computer security, electronic data protection, and cybersecurity.

See Details ›

Has AES been cracked? ›

A machine that can crack a DES key in a second would take 149 trillion years to crack a 128-bit AES key. Hence, it is safe to say that AES-128 encryption is safe against brute-force attacks. AES has never been cracked yet and it would take large amounts of computational power to crack this key.

Find Out More ›

What is the secret key in AES? ›

AES is a block cipher that takes a fixed-size key and fixed-size plaintext, and returns fixed-size ciphertext. AES has three variants that are selected based on the secret key length, all of which use a fixed-sized block of 16 bytes (or 128 bits).

Tell Me More ›

Will AES ever be broken? ›

AES-256 is unbreakable by brute force

The larger the key size, the more difficult it becomes to break the encryption. Breaking AES-256 will require large amounts of computing power making it impossible for malicious actors to generate the necessary brute force to break AES-256 encryption.

Show Me More ›

Does the US government use AES? ›

AES has been adopted by the U.S. government. It supersedes the Data Encryption Standard (DES), which was published in 1977.

Explore More ›

Is AES the strongest encryption? ›

AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today. While it is theoretically true that AES 256-bit encryption is harder to crack than AES 128-bit encryption, AES 128-bit encryption has never been cracked.

Is AES public key or private key? ›

AES is a symmetric key algorithm, which means there is just one key, used both to encrypt and decrypt. This is different from RSA, where you have two keys - a private one and a public one, related in a specific way. AES keys are simply random bytes.

Show Me More ›

How do I know if my AES is encrypted? ›

On the right, under Disk Properties, if you see the following text: Status: Encrypted - AES, then your hard drive is encrypted.

Read The Full Story ›

What does AES stand for? ›

The Advanced Encryption Standard (AES) is an algorithm that uses the same key to encrypt and decrypt protected data.

See Details ›

What is the strongest AES cipher? ›

AES-256 is considered to be quantum resistant, as it has similar quantum resistance to AES-128's resistance against traditional, non-quantum, attacks at 128 bits of security. AES-192 and AES-128 are not considered quantum resistant due to their smaller key sizes.

Get More Info Here ›

Is AES a cybercrime? ›

AES stands for Advanced Encryption Standard, which is actually a cryptographic algorithm used to secure data through encryption and decryption processes. It is not a form of cybercrime but rather a method of protecting data from being compromised by unauthorized individuals.

Does AES use a key? ›

Advanced Encryption Standard (AES) 256 is a virtually impenetrable symmetric encryption algorithm that uses a 256-bit key to convert your plain text or data into a cipher.