Let’s do a Python AES CBC Mode Encrypt example. Python 3.8.10 will be used.
AES (Advanced Encryption Standard) is a method of data encryption established in 2001. It is a block cipher and uses a symmetric-key algorithm, which means the same key is used for both encryption and decryption of the data.
CBC (Cipher Block Chaining) is a mode of operation of AES whose strength lies in its ability to reliably obfuscate patterns in the plaintext. To achieve this, an initialization vector or iv is used in the first block and each subsequent block of plaintext is “XOR’d” with the previous block of ciphertext before being encrypted. This makes each ciphertext block dependent on the chain of processed plaintext blocks that came before it. Recall that XOR or Exclusive Or is a logical operation that is true only if the arguments are different.
First, let’s import the library to be used, pycryptodome:
pip install pycryptodomexNow, let’s write our code:
from base64 import b64encode
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Random import get_random_bytes
sensitive_data = b"ALIENS DO EXIST!!!!"
key = get_random_bytes(16) #must be 16, 24 or 32 bytes long
cipher = AES.new(key, AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(sensitive_data, AES.block_size))
print(f"iv: {b64encode(cipher.iv).decode('utf-8')}")
print(f"ciphertext:{b64encode(ciphertext).decode('utf-8')}")
print(f"key: {b64encode(key).decode('utf-8')}")
#Sample output
#iv: V3/oW179L1BRtRP11Nfc/w==
#ciphertext:0W6tw7CduTlymN8tOeWAL4UhCuu0ItyV7oZ7q3JWx3k=
#key: jbFlVdSLxI7kWkQTTjvoyQ==Let’s explain what is happening here:
- We import the libraries we will need.
- We define the data to be encrypted as sensitive_data. This is the plaintext.
- The key is the user defined value required by the AES cipher to encrypt the data and it must be 16, 24 or 32 bytes long. Because AES uses the symmetric-key algorithm both the encryption and decryption key is the same. The key must be kept secret.
- The variable cipher is a CBC Cipher object. It is the return value of the AES.new() method which accepts the key and the AES encryption mode which, for the CBC method, must be MODE_CBC.
- The variable ciphertext is the encrypted plaintext. The method cipher.encrypt() accepts the sensitive_data to be encrypted as a parameter, but it expects the data to have a length that is a multiple of the AES.block_size which is 16 bytes. To achieve that, we pass the block size and data to the pad() function which pads the data if needed to ensure that it is a multiple of the block size, else the cipher will return an error.
- The iv is the initialization vector that is needed by the AES algorithm. It is the same length as the block size. If one is not explicitly provided a random iv will be generated, as it was in this case. The actual value is accessible by using the built in variable cipher.iv
When the above code executes you will see three values on the terminal/console/command line: the iv or initialization vector, the ciphertext and the key. Each values is encoded in base64 to make it readable. Be sure to take note of these 3 values because they will be needed for the DECRYPTION tutorial.
The next step would be to DECRYPT this data, which we will do in PART 2 of this tutorial.
Thanks for reading!👌👌👌
