Splitting into languages

Author: martinthomson

decrypt.js nodejs/decrypt.jsdecrypt.js renamed to nodejs/decrypt.js

@@ -0,0 +1,19 @@
+'use strict';
+
+var base64 = require('urlsafe-base64');
+var crypto = require('crypto');
+var ece = require('./ece.js');
+
+if (process.argv.length < 5) {
+  console.warn('Usage: ' + process.argv.slice(0, 2).join(' ') +
+               ' <key> <salt> <message>');
+  process.exit(2);
+}
+
+var result = ece.decrypt(base64.decode(process.argv[4]), {
+  key: process.argv[2],
+  salt: process.argv[3]
+});
+
+console.log(base64.encode(result));
+console.log(result.toString('utf-8'));

nodejs/decrypt2.js

@@ -0,0 +1,19 @@
+'use strict';
+
+var base64 = require('urlsafe-base64');
+var crypto = require('crypto');
+var ece = require('./ece.js');
+
+if (process.argv.length < 5) {
+  console.warn('Usage: ' + process.argv.slice(0, 2).join(' ') +
+               ' <key> <salt> <message>');
+  process.exit(2);
+}
+
+var result = ece.encrypt(base64.decode(process.argv[4]), {
+  key: process.argv[2],
+  salt: process.argv[3]
+});
+
+console.log(base64.encode(result));
+console.log(result.toString('utf-8'));

ece.js nodejs/ece.jsece.js renamed to nodejs/ece.js

@@ -0,0 +1,8 @@
+var base64 = require('urlsafe-base64');
+var crypto = require('crypto');
+
+var buffer = base64.decode('HH5QdMESn_mjg-BDyY6xrURjmeHmlesP3l7HopOOMAhtcWkH7KNKlxLlkBoligipE3pr6hoCbzdv1IOBErrrphIWIZIkyt7WZybg4o0PudVQaFoL82x2MpashMq2lqmVM6HY_GdSYyANzpeiXA7T6EoicC1Y');
+var gcm = crypto.createDecipheriv('id-aes128-GCM', base64.decode('HUV2cCEaSNAX0FWaZgMlzA'), base64.decode('YJ8P9Oy8k5J7TWoW'));
+gcm.setAuthTag(buffer.slice(buffer.length - 16));
+var data = Buffer.concat([gcm.update(buffer.slice(0, buffer.length - 16)), gcm.final()]);
+console.log(base64.encode(data.slice(1)));

nodejs/encrypt2.js

@@ -0,0 +1,131 @@
+import os, struct
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.ciphers import (
+    Cipher, algorithms, modes
+)
+import pyelliptic
+
+keys = {}
+
+def deriveKey(salt, key=None, dh=None, keyid=None):
+    if salt is None or len(salt) != 16:
+        raise Exception(u"'salt' must be a 16 octet value")
+
+    if key is not None:
+        secret = key
+    elif dh is not None:
+        if keyid is None:
+            raise Exception(u"'keyid' is not specified with 'dh'")
+        if keys[keyid] is None:
+            raise Exception(u"'keyid' doesn't identify a key")
+        secret = keys[keyid].get_ecdh_key(dh)
+    elif keyid is not None:
+        secret = keys[keyid]
+    if secret is None:
+        raise Exception(u"unable to determine the secret")
+
+    hkdf_key = HKDF(
+        algorithm=hashes.SHA256(),
+        length=16,
+        salt=salt,
+        info=b"Content-Encoding: aesgcm128",
+        backend=default_backend()
+    )
+    hkdf_nonce = HKDF(
+        algorithm=hashes.SHA256(),
+        length=12,
+        salt=salt,
+        info=b"Content-Encoding: nonce",
+        backend=default_backend()
+    )
+    return (hkdf_key.derive(secret), hkdf_nonce.derive(secret))
+
+def iv(base, counter):
+    if (counter >> 64) != 0:
+        raise Exception(u"Counter too big")
+    (mask,) = struct.unpack("!Q", base[4:])
+    return base[:4] + struct.pack("!Q", counter ^ mask)
+
+def decrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096):
+    def decryptRecord(key, nonce, counter, buffer):
+        decryptor = Cipher(
+            algorithms.AES(key),
+            modes.GCM(iv(nonce, counter), tag=buffer[-16:]),
+            backend=default_backend()
+        ).decryptor()
+        data = decryptor.update(buffer[:-16]) + decryptor.finalize()
+        (pad,) = struct.unpack("!B", data[0]);
+        if data[1:1+pad] != (b"\x00" * pad):
+            raise Exception(u"Bad padding")
+        data = data[1+pad:]
+        return data
+
+    (key_, nonce_) = deriveKey(salt=salt, key=key, keyid=keyid, dh=dh)
+    if rs < 2:
+        raise Exception(u"Record size too small")
+    rs += 16 # account for tags
+    if len(buffer) % rs == 0:
+        raise Exception(u"Message truncated")
+
+    result = b""
+    counter = 0
+    for i in xrange(0, len(buffer), rs):
+        result += decryptRecord(key_, nonce_, counter, buffer[i:i+rs])
+        ++counter
+    return result
+
+def encrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096):
+    def encryptRecord(key, nonce, counter, buffer):
+        encryptor = Cipher(
+            algorithms.AES(key),
+            modes.GCM(iv(nonce, counter)),
+            backend=default_backend()
+        ).encryptor()
+        data = encryptor.update(b"\x00" + buffer) + encryptor.finalize()
+        data += encryptor.tag
+        return data
+
+    (key_, nonce_) = deriveKey(salt=salt, key=key, keyid=keyid, dh=dh)
+    if rs < 2:
+        raise Exception(u"Record size too small")
+    rs -= 1 # account for padding
+
+    result = b""
+    counter = 0
+    # the extra one ensures that we produce a padding only record if the data
+    # length is an exact multiple of rs-1
+    for i in xrange(0, len(buffer) + 1, rs):
+        result += encryptRecord(key_, nonce_, counter, buffer[i:i+rs])
+        ++counter
+    return result
+
+if __name__ == "__main__":
+    import base64
+
+    salt=base64.urlsafe_b64decode("mUFsKgrmI-i_-HowjX_2XA==")
+    key=base64.urlsafe_b64decode("F-hAEGCm7KIGUiSdS4GGtA==")
+    m = base64.urlsafe_b64decode("iEPbDBuohQLznv45IlaF1eLRCeu6aWfsq-pDP7OnzgH4A0x5lyIEVAfM39RgeLekW1VgZWIFL_WvuveEhaHj0-iEvxDHw_apYGFYWEY6KmMhXgWPmFZ-2wAMnDsQ-DDVbZHsXw==")
+    rs=3300
+    print ("message", len(m),  base64.urlsafe_b64encode(m))
+    e = encrypt(m, salt=salt, key=key, rs=rs)
+    print ("encrypted", len(e), base64.urlsafe_b64encode(e))
+    d = decrypt(e, salt=salt, key=key, rs=rs)
+    print ("decrypted", len(d), base64.urlsafe_b64encode(d))
+    print (m == d)
+
+    salt = os.urandom(16)
+    print ("salt", base64.urlsafe_b64encode(salt))
+    keys["receiver"] = pyelliptic.ECC(curve="prime256v1")
+    print ("receiver", base64.urlsafe_b64encode(keys["receiver"].get_pubkey()),
+           base64.urlsafe_b64encode(keys["receiver"].get_privkey()))
+    keys["sender"] = pyelliptic.ECC(curve="prime256v1")
+    print ("sender", base64.urlsafe_b64encode(keys["sender"].get_pubkey()),
+           base64.urlsafe_b64encode(keys["sender"].get_privkey()))
+
+    e = encrypt(m, salt=salt, keyid="sender", dh=keys["receiver"].get_pubkey(), rs=rs)
+    print ("encrypted", len(e), base64.urlsafe_b64encode(e))
+    d = decrypt(e, salt=salt, keyid="receiver", dh=keys["sender"].get_pubkey(), rs=rs)
+    print ("decrypted", len(d), base64.urlsafe_b64encode(d))
+    print (m == d)

nodejs/gcm.js

@@ -0,0 +1,137 @@
+import ece
+import base64
+import os
+import struct
+import sys
+import pyelliptic
+
+count = 20
+if len(sys.argv) > 1:
+    count = int(sys.argv[1])
+maxLen = 100
+if len(sys.argv) > 2:
+    maxLen = int(sys.argv[2])
+
+def log(arg):
+    if (count == 1):
+        print arg
+
+def rlen():
+    return struct.unpack_from('=H', os.urandom(2))[0]
+
+def encryptDecrypt(length, encryptParams, decryptParams=None):
+    if decryptParams is None:
+        decryptParams = encryptParams
+    log('Salt: ' + base64.urlsafe_b64encode(encryptParams['salt']))
+    input = os.urandom(min(length, maxLen))
+    # input = new Buffer('I am the walrus')
+    log('Input: ' + base64.urlsafe_b64encode(input))
+    encrypted = ece.encrypt(input, salt=encryptParams.get('salt'), key=encryptParams.get('key'), keyid=encryptParams.get('keyid'), dh=encryptParams.get('dh'), rs=encryptParams.get('rs'))
+    log('Encrypted: ' + base64.urlsafe_b64encode(encrypted))
+    decrypted = ece.decrypt(encrypted, salt=decryptParams.get('salt'), key=decryptParams.get('key'), keyid=decryptParams.get('keyid'), dh=decryptParams.get('dh'), rs=decryptParams.get('rs'))
+    log('Decrypted: ' + base64.urlsafe_b64encode(decrypted))
+    assert input == decrypted
+    log("----- OK");
+
+
+def useExplicitKey():
+    params = {
+        'key': os.urandom(16),
+        'salt': os.urandom(16),
+        'rs': rlen() + 1
+    }
+    log('Key: ' + base64.urlsafe_b64encode(params['key']))
+    encryptDecrypt(rlen() + 1, params)
+
+
+def exactlyOneRecord():
+    length = min(rlen(), maxLen)
+    params = {
+        'key': os.urandom(16),
+        'salt': os.urandom(16),
+        'rs': length + 1
+    }
+    encryptDecrypt(length, params)
+
+
+def detectTruncation():
+    length = min(rlen(), maxLen)
+    key = os.urandom(16)
+    salt = os.urandom(16)
+    rs = length + 1
+    input = os.urandom(min(length, maxLen))
+    encrypted = ece.encrypt(input, salt=salt, key=key, rs=rs)
+    ok = False
+    try:
+        ece.decrypt(encrypted[0:length + 1 + 16], salt=salt, key=key, rs=rs)
+    except Exception as e:
+        log('Decryption error: %s' % e.args)
+        log('----- OK')
+        ok = True
+
+    if not ok:
+        raise Exception('Decryption succeeded, but should not have')
+
+
+
+def useKeyId():
+    keyid = base64.urlsafe_b64encode(os.urandom(16))
+    key = os.urandom(16)
+    ece.keys[keyid] = key
+    params = {
+        'keyid': keyid,
+        'salt': os.urandom(16),
+        'rs': rlen() + 1
+    }
+    encryptDecrypt(rlen(), params)
+
+
+# This is a complete crap-shoot: the pre-eminent crypto library in python
+# doesn't even do ECDH; so this doesn't actually work
+def useDH():
+    def isUncompressed(k):
+        b1 = k.get_pubkey()[0]
+        assert struct.unpack("B", b1)[0] == 4, 'is an uncompressed point'
+
+    # the static key is used by the receiver
+    staticKey = pyelliptic.ECC(curve='prime256v1')
+    isUncompressed(staticKey)
+    staticKeyId = base64.urlsafe_b64encode(staticKey.get_pubkey()[1:])
+    ece.keys[staticKeyId] = staticKey
+
+    log('Receiver private: ' + base64.urlsafe_b64encode(staticKey.get_privkey()))
+    log('Receiver public: ' + base64.urlsafe_b64encode(staticKey.get_pubkey()))
+
+    # the ephemeral key is used by the sender
+    ephemeralKey = pyelliptic.ECC(curve='prime256v1')
+    isUncompressed(ephemeralKey)
+    ephemeralKeyId = base64.urlsafe_b64encode(ephemeralKey.get_pubkey()[1:])
+    ece.keys[ephemeralKeyId] = ephemeralKey
+
+    log('Sender private: ' + base64.urlsafe_b64encode(ephemeralKey.get_privkey()))
+    log('Sender public: ' + base64.urlsafe_b64encode(ephemeralKey.get_pubkey()))
+
+    encryptParams = {
+        'keyid': ephemeralKeyId,
+        'dh': staticKey.get_pubkey(),
+        'salt': os.urandom(16),
+        'rs': rlen() + 1
+    }
+    decryptParams = {
+        'keyid': staticKeyId,
+        'dh': ephemeralKey.get_pubkey(),
+        'salt': encryptParams['salt'],
+        'rs': encryptParams['rs']
+    }
+
+    encryptDecrypt(rlen(), encryptParams, decryptParams)
+
+if __name__ == '__main__':
+    for i in range(0,count):
+        useExplicitKey()
+        exactlyOneRecord()
+        detectTruncation()
+        useKeyId()
+        useDH()
+
+    print 'All tests passed.'