def test_unicode_typeerror(self, backend):
with pytest.raises(TypeError):
HKDF(hashes.SHA256(), 16, salt="foo", info=None, backend=backend)
with pytest.raises(TypeError):
HKDF(hashes.SHA256(), 16, salt=None, info="foo", backend=backend)
with pytest.raises(TypeError):
hkdf = HKDF(hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend)
hkdf.derive("foo")
with pytest.raises(TypeError):
hkdf = HKDF(hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend)
hkdf.verify("foo", b"bar")
with pytest.raises(TypeError):
hkdf = HKDF(hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend)
hkdf.verify(b"foo", "bar")
def test_already_finalized(self, backend):
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
hkdf.derive(b"\x01" * 16)
with pytest.raises(AlreadyFinalized):
hkdf.derive(b"\x02" * 16)
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
hkdf.verify(b"\x01" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u")
with pytest.raises(AlreadyFinalized):
hkdf.verify(b"\x02" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u")
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
def hashed_encryption_password_to_encryption_secret(user_id,
hashed_encryption_password,
key_size, iv_size):
"""Derives encryption secret cryptomaterial (key, IV) from the provided encryption password and config."""
backend = default_backend()
salt = UUID(user_id).bytes
key_info = '{}-encryption-key'.format(user_id).encode(DEFAULT_ENCODING)
iv_info = '{}-encryption-iv'.format(user_id).encode(DEFAULT_ENCODING)
key_kdf = HKDF(algorithm=hashes.SHA512(),
length=key_size,
salt=salt,
info=key_info,
backend=backend)
iv_kdf = HKDF(algorithm=hashes.SHA512(),
length=iv_size,
salt=salt,
info=iv_info,
backend=backend)
key = key_kdf.derive(key_material=hashed_encryption_password)
iv = iv_kdf.derive(key_material=hashed_encryption_password)
return key, iv
def deriveKey(salt, key=None, dh=None, keyid=None):
if salt is None or len(salt) != 16:
raise Exception(u"'salt' must be a 16 octet value")
if key is not None:
secret = key
elif dh is not None:
if keyid is None:
raise Exception(u"'keyid' is not specified with 'dh'")
if keys[keyid] is None:
raise Exception(u"'keyid' doesn't identify a key")
secret = keys[keyid].get_ecdh_key(dh)
elif keyid is not None:
secret = keys[keyid]
if secret is None:
raise Exception(u"unable to determine the secret")
hkdf_key = HKDF(
algorithm=hashes.SHA256(),
length=16,
salt=salt,
info=b"Content-Encoding: aesgcm128",
backend=default_backend()
)
hkdf_nonce = HKDF(
algorithm=hashes.SHA256(),
length=12,
salt=salt,
info=b"Content-Encoding: nonce",
backend=default_backend()
)
return (hkdf_key.derive(secret), hkdf_nonce.derive(secret))
def exchange(config: Config, context: dict, expected_tlv_state: TlvState, encrypted_data: bytes) -> List[dict]:
"""pair_setup M5 and M6"""
srp = context.get('srp')
if expected_tlv_state != TlvState.m5 or not srp:
return _error(TlvState.m6, TlvError.unknown, 'Unexpected pair_setup state')
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_ENCRYPT, info=INFO_ENCRYPT, backend=default_backend())
decrypt_key = hkdf.derive(srp.session_key)
chacha = ChaCha20Poly1305(decrypt_key)
try:
data = chacha.decrypt(NONCE_SETUP_M5, encrypted_data, None)
except InvalidTag:
return _error(TlvState.m6, TlvError.authentication, 'pair_setup M5: invalid auth tag during chacha decryption')
try:
tlv = tlv_parser.decode(data)[0]
except ValueError:
return _error(TlvState.m6, TlvError.authentication, 'unable to decode decrypted tlv data')
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_CONTROLLER, info=INFO_CONTROLLER, backend=default_backend())
ios_device_x = hkdf.derive(srp.session_key)
ios_device_info = ios_device_x + tlv[TlvCode.identifier].encode() + tlv[TlvCode.public_key]
if not _verify_ed25519(key=tlv[TlvCode.public_key], message=ios_device_info, signature=tlv[TlvCode.signature]):
return _error(TlvState.m6, TlvError.authentication, 'ios_device_info ed25519 signature verification is failed')
config.add_pairing(tlv[TlvCode.identifier], tlv[TlvCode.public_key], ControllerPermission.admin) # save pairing
# M6 response generation
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_ACCESSORY, info=INFO_ACCESSORY, backend=default_backend())
accessory_x = hkdf.derive(srp.session_key)
signing_key = ed25519.SigningKey(config.accessory_ltsk)
public_key = signing_key.get_verifying_key().to_bytes()
accessory_info = accessory_x + config.device_id.encode() + public_key
accessory_signature = signing_key.sign(accessory_info)
sub_tlv = tlv_parser.encode([{
TlvCode.identifier: config.device_id,
TlvCode.public_key: public_key,
TlvCode.signature: accessory_signature,
}])
encrypted_data = chacha.encrypt(NONCE_SETUP_M6, sub_tlv, None)
config.pair_setup_mode = False
return [{
TlvCode.state: TlvState.m6,
TlvCode.encrypted_data: encrypted_data,
}]
def test_unicode_typeerror(self, backend):
with pytest.raises(TypeError):
HKDF(
hashes.SHA256(),
16,
salt=six.u("foo"),
info=None,
backend=backend
)
with pytest.raises(TypeError):
HKDF(
hashes.SHA256(),
16,
salt=None,
info=six.u("foo"),
backend=backend
)
with pytest.raises(TypeError):
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
hkdf.derive(six.u("foo"))
with pytest.raises(TypeError):
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
hkdf.verify(six.u("foo"), b"bar")
with pytest.raises(TypeError):
hkdf = HKDF(
hashes.SHA256(),
16,
salt=None,
info=None,
backend=backend
)
hkdf.verify(b"foo", six.u("bar"))
def get_encrypted_message(self):
if not self.shared_key:
return { "IV": "", "Ciphertext": "" }
# Derive the key
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
hkdf = HKDF(algorithm = hashes.SHA256(), length = 32, salt = None, info = b'dhexercise', backend = default_backend())
from os import urandom
IV = urandom(16)
aes_key = hkdf.derive(self.shared_key)
"""
Single block AES in CTR mode. Use a new random IV and return this as well.
"""
# Message masked with a caesar cipher to make it a surprise!
message = b"Iutmxgz{rgzouty2&\x7fu{-|k&y{iikyyl{r" \
b"r\x7f&yngxkj&g&jollok3nkrrsgt&qk\x7f2" \
b"&znkt&jkxo|kj&g&y\x7fsskzxoi&qk\x7f&g" \
b"tj&jkix\x7fvzkj&znoy&skyygmk'"
cipher = Cipher(algorithms.AES(aes_key), modes.CTR(IV), backend=default_backend())
encryptor = cipher.encryptor()
ciphertext = encryptor.update(bytes([b - 6 % 255 for b in message])) + encryptor.finalize()
return { "IV": IV, "Ciphertext": ciphertext }
def extract(
self,
key: COSEKeyInterface,
alg: Optional[int] = None,
context: Optional[Union[List[Any], Dict[str, Any]]] = None,
) -> COSEKeyInterface:
if not context:
raise ValueError("context should be set.")
if isinstance(context, dict):
alg = self._alg if isinstance(self._alg, int) else 0
context = to_cis(context, alg)
else:
self._validate_context(context)
# Derive key.
hkdf = HKDF(
algorithm=self._hash_alg,
length=COSE_KEY_LEN[context[0]] // 8,
salt=self._salt,
info=self._dumps(context),
)
derived = hkdf.derive(key.key)
return COSEKey.from_symmetric_key(derived,
alg=context[0],
kid=self._kid)
def derive_key(key_material, info, algorithm=None, length=None):
if algorithm is None:
algorithm = hashes.SHA512()
if length is None:
length = algorithm.digest_size
hkdf = HKDF(algorithm, length, b'h.security', info, backend)
return hkdf.derive(key_material)
def kdf_ntor(key, length):
hkdf_object = HKDF(algorithm=SHA256(),
length=length,
salt=T_KEY,
info=M_EXPAND,
backend=_default_backend)
return hkdf_object.derive(key)
def hkdf_func(shared_secret):
backend = default_backend()
info = b'mb_security'
hkdf = HKDF(algorithm=hashes.SHA256(),length=32, info=info, backend = backend, salt=None)
derived_key=hkdf.derive(shared_secret)
print('hkdf: {}' .format(ba.hexlify(derived_key)))
return derived_key
def hkdf(inp, length):
hkdf = HKDF(algorithm=hashes.SHA256(),
length=length,
salt=b'',
info=b'',
backend=default_backend())
return hkdf.derive(inp)
def process_secret(self, message: str) -> bool:
logger.debug("Process Secret: {}".format(message))
if self.state == STATE_KEY:
load_client_pub_key = load_pem_public_key(
self.pub_key_client, backend=default_backend())
secret = self.priv_key_server.exchange(load_client_pub_key)
if (self.sintese == "SHA512"):
sintese = hashes.SHA512()
else:
sintese = hashes.SHA256()
if ("CHACHA20" in self.cipher):
size = int(int(self.cipher.split("CHACHA20")[1]) / 8)
else:
size = int(int(self.cipher.split("AES")[1]) / 8)
kdf = HKDF(algorithm=sintese,
length=size,
salt=None,
info=b'handshake data',
backend=default_backend())
self.key = kdf.derive(secret)
self.state = STATE_SECRET
else:
logger.warning("Invalid state. Discarding")
return False
self._send({'type': 'OK'})
return True
def test_keys(args):
iviv, ctct, LSV, CV, PROD, RANGE = args
BOUND = (1 << 224)
for i in range(RANGE[0], RANGE[1]):
res = 0
for j in range(25):
u, v = LSV[j]
if ((i >> j) & 1) == 0:
res += CV[j] * u
else:
res += CV[j] * (v - u)
res = res % PROD
sec = int(res)
if sec > BOUND:
continue
sec = sec.to_bytes(28, "big")
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=16,
salt=None,
info=FLAG_CIPHER_KDF_INFO,
)
key = hkdf.derive(sec)
cipher = Cipher(algorithms.AES(key), modes.CTR(iviv))
decryptor = cipher.encryptor()
flag = decryptor.update(ctct) + decryptor.finalize()
if b"ctf{" in flag or b"CTF{" in flag:
print(flag)
return flag
return None
def encryption_step_4(self, module, message, additional_data, cm):
server_ephemeral_public_key_stream = message[len(self.cmh_struct_encryption[3][0]):]
try:
public_numbers = ec.EllipticCurvePublicNumbers.from_encoded_point(self.curve, "\x04"+server_ephemeral_public_key_stream)
except:
common.internal_print("Erroneous key received from the server. Are you sure you are using the same settings on both sides?", -1)
return module.cmh_struct[cm][4+module.is_caller_stateless()]
server_ephemeral_public_key = public_numbers.public_key(default_backend())
client_ephemeral_private_key = ec.generate_private_key(self.curve, default_backend())
client_ephemeral_public_key = client_ephemeral_private_key.public_key()
module.encryption.set_private_key(client_ephemeral_private_key)
module.encryption.set_public_key(client_ephemeral_public_key)
pbk = client_ephemeral_public_key.public_numbers().encode_point()[1:]
module.send(common.CONTROL_CHANNEL_BYTE, self.cmh_struct_encryption[4][0]+pbk, module.modify_additional_data(additional_data, 0))
hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt="IRatherEatMaldonThanHimalayan", info=None, backend=default_backend())
module.encryption.set_shared_key(hkdf.derive(client_ephemeral_private_key.exchange(ec.ECDH(), server_ephemeral_public_key)))
module.post_encryption_client(message[len(self.cmh_struct_encryption[3][0]):], additional_data)
common.internal_print("Encryption key agreed with the server.", 1)
return module.cmh_struct[cm][3]
def encryption_step_3(self, module, message, additional_data, cm):
client_public_key_stream = message[len(self.cmh_struct_encryption[2][0]):]
try:
public_numbers = ec.EllipticCurvePublicNumbers.from_encoded_point(self.curve, "\x04"+client_public_key_stream)
except:
common.internal_print("Erroneous key received from the client. Are you sure you are using the same settings on both sides?", -1)
return module.cmh_struct[cm][4+module.is_caller_stateless()]
client_public_key = public_numbers.public_key(default_backend())
c = module.lookup_client_pub(additional_data)
hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt="IRatherEatMaldonThanHimalayan", info=None, backend=default_backend())
c.get_encryption().set_shared_key(hkdf.derive(self.server_private_key.exchange(ec.ECDH(), client_public_key)))
server_ephemeral_private_key = ec.generate_private_key(self.curve, default_backend())
server_ephemeral_public_key = server_ephemeral_private_key.public_key()
# no need to save, but who knows?!
c.get_encryption().set_private_key(server_ephemeral_private_key)
c.get_encryption().set_public_key(server_ephemeral_public_key)
c.get_encryption().set_encrypted(True)
pbk = server_ephemeral_public_key.public_numbers().encode_point()[1:]
module.send(common.CONTROL_CHANNEL_BYTE, self.cmh_struct_encryption[3][0]+pbk, module.modify_additional_data(additional_data, 1))
return module.cmh_struct[cm][3]
def verify_start(config: Config, context: dict, ios_device_public_key: bytes) -> List[dict]:
"""pair_verify M1 and M2"""
curve25519 = X25519PrivateKey.generate()
accessory_curve25519_public_key: bytes = curve25519.public_key().public_bytes()
shared_secret: bytes = curve25519.exchange(X25519PublicKey.from_public_bytes(ios_device_public_key))
accessory_info: bytes = accessory_curve25519_public_key + config.device_id.encode() + ios_device_public_key
signing_key = ed25519.SigningKey(config.accessory_ltsk)
accessory_signature = signing_key.sign(accessory_info)
sub_tlv = tlv_parser.encode([{
TlvCode.identifier: config.device_id,
TlvCode.signature: accessory_signature,
}])
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_VERIFY, info=INFO_VERIFY, backend=default_backend())
session_key = hkdf.derive(shared_secret)
chacha = ChaCha20Poly1305(session_key)
encrypted_data = chacha.encrypt(NONCE_VERIFY_M2, sub_tlv, None)
context['session_key'] = session_key
context['shared_secret'] = shared_secret
context['accessory_curve25519_public_key'] = accessory_curve25519_public_key
context['ios_device_curve25519_public_key'] = ios_device_public_key
return [{
TlvCode.state: TlvState.m2,
TlvCode.public_key: accessory_curve25519_public_key,
TlvCode.encrypted_data: encrypted_data,
}]
def hkdf_expand_and_extract(
secret: bytes,
initiator_node_id: NodeID,
recipient_node_id: NodeID,
salt: bytes,
) -> Tuple[bytes, bytes, bytes]:
info = b"".join((HKDF_INFO, initiator_node_id, recipient_node_id))
hkdf = HKDF(
algorithm=SHA256(),
length=3 * AES128_KEY_SIZE,
salt=salt,
info=info,
backend=cryptography_default_backend(),
)
expanded_key = hkdf.derive(secret)
if len(expanded_key) != 3 * AES128_KEY_SIZE:
raise Exception("Invariant: Secret is expanded to three AES128 keys")
initiator_key = expanded_key[:AES128_KEY_SIZE]
recipient_key = expanded_key[AES128_KEY_SIZE:2 *
AES128_KEY_SIZE] # noqa: E203
auth_response_key = expanded_key[2 * AES128_KEY_SIZE:3 *
AES128_KEY_SIZE # noqa: E203
]
return initiator_key, recipient_key, auth_response_key
def KDF(self):
print(self.sent_rand)
print(self.recv_rand)
if "2" in str(self.state):
print("Client kdf")
self.masterkey = self.sent_rand
self.masterkey += self.recv_rand #self.server_rand
else:
print("Server kdf")
self.masterkey = self.recv_rand #self.server_rand
self.masterkey += self.sent_rand
#print(self.masterkey)
self.masterkey += self.pmk
#print(self.masterkey)
kdf = HKDF(algorithm=hashes.SHA256(),
salt=b'',
info=None,
length=48,
backend=default_backend())
gen = kdf.derive(self.masterkey)
#print("<><><><><><><> "+ str(gen)+ "<><><><><><><><><><>")
self.client_write_key = gen[0:16]
self.server_write_key = gen[16:32]
self.client_iv = gen[32:40]
self.server_iv = gen[40:48]
if "2" in str(self.state):
self.sendFin()
def get_filename_and_key(self, upath, ext=None):
path = upath.encode('utf-8')
nonpath = b"//\x00" # cannot occur in path, which is normalized
# Generate per-file key material via HKDF
info = path
if ext is not None:
info += nonpath + ext
hkdf = HKDF(algorithm=hashes.SHA256(),
length=3 * 32,
salt=self.salt_hkdf,
info=info,
backend=backend)
data = hkdf.derive(self.key)
# Generate key
key = data[:32]
# Generate filename
h = hmac.HMAC(key=data[32:],
algorithm=hashes.SHA512(),
backend=backend)
h.update(info)
fn = h.finalize().encode('hex')
return os.path.join(self.path, fn), key
def derive_keys(self, name: str) -> SSSSDerivedKeys:
hkdf = HKDF(SHA256(), 64, None, name.encode('utf-8'), backend = default_backend())
kmat = hkdf.derive(self)
aes_key = SecretKey(kmat[:32])
hmac_key = SecretKey(kmat[32:])
return SSSSDerivedKeys(aes_key, hmac_key)
def get_derived_key(shared_key: bytes,
data: bytes = None,
lenght: int = 32,
salt: int = None,
algorithm: hashes = None) -> bytes:
"""
Creates a derived key
A common key between a server and client
:param shared_key: key received from the other party
:type shared_key: bytes
:param data: data to include in the derived key
:type data: bytes
:param lenght: lenght of the key
:type lenght: int
:param salt: iterations used
:type salt: int
:param algorithm: type of algorithm that was used to create the public key
:type algorithm: cryptography.hazmat.primitives.hashes
:return:
"""
if not bool(algorithm):
algorithm = hashes.SHA256()
derived_key = HKDF(algorithm=algorithm,
length=lenght,
salt=salt,
info=data,
backend=default_backend())
return derived_key.derive(shared_key)
def symmetric_key_gen(self):
if (self.digest == "SHA256"):
alg = hashes.SHA256()
elif (self.digest == "SHA384"):
alg = hashes.SHA384()
elif (self.digest == "MD5"):
alg = hashes.MD5()
elif (self.digest == "SHA512"):
alg = hashes.SHA512()
elif (self.digest == "BLAKE2"):
alg = hashes.BLAKE2b(64)
kdf = HKDF(algorithm=alg,
length=32,
salt=None,
info=b'handshake data',
backend=default_backend())
key = kdf.derive(self.shared_key)
if self.symmetric_cipher == 'AES':
self.symmetric_key = key[:16]
elif self.symmetric_cipher == '3DES':
self.symmetric_key = key[:8]
elif self.symmetric_cipher == 'ChaCha20':
self.symmetric_key = key[:32]
def get_encrypted_message(self):
if not self.shared_key:
return {"IV": "", "Ciphertext": ""}
# Derive the key
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
hkdf = HKDF(algorithm=hashes.SHA256(),
length=32,
salt=None,
info=b'ecdhexercise',
backend=default_backend())
from os import urandom
IV = urandom(16)
aes_key = hkdf.derive(self.shared_key)
"""
Single block AES in CTR mode. Use a new random IV and return this as well.
"""
message = b'\x87\x95\x9c\x9cP\x94\x9f\x9e\x95QP\x89\x9f\xa5W\xa6\x95P\x93' \
b'\x9f\x9d\xa0\x9c\x95\xa4\x95\x94P\xa4\x98\x95P\x95\xa8\xa4' \
b'\xa2\x91P\x95\xa8\x95\xa2\x93\x99\xa3\x95P\x91\x9e\x94P\xa0' \
b'\x95\xa2\x96\x9f\xa2\x9d\x95\x94P\x91\x9ePustxP\x95\xa8\x93' \
b'\x98\x91\x9e\x97\x95P\xa5\xa3\x99\x9e\x97P\xa4\x98\x95P~y' \
b'\x83\x84P\x80]befPs\xa5\xa2\xa6\x95Q'
cipher = Cipher(algorithms.AES(aes_key),
modes.CTR(IV),
backend=default_backend())
encryptor = cipher.encryptor()
ciphertext = encryptor.update(bytes([b - 48 % 255 for b in message
])) + encryptor.finalize()
return {"IV": IV, "Ciphertext": ciphertext}
def verify_finish(config: Config, context: dict, encrypted_data: bytes) -> List[dict]:
"""pair_verify M3 and M4"""
session_key = context.get('session_key')
accessory_curve25519_public_key = context.get('accessory_curve25519_public_key')
ios_device_curve25519_public_key = context.get('ios_device_curve25519_public_key')
if not session_key or not accessory_curve25519_public_key or not ios_device_curve25519_public_key:
return _error(TlvState.m4, TlvError.authentication,
'verify_finished call before successful verify_start')
chacha = ChaCha20Poly1305(session_key)
try:
data = chacha.decrypt(NONCE_VERIFY_M3, encrypted_data, None)
except InvalidTag:
return _error(TlvState.m4, TlvError.authentication, 'invalid auth tag during chacha decryption')
try:
tlv = tlv_parser.decode(data)[0]
except ValueError:
return _error(TlvState.m4, TlvError.authentication, 'unable to decode decrypted tlv data')
ios_device_ltpk = config.get_pairing(tlv[TlvCode.identifier])[1]
if not ios_device_ltpk:
return _error(TlvState.m4, TlvError.authentication,
'unable to find requested ios device in config file')
ios_device_info = ios_device_curve25519_public_key + tlv[TlvCode.identifier].encode() + \
accessory_curve25519_public_key
if not _verify_ed25519(ios_device_ltpk, message=ios_device_info, signature=tlv[TlvCode.signature]):
return _error(TlvState.m4, TlvError.authentication,
'ios_device_info ed25519 signature verification is failed')
context['paired'] = True
context['ios_device_pairing_id'] = tlv[TlvCode.identifier]
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_CONTROL, info=INFO_CONTROL_WRITE, backend=default_backend())
context['decrypt_key'] = hkdf.derive(context['shared_secret'])
hkdf = HKDF(algorithm=SHA512(), length=32, salt=SALT_CONTROL, info=INFO_CONTROL_READ, backend=default_backend())
context['encrypt_key'] = hkdf.derive(context['shared_secret'])
return [{
TlvCode.state: TlvState.m4,
}]
def _kdf_derive(key):
kdf = HKDF(algorithm=hashes.SHA256(),
length=32,
salt=None,
info=None,
backend=default_backend())
return kdf.derive(key.encode('utf-8'))
def hkdf(ikm, salt=b"", info=b""):
hkdf = HKDF(algorithm=hashes.SHA256(),
length=64,
salt=salt,
info=info,
backend=default_backend())
return hkdf.derive(ikm)
def derive_key(self, secret, info):
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=16,
salt=None,
info=info,
)
return hkdf.derive(secret)
def derive_servicex_master_key(password):
# Key length, salt, and info fixed as part of protocol
hkdf = HKDF(algorithm=hashes.SHA256(),
length=32,
salt=b"servicex",
info=b"master jwt",
backend=default_backend())
return hkdf.derive(password)
def hkdf_derive(input: bytes, salt: str, info: str) -> bytes:
hkdf = HKDF(
algorithm=hashes.SHA512(),
length=32,
salt=salt.encode(),
info=info.encode(),
backend=backend,
)
return hkdf.derive(input)
def handshake(self):
backend = default_backend()
infoA = self.username
infoB = InfoBank
hkdfA = HKDF(algorithm=hashes.SHA256(),length=32,salt=None,info=infoA,backend=backend)
hkdfB = HKDF(algorithm=hashes.SHA256(),length=32,salt=None,info=infoB,backend=backend)
q = SPAKE2_B(self.password)
msg_out = q.start()
self.send(msg_out)
msg_in = self.recv() # this is message A->B
key = q.finish(msg_in)
expected_confirm_A = hkdfA.derive(key)
confirm_B = hkdfB.derive(key)
self.send(confirm_B)
confirm_A = self.recv()
assert confirm_A == expected_confirm_A
return key
def ecdh(key, peer_key, file, type, key_length):
hkdf = HKDF(hashes.SHA256(), key_length, None, None, default_backend())
try:
key = hkdf.derive(get_ecdh(key, peer_key, type))
with open(file, 'wb') as fd:
fd.write(key)
print('Shared key was wrote in', file)
except FileNotFoundError as e:
print(e)
def test_derive_short_output(self, backend):
hkdf = HKDF(
hashes.SHA256(),
4,
salt=None,
info=None,
backend=backend
)
assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
def hkdf_derive_test(backend, algorithm, params):
hkdf = HKDF(
algorithm,
int(params["l"]),
salt=binascii.unhexlify(params["salt"]) or None,
info=binascii.unhexlify(params["info"]) or None,
backend=backend
)
okm = hkdf.derive(binascii.unhexlify(params["ikm"]))
assert okm == binascii.unhexlify(params["okm"])
def keygen():
backend = default_backend()
salt = os.urandom(16)
info = b"hkdf-example"
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
info=info,
backend=backend
)
key = hkdf.derive(b"This is the symetric key!")
return key
def test_derive_long_output(self, backend):
vector = load_vectors_from_file(
os.path.join("KDF", "hkdf-generated.txt"), load_nist_vectors
)[0]
hkdf = HKDF(
hashes.SHA256(),
int(vector["l"]),
salt=vector["salt"],
info=vector["info"],
backend=backend
)
ikm = binascii.unhexlify(vector["ikm"])
assert hkdf.derive(ikm) == binascii.unhexlify(vector["okm"])
def derive_key(secret, namespace, size=32):
"""HKDF-derive key material from the given master secret.
This applies standard HKDF with our application-specific defaults, to
produce derived key material of the requested length.
"""
kdf = HKDF(
algorithm=hashes.SHA256(),
length=size,
salt=b"",
info=hkdf_namespace(namespace),
backend=backend
)
return kdf.derive(secret)
def rotateip(ip, salt=None):
"""
rotate ip to another address
if 'salt' is given, the ip will be
* salted with secret
* hashed with SHA-256
* combined to a new IP
otherwise, the ip will be rotated to 0.0.0.0
>>> rotateip("127.0.0.1")
'0.0.0.0'
>>> x = rotateip("127.0.0.1", salt=b"secret")
>>> y = rotateip("127.0.0.1", salt=b"secret2")
>>> x == y
False
"""
def tokenize(a, n):
return map(lambda i: a[i:i+n], range(0, len(a), n))
def xor(t):
x, y = t
return x ^ y
if salt is None:
return "0.0.0.0"
hkdf = HKDF(algorithm=hashes.SHA256(), length=8, salt=salt,
info=b"ip-hashing", backend=default_backend())
hashed = hkdf.derive(ip.encode())
# for some reason, minimum derived key size is 8, so we need to further
# reduce the key
hashed = map(xor, zip(*tokenize(hashed, 4)))
return ".".join(map(str, hashed))
def get_filename_and_key(self, upath, ext=None):
path = upath.encode('utf-8')
nonpath = b"//\x00" # cannot occur in path, which is normalized
# Generate per-file key material via HKDF
info = path
if ext is not None:
info += nonpath + ext
hkdf = HKDF(algorithm=hashes.SHA256(),
length=3*32,
salt=self.salt_hkdf,
info=info,
backend=backend)
data = hkdf.derive(self.key)
# Generate key
key = data[:32]
# Generate filename
h = hmac.HMAC(key=data[32:], algorithm=hashes.SHA512(), backend=backend)
h.update(info)
fn = h.finalize().encode('hex')
return os.path.join(self.path, fn), key
def deriveKey(mode, salt, key=None, dh=None, keyid=None, authSecret=None, padSize=2):
def buildInfo(base, context):
return b"Content-Encoding: " + base + b"\0" + context
def deriveDH(mode, keyid, dh):
def lengthPrefix(key):
return struct.pack("!H", len(key)) + key
if keyid is None:
raise Exception(u"'keyid' is not specified with 'dh'")
if not keyid in keys:
raise Exception(u"'keyid' doesn't identify a key: " + keyid)
if not keyid in labels:
raise Exception(u"'keyid' doesn't identify a key label: " + keyid)
if mode == "encrypt":
senderPubKey = keys[keyid].get_pubkey()
receiverPubKey = dh
elif mode == "decrypt":
senderPubKey = dh
receiverPubKey = keys[keyid].get_pubkey()
else:
raise Exception(u"unknown 'mode' specified: " + mode);
if type(labels[keyid]) == type(u""):
labels[keyid] = labels[keyid].encode("utf-8")
return (keys[keyid].get_ecdh_key(dh),
labels[keyid] + b"\0" +
lengthPrefix(receiverPubKey) + lengthPrefix(senderPubKey))
if salt is None or len(salt) != 16:
raise Exception(u"'salt' must be a 16 octet value")
context = b""
if key is not None:
secret = key
elif dh is not None:
(secret, context) = deriveDH(mode=mode, keyid=keyid, dh=dh)
elif keyid is not None:
secret = keys[keyid]
if secret is None:
raise Exception(u"unable to determine the secret")
if authSecret is not None:
hkdf_auth = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=authSecret,
info=buildInfo(b"auth", b""),
backend=default_backend()
)
secret = hkdf_auth.derive(secret)
if padSize == 2:
keyinfo = buildInfo(b"aesgcm", context)
nonceinfo = buildInfo(b"nonce", context)
elif padSize == 1:
keyinfo = b"Content-Encoding: aesgcm128"
nonceinfo = b"Content-Encoding: nonce"
else:
raise Exception(u"unable to set context for padSize=" + str(padSize))
hkdf_key = HKDF(
algorithm=hashes.SHA256(),
length=16,
salt=salt,
info=keyinfo,
backend=default_backend()
)
hkdf_nonce = HKDF(
algorithm=hashes.SHA256(),
length=12,
salt=salt,
info=nonceinfo,
backend=default_backend()
)
result = (hkdf_key.derive(secret), hkdf_nonce.derive(secret))
return result
def hkdf(secret, extra_secret, info, output_len):
hkdf = HKDF(algorithm=SHA512(), length=output_len, salt=extra_secret, info=info, backend=backend)
derived = hkdf.derive(secret)
assert len(derived) == output_len
return io.BytesIO(derived)
def _hkdf_expand(key, info):
backend = default_backend()
salt = '0' * len(key)
hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=salt, info=info,
backend=backend)
return hkdf.derive(key)
def derive_key(key_material, salt, info):
algorithm = hashes.SHA512()
length = algorithm.digest_size
hkdf = HKDF(algorithm, length, salt, info, backend)
return hkdf.derive(key_material)
