def decrypt_data(): aes_cipher = AESCipher(client.secret_key) encrypted_uri = self.handler.request.headers.get( 'X-Api-Encrypted-Uri') if encrypted_uri: request.uri = aes_cipher.decrypt(utf8(encrypted_uri)) logger.debug('decrypted uri %s' % request.uri) encrypted_headers = self.handler.request.headers.get( 'X-Api-Encrypted-Headers') if encrypted_headers: headers_str = aes_cipher.decrypt(utf8(encrypted_headers)) headers = dict(json.loads(headers_str)) logger.debug('raw headers %s' % request.headers) for k, v in headers.iteritems(): # 要全部使用 text_type,否则会出现有的为 str,有的为 unicode # 导致422错误 request.headers[text_type(k)] = text_type(v) logger.debug('decrypted headers %s' % request.headers) if request.body and len(request.body) > 0: logger.debug('解密 body') logger.debug(request.body) request.body = aes_cipher.decrypt(utf8(request.body))
def openWallet(): name = input('Wallet Name ("[new]" to create wallet): ') if name != '[new]': if not os.path.isfile('wallets/' + name + '.privkey'): print(color.E('\nWallet not found!\n')) openWallet() phrase = getpass.getpass('Passphrase: ') wallet = Wallet(name, phrase) wallet.getKey() if wallet.key: print(color.I('\nOpened wallet ' + wallet.name + '\n')) print('\nType "help" to view commands\n') walletPrompt(wallet) else: openWallet() else: name = input('New wallet name: ') phrase = getpass.getpass('New passphrase for wallet: ') if not os.path.isfile('wallets/' + name + '.privkey'): newkey = RSA.generate(3072) privkey = newkey.exportKey().decode('utf-8') with open('wallets/' + name + '.privkey', 'a') as privf: enc = AESCipher(phrase) encKey = enc.encrypt(privkey) privf.write(str(encKey)) print(color.I('Wallet created successfully!\n')) openWallet() else: print('Wallet with name "' + name + '" already exists!') openWallet()
def encrypt_data(body): # 如果请求的使用 AES 加密,则加密返回的数据 logger.debug('使用 AES 加密 body') aes_cipher = AESCipher(client.secret_key) body = aes_cipher.encrypt(utf8(body)) # 更新为加密后的数据 self.handler.clear_write_buffer() self.handler.write(body) self.handler.set_header('X-Api-Encrypt-Type', 'aes')
def getKey(self, cmd=False): if os.path.isfile('wallets/' + self.name + '.privkey'): with open('wallets/' + self.name + '.privkey', 'r', encoding='utf-8') as key: encKey = key.read() enc = AESCipher(self.phrase) try: self.key = enc.decrypt(encKey) except UnicodeDecodeError: print(color.E('\nIncorrect passphrase for wallet!\n')) else: self.key = False print(color.E('\nWallet not found!\n'))
def decrypt_data(self, body): try: aes_cipher = AESCipher(self.secret_key) if body and len(body) > 0: logger.debug('解密 body') logger.debug(body.encode('hex')) body = aes_cipher.decrypt(utf8(body)) # logger.debug(body.decode('hex')) except Exception as e: logger.error('解密数据出错') logger.error(e) logger.error(traceback.format_exc()) return None return body
def __init__(self, initiator): self.initiator = initiator self.main_pw = self.initiator.main_pw # control characters self.split_char = chr(27) + chr(28) + "%X" % struct.unpack( 'B', self.main_pw[-2:-1])[0] + "%X" % struct.unpack( 'B', self.main_pw[-3:-2])[0] + chr(31) self.client_pub = self.initiator.client_pub self.session_pw = urandom(16) self.cipher = AESCipher(self.session_pw, self.main_pw) self.authenticated = False self.buffer = "" self.latency = 10000 self.i = initiator.register() self.idchar = (str(self.i) if 10 <= self.i <= 99 else '0' + str(self.i)) self.cronjob = None self.cancel_job = None
def callback(message): logging.info("********** Start PubsubMessage ") message.ack() logging.info('Received message ID: {}'.format(message.message_id)) logging.info('Received message publish_time: {}'.format( message.publish_time)) if args.mode == 'decrypt': try: ac = AESCipher(key) logging.info("Loaded Key: " + ac.printKeyInfo()) decrypted_data = ac.decrypt(message.data, associated_data='') logging.info('Decrypted data ' + decrypted_data) logging.info("ACK message") message.ack() except Exception as e: logging.info("Unable to decrypt message; NACK pubsub message " + str(e)) message.nack() logging.info("End AES decryption") if args.mode == 'verify': try: logging.info("Starting HMAC") hmac = message.attributes.get('signature') hh = HMACFunctions(key) logging.info("Loaded Key: " + hh.printKeyInfo()) logging.info("Verify message: " + str(message.data)) logging.info(' With HMAC: ' + str(hmac)) hashed = hh.hash(message.data) if (hh.verify(message.data, base64.b64decode(hashed))): logging.info("Message authenticity verified") message.ack() else: logging.error("Unable to verify message") message.nack() except Exception as e: logging.info("Unable to verify message; NACK pubsub message " + str(e)) message.nack() logging.info("********** End PubsubMessage ")
def getcipher(Sessionid): Password = memcache.get(Sessionid + ".Password") IV = memcache.get(Sessionid + ".IV") if Password is None or IV is None: q = Endpoint.query(Endpoint.Sessionid == Sessionid) for rec in q.fetch(1): # logging.warning("Found") Password = str(rec.Password) IV = rec.IV memcache.add(Sessionid + ".Password", Password, 1800) memcache.add(Sessionid + ".IV", IV, 1800) #print("PASSWORD IS" + repr(Password)) #print("IV IS" + repr(IV)) try: cipher = AESCipher(Password, IV) return cipher except Exception: logging.warning("Not Found") return None
def encrypt_data(self): aes_cipher = AESCipher(self.secret_key) headers_str = json_util.dumps(self.request_data.headers) # 加密 Headers 和 url self.request_data.headers = { 'Content-Type': 'application/octet-stream', 'X-Api-Encrypted-Headers': aes_cipher.encrypt(utf8(headers_str)), 'X-Api-Encrypted-Uri': aes_cipher.encrypt(utf8(self.request_data.uri)) } self.request_data.uri = '/?_t=%d&_nonce=%s' % \ (int(time.time()), text_type(random.random())) # 设置一个新的 url url = self.api_server.strip() + self.request_data.uri if self.request_data.body is not None and len( self.request_data.body) > 0: self.request_data.body = aes_cipher.encrypt( utf8(self.request_data.body)) logger.debug(self.request_data.body) return url
def callback(message): logging.info("********** Start PubsubMessage ") logging.info('Received message ID: {}'.format(message.message_id)) logging.info('Received message publish_time: {}'.format( message.publish_time)) if args.mode == "verify": try: key_id = message.attributes['key_id'] service_account = message.attributes['service_account'] signature = message.attributes['signature'] m = hashlib.sha256() m.update(message.data) data_to_verify = m.digest() logging.info("Attempting to verify message: " + str(message.data)) logging.info("data_to_verify " + base64.b64encode(data_to_verify).decode('utf-8')) logging.info("Verify message with signature: " + str(signature)) logging.info(" Using service_account/key_id: " + service_account + " " + key_id) cert_url = 'https://www.googleapis.com/service_accounts/v1/metadata/x509/' + service_account r = requests.get(cert_url) pem = r.json().get(key_id) v = crypt.RSAVerifier.from_string(pem) if v.verify(data_to_verify, base64.b64decode(signature)): logging.info("Message integrity verified") message.ack() else: logging.info("Unable to verify message") message.nack() logging.info("********** End PubsubMessage ") except Exception as e: logging.info("Unable to verify message; NACK pubsub message " + str(e)) message.nack() if args.mode == "decrypt": try: key_id = message.attributes['key_id'] msg_service_account = message.attributes['service_account'] logging.info("Attempting to decrypt message: " + str(message.data)) logging.info(" Using service_account/key_id: " + msg_service_account + " " + key_id) if args.cert_service_account == None: logging.error( "********** cert_service_account must be specified to decrypt " ) message.nack() sys.exit() credentials = Credentials.from_service_account_file( args.cert_service_account) key_key_id = credentials._signer._key_id key_service_account_email = credentials.service_account_email if (msg_service_account != key_service_account_email): logging.info( "Service Account specified in command line does not match message payload service account" ) logging.info(msg_service_account + " --- " + args.cert_service_account) message.nack() return else: private_key = credentials._signer._key rs = RSACipher(private_key=private_key) try: logging.debug( 'Received message attributes["dek_wrapped"]: {}'. format(message.attributes['dek_wrapped'])) dek_wrapped = message.attributes['dek_wrapped'] logging.info('Wrapped DEK ' + dek_wrapped) dek_cleartext = rs.decrypt(dek_wrapped) logging.info('Decrypted DEK ' + dek_cleartext) dek = AESCipher(encoded_key=dek_cleartext) logging.info(dek.printKeyInfo()) plaintext = dek.decrypt(message.data, associated_data="") except ValueError: logging.error( "dek_wrapped not sent, attempting to decrypt with svc account rsa key" ) plaintext = rs.decrypt(message.data) except Exception as e: logging.error("Error Decrypting payload " + str(e)) message.nack() return logging.info("Decrypted Message payload: " + plaintext) message.ack() except Exception as e: logging.info("Unable to decrypt message; NACK pubsub message " + str(e)) message.nack() logging.info("********** End PubsubMessage ")
cleartext_message = { "data": "foo".encode(), "attributes": { 'epoch_time': int(time.time()), 'a': "aaa", 'c': "ccc", 'b': "bbb" } } # cleartext_message = canonicaljson.encode_canonical_json(cleartext_message) # logging.info("Canonical JSON message " + cleartext_message.decode('utf-8')) if args.mode == 'encrypt': logging.info("Starting AES encryption") ac = AESCipher(key) logging.info("Loaded Key: " + ac.printKeyInfo()) msg = ac.encrypt(json.dumps(cleartext_message).encode('utf-8'), associated_data='') logging.info("End AES encryption") logging.info("Start PubSub Publish") resp = publisher.publish(topic_name, data=msg.encode('utf-8')) logging.info("Published Message: " + str(msg)) logging.info("Published MessageID: " + resp.result()) logging.info("End PubSub Publish") if args.mode == 'sign': logging.info("Starting signature") hh = HMACFunctions(key) logging.info("Loaded Key: " + hh.printKeyInfo()) msg_hash = hh.hash(json.dumps(cleartext_message).encode('utf-8'))
if args.mode == "encrypt": logging.info( ">>>>>>>>>>> Start Encryption with locally generated key. <<<<<<<<<<<" ) ## Send pubsub messages using two different symmetric keys ## Note, i'm not using the expiringdict here...i'm just picking a DEK, sending N messages using it ## then picking another DEK and sending N messages with that one. ## The subscriber will use a cache of DEK values. If it detects a DEK in the metadata that doesn't ## match whats in its cache, it will use KMS to try to decode it and then keep it in its cache. for x in range(5): logging.info("Rotating symmetric key") # create a new TINK AES DEK and encrypt it with KMS. # (i.,e an encrypted tink keyset) cc = AESCipher(encoded_key=None) dek = cc.getKey() logging.info(cc.printKeyInfo()) logging.debug("Generated dek: " + dek) logging.info("Starting KMS encryption API call") encrypt_response = kms_client.encrypt( request={ 'name': name, 'plaintext': dek.encode('utf-8'), 'additional_authenticated_data': tenantID.encode('utf-8') }) dek_encrypted = base64.b64encode( encrypt_response.ciphertext).decode('utf-8')
def client_disconect(self): self.client.disconnect() return if __name__ == '__main__': parser = argparse.ArgumentParser(description='Poc of BEAST attack') parser.add_argument('host', help='hostname or IP address "localhost"') parser.add_argument('port', type=int, help='TCP port number') parser.add_argument('-v', "--verbose", help='debug mode, you need a large screen', action="store_true") args = parser.parse_args() if args.verbose: logging.basicConfig(level=logging.DEBUG) # this key is unsecure but we doesn't care for the Poc cbc = AESCipher('V38lKILOJmtpQMHp') server = Server(args.host, args.port) client = Client(args.host, args.port+1, cbc) spy = Proxy(args.host, args.port+1) exploit = BEAST(client, cbc) server.connection() spy.connection() exploit.run() spy.disconnect() server.disconnect()
def callback(message): if (args.mode == "verify"): try: logging.info("********** Start PubsubMessage ") logging.info('Received message ID: {}'.format(message.message_id)) logging.info('Received message publish_time: {}'.format( message.publish_time)) logging.info('Received message attributes["kms_key"]: {}'.format( message.attributes['kms_key'])) logging.debug( 'Received message attributes["sign_key_wrapped"]: {}'.format( message.attributes['sign_key_wrapped'])) logging.info('Received message attributes["signature"]: {}'.format( message.attributes['signature'])) signature = message.attributes['signature'] name = message.attributes['kms_key'] sign_key_wrapped = message.attributes['sign_key_wrapped'] try: unwrapped_key = cache[sign_key_wrapped] logging.info("Using Cached DEK") except KeyError: logging.info( ">>>>>>>>>>>>>>>> Starting KMS decryption API call") decrypted_message = kms_client.decrypt( request={ 'name': name, 'ciphertext': base64.b64decode(sign_key_wrapped.encode('utf-8')), 'additional_authenticated_data': tenantID.encode('utf-8') }) logging.info("Decrypted HMAC " + decrypted_message.plaintext.decode('utf-8')) unwrapped_key = HMACFunctions( encoded_key=decrypted_message.plaintext) logging.info(unwrapped_key.printKeyInfo()) cache[sign_key_wrapped] = unwrapped_key logging.info("End KMS decryption API call") logging.debug("Verify message: " + message.data.decode('utf-8')) logging.debug(' With HMAC: ' + signature) sig = unwrapped_key.hash(message.data) if (unwrapped_key.verify(message.data, base64.b64decode(sig))): logging.info("Message authenticity verified") message.ack() else: logging.error("Unable to verify message") message.nack() logging.debug("********** End PubsubMessage ") except Exception as e: logging.info("Unable to decrypt message; NACK pubsub message " + str(e)) message.nack() if (args.mode == "decrypt"): try: logging.info("********** Start PubsubMessage ") logging.info('Received message ID: {}'.format(message.message_id)) logging.info('Received message publish_time: {}'.format( message.publish_time)) logging.info('Received message attributes["kms_key"]: {}'.format( message.attributes['kms_key'])) logging.info( 'Received message attributes["dek_wrapped"]: {}'.format( message.attributes['dek_wrapped'])) dek_wrapped = message.attributes['dek_wrapped'] name = message.attributes['kms_key'] try: dek = cache[dek_wrapped] logging.info("Using Cached DEK") except KeyError: logging.info( ">>>>>>>>>>>>>>>> Starting KMS decryption API call") decrypted_message = kms_client.decrypt( request={ 'name': name, 'ciphertext': base64.b64decode( dek_wrapped.encode('utf-8')), 'additional_authenticated_data': tenantID.encode( 'utf-8') }) logging.info("Decrypted DEK " + decrypted_message.plaintext.decode('utf-8')) dek = AESCipher(encoded_key=decrypted_message.plaintext) logging.info(dek.printKeyInfo()) cache[dek_wrapped] = dek logging.debug("Starting AES decryption") decrypted_data = dek.decrypt(message.data, associated_data=tenantID) logging.debug("End AES decryption") logging.info('Decrypted data ' + decrypted_data) message.ack() logging.debug("ACK message") logging.info("********** End PubsubMessage ") except Exception as e: logging.info("Unable to decrypt message; NACK pubsub message " + str(e)) message.nack()
def __desencripta(self, dato): return AESCipher(self.__salt).decrypt(dato)
def callback(message): if (args.mode == "verify"): logging.info("********** Start PubsubMessage ") logging.info('Received message ID: {}'.format(message.message_id)) logging.info('Received message publish_time: {}'.format( message.publish_time)) logging.info('Received message attributes["kms_key"]: {}'.format( message.attributes['kms_key'])) logging.info( 'Received message attributes["sign_key_wrapped"]: {}'.format( message.attributes['sign_key_wrapped'])) logging.info('Received message attributes["signature"]: {}'.format( message.attributes['signature'])) signature = message.attributes['signature'] name = message.attributes['kms_key'] sign_key_wrapped = message.attributes['sign_key_wrapped'] try: unwrapped_key = cache[sign_key_wrapped] except KeyError: logging.info("Starting KMS decryption API call") name = message.attributes['kms_key'] unwrapped_key_struct = kms_client.decrypt( name=name, ciphertext=base64.b64decode( message.attributes['sign_key_wrapped']), additional_authenticated_data=tenantID.encode('utf-8')) unwrapped_key = unwrapped_key_struct.plaintext logging.info("End KMS decryption API call") logging.debug("Verify message: " + message.data.decode('utf-8')) logging.debug(' With HMAC: ' + signature) logging.debug(' With unwrapped key: ' + base64.b64encode(unwrapped_key).decode('utf-8')) cache[sign_key_wrapped] = unwrapped_key hh = HMACFunctions(unwrapped_key) sig = hh.hash(message.data) if (hh.verify(message.data, base64.b64decode(sig))): logging.info("Message authenticity verified") message.ack() else: logging.error("Unable to verify message") message.nack() logging.debug("********** End PubsubMessage ") if (args.mode == "decrypt"): logging.info("********** Start PubsubMessage ") logging.info('Received message ID: {}'.format(message.message_id)) logging.debug('Received message publish_time: {}'.format( message.publish_time)) logging.debug('Received message attributes["kms_key"]: {}'.format( message.attributes['kms_key'])) logging.debug('Received message attributes["dek_wrapped"]: {}'.format( message.attributes['dek_wrapped'])) dek_wrapped = message.attributes['dek_wrapped'] name = message.attributes['kms_key'] try: dek = cache[dek_wrapped] except KeyError: logging.info("Starting KMS decryption API call") name = message.attributes['kms_key'] unwrapped_key_struct = kms_client.decrypt( name=name, ciphertext=base64.b64decode(dek_wrapped), additional_authenticated_data=tenantID.encode('utf-8')) dek = unwrapped_key_struct.plaintext logging.info("End KMS decryption API call") logging.info('Received aes_encryption_key : {}'.format( base64.b64encode(dek).decode('utf-8'))) cache[dek_wrapped] = dek logging.debug("Starting AES decryption") ac = AESCipher(dek) decrypted_data = ac.decrypt(message.data, associated_data="") logging.debug("End AES decryption") logging.info('Decrypted data ' + decrypted_data) message.ack() logging.debug("ACK message") logging.info("********** End PubsubMessage ")