def test_encrypt_decrypt_sym(self):
    """
    Round-trip a short plaintext through encrypt_sym and decrypt_sym.

    The ciphertext must be present, non-empty and different from the
    plaintext, and decrypting it with the same key and the returned iv
    must give the plaintext back. These are sanity checks on the API;
    they say nothing about the strength of the cipher.
    """
    # 32 bytes from os.urandom: a 256-bit key
    secret_key = os.urandom(32)
    iv, cyphertext = crypto.encrypt_sym('data', secret_key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    recovered = crypto.decrypt_sym(cyphertext, secret_key, iv)
    self.assertEqual('data', recovered)
def test_encrypt_decrypt_sym(self):
    """
    Check that decrypt_sym undoes encrypt_sym for the same key and iv.

    The intermediate assertions only confirm that some ciphertext came
    back and that it is not the plaintext itself.
    """
    # generate a 256-bit key from the OS random source
    sym_key = os.urandom(32)
    iv, cyphertext = crypto.encrypt_sym('data', sym_key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    self.assertEqual(
        'data', crypto.decrypt_sym(cyphertext, sym_key, iv))
def test_decrypt_with_wrong_key_fails(self):
    """
    Decrypting with a different key must not give the plaintext back.

    decrypt_sym is called outside any assertRaises, so this test passes
    only when it returns a value for the wrong key; the single check is
    that the value differs from the plaintext. It does not verify that
    a wrong key is detected.
    NOTE(review): if decrypt_sym is unauthenticated, rejecting a bad
    key has to come from a MAC checked by the caller -- confirm.
    """
    good_key = os.urandom(32)  # 256-bit key
    iv, cyphertext = crypto.encrypt_sym('data', good_key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    # draw 256-bit candidates until one differs from the real key, in
    # case we are extremely lucky
    while True:
        bad_key = os.urandom(32)
        if bad_key != good_key:
            break
    recovered = crypto.decrypt_sym(cyphertext, bad_key, iv)
    self.assertNotEqual('data', recovered)
def test_decrypt_with_wrong_key_fails(self):
    """
    Ensure a second, different key does not recover the plaintext.

    The test expects decrypt_sym to return normally and compares the
    result with the plaintext; it does not expect an exception, so it
    does not cover detection of a wrong key.
    NOTE(review): confirm that integrity is enforced elsewhere (for
    example by a MAC over iv and ciphertext) before relying on this.
    """
    right_key = os.urandom(32)
    iv, cyphertext = crypto.encrypt_sym('data', right_key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    # keep drawing 256-bit keys until we hold one that is not the
    # encryption key (a collision is only a theoretical possibility)
    while True:
        other_key = os.urandom(32)
        if other_key != right_key:
            break
    self.assertNotEqual(
        'data', crypto.decrypt_sym(cyphertext, other_key, iv))
def test_decrypt_with_wrong_iv_fails(self):
    """
    Decrypting with an altered iv must not give the plaintext back.

    The iv returned by encrypt_sym is treated as base64 text here: it
    is decoded, its first byte is replaced, and it is re-encoded before
    being passed to decrypt_sym. As with the wrong-key case, the test
    expects a return value rather than an exception.
    """
    key = os.urandom(32)
    iv, cyphertext = crypto.encrypt_sym('data', key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    # get a different iv by changing the first byte; retry when the
    # random byte happens to equal the original one
    original_iv = binascii.a2b_base64(iv)
    tail = original_iv[1:]
    while True:
        tampered_iv = os.urandom(1) + tail
        if tampered_iv != original_iv:
            break
    recovered = crypto.decrypt_sym(
        cyphertext, key, iv=binascii.b2a_base64(tampered_iv))
    self.assertNotEqual('data', recovered)
def test_decrypt_with_wrong_iv_fails(self):
    """
    Ensure a modified iv does not recover the plaintext.

    Only the first byte of the decoded iv is changed; the remaining
    bytes are kept. The check is that the decrypted value differs from
    the plaintext, not that decrypt_sym reports an error.
    """
    key = os.urandom(32)
    iv, cyphertext = crypto.encrypt_sym('data', key)
    self.assertIsNotNone(cyphertext)
    self.assertNotEqual(cyphertext, '')
    self.assertNotEqual(cyphertext, 'data')
    # decode the base64 iv, then swap in a random first byte until the
    # result is no longer equal to the original iv
    raw_iv = binascii.a2b_base64(iv)
    rest = raw_iv[1:]
    while True:
        changed_iv = os.urandom(1) + rest
        if changed_iv != raw_iv:
            break
    encoded_iv = binascii.b2a_base64(changed_iv)
    self.assertNotEqual(
        'data', crypto.decrypt_sym(cyphertext, key, iv=encoded_iv))
def _encrypt_storage_secret(self, decrypted_secret):
    """
    Encrypt the storage secret with a key derived from the passphrase.

    An encrypted secret has the following structure:

        {
            '<secret_id>': {
                'kdf': 'scrypt',
                'kdf_salt': '<b64 repr of salt>',
                'kdf_length': <key length>,
                'cipher': 'aes256',
                'length': <secret length>,
                'secret': '<encrypted b64 repr of storage_secret>',
            }
        }

    Only the inner mapping is built here; nothing in this method adds
    the '<secret_id>' level.

    :param decrypted_secret: The decrypted storage secret.
    :type decrypted_secret: str

    :return: The encrypted storage secret.
    :rtype: dict
    """
    # fresh random salt for every call
    kdf_salt = os.urandom(self.SALT_LENGTH)
    # stretch the passphrase into a 256-bit key; only buflen is passed,
    # so the scrypt cost parameters are whatever scrypt.hash defaults
    # to, and they are not recorded in the returned dict
    derived_key = scrypt.hash(
        self._passphrase_as_string(), kdf_salt, buflen=32)
    iv, ciphertext = encrypt_sym(decrypted_secret, derived_key)
    # iv, separator, then the base64 form of the ciphertext
    # NOTE(review): no MAC is computed over iv/ciphertext in this
    # method -- confirm integrity is checked where the secret is loaded
    secret_field = '%s%s%s' % (
        str(iv), self.IV_SEPARATOR, binascii.b2a_base64(ciphertext))
    # leap.soledad.crypto submodule uses AES256 for symmetric
    # encryption.
    return {
        self.KDF_KEY: self.KDF_SCRYPT,
        self.KDF_SALT_KEY: binascii.b2a_base64(kdf_salt),
        self.KDF_LENGTH_KEY: len(derived_key),
        self.CIPHER_KEY: self.CIPHER_AES256,
        # the plaintext length is stored unencrypted
        self.LENGTH_KEY: len(decrypted_secret),
        self.SECRET_KEY: secret_field,
    }
def _encrypt_storage_secret(self, decrypted_secret):
    """
    Encrypt the storage secret.

    A key is derived from the passphrase with scrypt and a new random
    salt, and the secret is encrypted with it. An encrypted secret has
    the following structure:

        {
            '<secret_id>': {
                'kdf': 'scrypt',
                'kdf_salt': '<b64 repr of salt>',
                'kdf_length': <key length>,
                'cipher': 'aes256',
                'length': <secret length>,
                'secret': '<encrypted b64 repr of storage_secret>',
            }
        }

    This method returns the inner mapping only; it does not add the
    '<secret_id>' level.

    :param decrypted_secret: The decrypted storage secret.
    :type decrypted_secret: str

    :return: The encrypted storage secret.
    :rtype: dict
    """
    # generate random salt
    salt = os.urandom(self.SALT_LENGTH)
    salt_b64 = binascii.b2a_base64(salt)
    # get a 256-bit key; N, r and p are not passed, so the library
    # defaults apply and are not stored next to the salt
    passphrase = self._passphrase_as_string()
    key = scrypt.hash(passphrase, salt, buflen=32)
    iv, ciphertext = encrypt_sym(decrypted_secret, key)
    ciphertext_b64 = binascii.b2a_base64(ciphertext)
    # NOTE(review): the result carries no authentication tag from this
    # method; verify that tampering is detected on the loading path
    encrypted_secret_dict = {}
    # leap.soledad.crypto submodule uses AES256 for symmetric
    # encryption.
    encrypted_secret_dict[self.KDF_KEY] = self.KDF_SCRYPT
    encrypted_secret_dict[self.KDF_SALT_KEY] = salt_b64
    encrypted_secret_dict[self.KDF_LENGTH_KEY] = len(key)
    encrypted_secret_dict[self.CIPHER_KEY] = self.CIPHER_AES256
    # length of the plaintext secret, kept in clear
    encrypted_secret_dict[self.LENGTH_KEY] = len(decrypted_secret)
    encrypted_secret_dict[self.SECRET_KEY] = '%s%s%s' % (
        str(iv), self.IV_SEPARATOR, ciphertext_b64)
    return encrypted_secret_dict
def encrypt(self, content):
    """
    Encrypt content under the master key and prepend a MAC.

    :param content: The data to encrypt.

    :return: The mac, the iv and the ciphertext joined in that order,
             with no separator between them.
    """
    iv, ciphertext = encrypt_sym(content, self.masterkey)
    # the MAC is generated after encryption; gen_mac is given both the
    # iv and the ciphertext
    tag = self.gen_mac(iv, ciphertext)
    # NOTE(review): the fields are joined without delimiters, so the
    # reader must know the mac and iv lengths to split them, and should
    # check the mac before decrypting -- confirm on the decrypt side
    pieces = (tag, iv, ciphertext)
    return ''.join(pieces)
def encrypt(self, content):
    """
    Return mac + iv + ciphertext for content.

    The content is encrypted with self.masterkey, then gen_mac is
    called with the resulting iv and ciphertext, and the three values
    are concatenated with the mac first.

    :param content: The data to encrypt.

    :return: The concatenation of mac, iv and ciphertext.
    """
    iv, ciphertext = encrypt_sym(content, self.masterkey)
    # NOTE(review): which key gen_mac uses is not visible here; verify
    # it is not the encryption key reused as-is
    return ''.join((self.gen_mac(iv, ciphertext), iv, ciphertext))
def test_raw_decrypt(benchmark, payload):
    """
    Benchmark decrypt_sym on a ciphertext built from payload(size).

    The key and the ciphertext are prepared once; only the decrypt_sym
    call is handed to the benchmark callable. `size` is not defined in
    this function and is presumably taken from an enclosing scope.
    """
    # payload(32) stands in for a 256-bit key; it is benchmark input
    # and whether it is random is not visible from here
    bench_key = payload(32)
    plaintext = payload(size)
    iv, ciphertext = encrypt_sym(plaintext, bench_key)
    benchmark(decrypt_sym, ciphertext, bench_key, iv)
def encrypt(self, content):
    """
    Encrypt content with XSALSA20 under the master key and prepend a MAC.

    :param content: The data to encrypt.

    :return: The mac, the iv and the ciphertext joined in that order,
             with no separator between them.
    """
    # the encryption method is passed explicitly as the third argument
    iv, ciphertext = encrypt_sym(
        content, self.masterkey, EncryptionMethods.XSALSA20)
    # gen_mac receives both the iv and the ciphertext, after encryption
    tag = self.gen_mac(iv, ciphertext)
    # NOTE(review): the chosen method is not part of the output, so the
    # decrypt side must already know it -- confirm; the mac should be
    # checked before any decryption is attempted
    pieces = (tag, iv, ciphertext)
    return ''.join(pieces)