def test2(self):
ref = HKDF(b("XXXXXX"), 12, b("YYYY"), SHA1)
# Same output, but this time split over 2 keys
key1, key2 = HKDF(b("XXXXXX"), 6, b("YYYY"), SHA1, 2)
self.assertEqual((ref[:6], ref[6:]), (key1, key2))
# Same output, but this time split over 3 keys
key1, key2, key3 = HKDF(b("XXXXXX"), 4, b("YYYY"), SHA1, 3)
self.assertEqual((ref[:4], ref[4:8], ref[8:]), (key1, key2, key3))
def derive_keys(self):
self.rpik = HKDF(master=self.tek,
key_len=16,
salt=None,
hashmod=SHA256,
context="EN-RPIK".encode("UTF-8"))
log.log("CRYPTO: RPIK: %s" % self.rpik.hex())
self.aemk = HKDF(master=self.tek,
key_len=16,
salt=None,
hashmod=SHA256,
context="EN-AEMK".encode("UTF-8"))
log.log("CRYPTO: AEMK: %s" % self.aemk.hex())
def hap_hkdf(key, salt, info):
"""Just a shorthand."""
return HKDF(key,
HAP_CRYPTO.HKDF_KEYLEN,
salt,
HAP_CRYPTO.HKDF_HASH,
context=info)
def _derive_subkey(self, salt: bytes) -> bytes:
return HKDF(self.master_key,
self.KEY_SIZE,
salt,
SHA1Hash,
1,
context=self.info)
def test1(self):
for tv in self._test_vector:
secret, salt, info, exp = [ t2b(tv[x]) for x in (1,2,3,5) ]
key_len, hashmod = [ tv[x] for x in (4,0) ]
output = HKDF(secret, key_len, salt, hashmod, 1, info)
self.assertEqual(output, exp)
def __init__(self, tek: TEK):
self.key = HKDF(
tek.key,
16, # 16 byte key
b'',
SHA256,
num_keys=1,
context=('EN-RPIK').encode())
self.tek = tek
self.cipher = AES.new(self.key, AES.MODE_ECB)
def getKeys(node, kB):
# derive syncKeyBundle from kB
enc_key, hmac_key = HKDF(kB, 32, None, SHA256, 2,
"identity.mozilla.com/picl/v1/oldsync")
#print(enc_key.encode('hex'), hmac_key.encode('hex'))
keys = getRecord(node, (enc_key, hmac_key), "/storage/crypto/keys")
print "storage/crypto/keys: ", keys
return (keys['default'][0].decode('base64'),
keys['default'][1].decode('base64'))
def test_verify(self, tv):
self._id = "Wycheproof HKDF Test #%d (%s, %s)" % (tv.id, tv.comment, tv.filename)
try:
key = HKDF(tv.ikm, tv.size, tv.salt, tv.hash_module, 1, tv.info)
except ValueError:
assert not tv.valid
else:
if key != tv.okm:
assert not tv.valid
else:
assert tv.valid
self.warn(tv)
def _keys(self, salt, password):
if password is not None:
dkey = PBKDF2(
password, salt, self._key_len + self._mac_key_len,
self.key_iterations, hmac_hash_module=SHA512
)
elif self._master_key is not None:
dkey = HKDF(
self._master_key, self._key_len + self._mac_key_len,
salt, SHA256
)
else:
raise ValueError('No password or key specified!')
return (dkey[:self._key_len], dkey[self._key_len:])
def _keys(self, salt, password):
'''
Derives encryption and authentication keys from a key or password.
If the password is not null, it will be used to create the keys.
:raises ValueError: if neither the key or password is set.
'''
if password is not None:
dkey = PBKDF2(password,
salt,
self._key_len + self._mac_key_len,
self.key_iterations,
hmac_hash_module=SHA512)
elif self._master_key is not None:
dkey = HKDF(self._master_key, self._key_len + self._mac_key_len,
salt, SHA256)
else:
raise ValueError('No password or key specified!')
return (dkey[:self._key_len], dkey[self._key_len:])
def test_hdkf(self):
derived = HKDF(b"secret", 32, b"", SHA256).hex()
self.assertEqual(
derived,
"2f34e5ff91ec85d53ca9b543683174d0cf550b60d5f52b24c97b386cfcf6cbbf")
k1 = PrivateKey(secret=bytes([2]))
self.assertEqual(k1.to_int(), 2)
k2 = PrivateKey(secret=bytes([3]))
self.assertEqual(k2.to_int(), 3)
self.assertEqual(encapsulate(k1, k2.public_key),
decapsulate(k1.public_key, k2))
self.assertEqual(
encapsulate(k1, k2.public_key).hex(),
"6f982d63e8590c9d9b5b4c1959ff80315d772edd8f60287c9361d548d5200f82",
)
def decrypt_public_account(self, index):
# on doit deja avoir appele get_info
sym_key = HKDF(
(str(self.key_point.x) + str(self.key_point.y)).encode(), 32, b'',
SHA256)
encrypted_account_eth = self.contract.caller(
).get_encrypted_public_account(index)
e_sk = encrypted_account_eth[0]
tag = encrypted_account_eth[1]
nonce = encrypted_account_eth[2]
aes = AES.new(sym_key, AES.MODE_CCM, nonce=nonce)
try:
self.public_account_private_key = aes.decrypt_and_verify(
e_sk, tag).decode()
self.is_member = True
return True
except ValueError:
return False
def AuthenticationHandshake():
client_challenge = bytes.fromhex(input("client challenge: ").strip())
assert len(client_challenge) == 8
user = input("username: "******"{user} not in database!\n".encode())
return
shared_secret = db[user].encode()
server_challenge = os.urandom(8)
print(f"server challenge: {server_challenge.hex()}")
client_credential = bytes.fromhex(input("client credential: ").strip())
session_key = HKDF(shared_secret, 16, client_challenge + server_challenge,
SHA256)
if ComputeCredential(session_key, client_challenge) == client_credential:
print(f"Welcome {user}")
if user == "Administrator":
print(flag)
else:
print("Login failed!")
def decapsulate(public_key: PublicKey, peer_private_key: PrivateKey) -> bytes:
shared_point = public_key.multiply(peer_private_key.secret)
master = public_key.format(compressed=False) + shared_point.format(
compressed=False)
derived = HKDF(master, AES_KEY_BYTES_LEN, b"", SHA256)
return derived # type: ignore
def generate_keys_hkdf(password, mySalt):
"""reads in salt from secre_build_output.txt and produces two keys"""
key1, key2 = HKDF(password, 16, mySalt, SHA512, 2)
return key1, key2
class ENCrypto:
def __init__(self, interval_length_minutes=10, tek_rolling_period=144):
self.tek = bytes([0] * 16)
self.tek_roll_interval_i = 0
self.rpik = bytes([0] * 16)
self.aemk = bytes([0] * 16)
self.rpi = bytes([0] * 16)
self.aem = bytes([0] * 16)
self.interval_length_minutes = interval_length_minutes
self.tek_rolling_period = tek_rolling_period
@staticmethod
def get_current_unix_epoch_time_seconds():
return int(time.time())
def en_interval_number(self, timestamp_seconds):
return timestamp_seconds // (60 * self.interval_length_minutes)
def get_encoded_current_en_interval_number(self):
return struct.pack(
"<I",
self.en_interval_number(
self.get_current_unix_epoch_time_seconds()))
def tek_should_roll(self):
current_roll_interval = (
self.en_interval_number(self.get_current_unix_epoch_time_seconds())
// self.tek_rolling_period) * self.tek_rolling_period
return current_roll_interval > self.tek_roll_interval_i
def roll_tek(self):
self.tek_roll_interval_i = (
self.en_interval_number(self.get_current_unix_epoch_time_seconds())
// self.tek_rolling_period) * self.tek_rolling_period
self.tek = get_random_bytes(16)
log.log("CRYPTO: Rolled TEK at i: %d (hex %s). New TEK: %s" %
(self.tek_roll_interval_i,
struct.pack("<I",
self.tek_roll_interval_i).hex(), self.tek.hex()))
def derive_keys(self):
self.rpik = HKDF(master=self.tek,
key_len=16,
salt=None,
hashmod=SHA256,
context="EN-RPIK".encode("UTF-8"))
log.log("CRYPTO: RPIK: %s" % self.rpik.hex())
self.aemk = HKDF(master=self.tek,
key_len=16,
salt=None,
hashmod=SHA256,
context="EN-AEMK".encode("UTF-8"))
log.log("CRYPTO: AEMK: %s" % self.aemk.hex())
def encrypt_rpi(self):
enin = self.get_encoded_current_en_interval_number()
padded_data = "EN-RPI".encode("UTF-8") + bytes([0x00] * 6) + enin
cipher = AES.new(self.rpik, AES.MODE_ECB)
self.rpi = cipher.encrypt(padded_data)
log.log("CRYPTO: padded data: %s --> RPI: %s" %
(padded_data.hex(), self.rpi.hex()))
def encrypt_aem(self, metadata, rpi):
cipher = AES.new(self.aemk,
AES.MODE_CTR,
nonce=bytes(0),
initial_value=rpi)
self.aem = cipher.encrypt(bytes(metadata))
log.log("CRYPTO: metadata: %s --> AEM: %s" %
(bytes(metadata).hex(), self.aem.hex()))
def kdf(secret, salt, info=b''):
return HKDF(secret, 32, salt, SHA512, 1, context=info)
def kdf_ntor(key, n):
return HKDF(key, n, T_KEY, SHA256, context=M_EXPAND)
def process(self, data):
from Crypto.Protocol.KDF import HKDF
return HKDF(data, self.args.size, self.args.salt, self.hash)
def encrypt_int(x, key_point):
sym_key = HKDF((str(key_point.x) + str(key_point.y)).encode(), 32, b'',
SHA256)
salsa20 = Salsa20.new(sym_key, bytes(8))
enc_x = salsa20.encrypt(hex(x).encode())
return enc_x
def derive_aem_key(tek):
return HKDF(master=tek,
key_len=16,
salt=None,
hashmod=SHA256,
context="EN-AEMK".encode("UTF-8"))
def decrypt_int(x, key_point):
sym_key = HKDF((str(key_point.x) + str(key_point.y)).encode(), 32, b'',
SHA256)
salsa20 = Salsa20.new(sym_key, bytes(8))
dec_x = int(salsa20.decrypt(x).decode(), 0)
return dec_x
def derive_key(key: bytes, salt: bytes) -> bytes:
'Derives a symmetric key from given master and salt.'
return HKDF(key, AES_KEY_SIZE, salt, SHA512)
pk_x = ECC_key.pointQ.x
pk_y = ECC_key.pointQ.y
db.execute(
"INSERT INTO eth_public_key (account_address, pk_x, pk_y) VALUES (?,?,?)",
[account_address, hex(pk_x), hex(pk_y)])
# retrieving of a list of public keys
address = [
account_address,
]
placeholders = ', '.join('?' for account in address)
public_keys = db.execute(
"SELECT * from eth_public_key WHERE account_address IN (%s)" %
placeholders, address).fetchall()
# ciphering of public account
public_account_private_key = '0x0d1f7c294e32490c48eaf6e9bbcc24380227334624bfad2f79736116a5408103'
cipher_account_list = []
for row in public_keys:
pk_x = int(row['pk_x'], 0)
pk_y = int(row['pk_y'], 0)
key_point = ECC.EccPoint(pk_x, pk_y) * int(public_account_private_key, 0)
sym_key = HKDF((str(key_point.x) + str(key_point.y)).encode(), 32, b'',
SHA256)
aes = AES.new(sym_key, AES.MODE_CCM)
nonce = aes.nonce
enc_private_key = aes.encrypt(public_account_private_key.encode())
tag = aes.digest()
encryption = {'private_key': enc_private_key, 'tag': tag, 'nonce': nonce}
cipher_account_list.append(encryption)
from Crypto.Cipher import AES
from Crypto.Hash import HMAC, SHA256
from Crypto.Protocol.KDF import HKDF
from Crypto.Util.Padding import pad, unpad
import json
# testcases from https://mozilla-services.readthedocs.io/en/latest/sync/storageformat5.html#record-encryption
master_key = "\xc7\x1a\xa7\xcb\xd8\xb8\x2a\x8f\xf6\xed\xa5\x5c\x39\x47\x9f\xd2"
key1, key2 = HKDF(master_key, 32, None, SHA256, 2,
"identity.mozilla.com/picl/v1/oldsync")
print(key1.encode('hex'), key2.encode('hex'))
encryption_key = "d3af449d2dc4b432b8cb5b59d40c8a5fe53b584b16469f5b44828b756ffb6a81".decode(
'hex')
hmac_key = "2c5d98092d500a048d09fd01090bd0d3a4861fc8ea2438bd74a8f43be6f47f02".decode(
'hex')
cleartext = "SECRET MESSAGE\x02\x02" # okcs #7 padding
iv = "375a12d6de4ef26b735f6fccfbafff2d".decode('hex')
aes = AES.new(encryption_key, AES.MODE_CBC, iv)
c = "c1c82acc436de625edf7feca3c9deb4c".decode('hex')
cn = aes.encrypt(cleartext)
assert cn == c
aes = AES.new(encryption_key, AES.MODE_CBC, iv)
print(aes.decrypt(c).encode('hex'))
cb64 = c.encode('base64').strip()
print(cb64)
local_hash = HMAC.new(hmac_key, digestmod=SHA256)
local_hash.update(cb64)
def _aes_128_gcm(self):
key_bytes = HKDF(self.key_material, 16, b'', SHA256)
return AES.new(key_bytes, AES.MODE_GCM, nonce=bytes(12))
