diff --git a/monkey/monkey_island/cc/server_utils/encryption/data_store_encryptor.py b/monkey/monkey_island/cc/server_utils/encryption/data_store_encryptor.py
index bdcfb97d4..f2b989816 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/data_store_encryptor.py
+++ b/monkey/monkey_island/cc/server_utils/encryption/data_store_encryptor.py
@@ -12,15 +12,15 @@ _encryptor = None
 class DataStoreEncryptor:
 _BLOCK_SIZE = 32
- _PASSWORD_FILENAME = "mongo_key.bin"
+ _KEY_FILENAME = "mongo_key.bin"
- def __init__(self, password_file_dir):
- password_file = os.path.join(password_file_dir, self._PASSWORD_FILENAME)
+ def __init__(self, key_file_dir):
+ key_file = os.path.join(key_file_dir, self._KEY_FILENAME)
- if os.path.exists(password_file):
- self._load_existing_key(password_file)
+ if os.path.exists(key_file):
+ self._load_existing_key(key_file)
 else:
- self._init_key(password_file)
+ self._init_key(key_file)
 self._key_base_encryptor = KeyBasedEncryptor(self._cipher_key)
@@ -29,8 +29,8 @@ class DataStoreEncryptor:
 with open_new_securely_permissioned_file(password_file_path, "wb") as f:
 f.write(self._cipher_key)
- def _load_existing_key(self, password_file):
- with open(password_file, "rb") as f:
+ def _load_existing_key(self, key_file):
+ with open(key_file, "rb") as f:
 self._cipher_key = f.read()
 def enc(self, message: str):
@@ -40,10 +40,10 @@ class DataStoreEncryptor:
 return self._key_base_encryptor.decrypt(enc_message)
-def initialize_encryptor(password_file_dir):
+def initialize_encryptor(key_file_dir):
 global _encryptor
- _encryptor = DataStoreEncryptor(password_file_dir)
+ _encryptor = DataStoreEncryptor(key_file_dir)
 def get_encryptor():
diff --git a/monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py b/monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py
index 49f67a34b..0331c7e70 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py
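Review bot: The password-to-key rename in `__init__` stops short of `_init_key`, whose parameter is still named `password_file_path` (visible as context in the next hunk), so the class now uses both names for the same file. Its signature sits outside this hunk; the consistent form is `def _init_key(self, key_file_path):` with the `open_new_securely_permissioned_file(key_file_path, "wb")` call updated to match. The constructor also has no docstring saying that the key file is reused when present and generated with restricted permissions otherwise; a one-line `"""Load the data-store key from key_file_dir, creating a new key file if none exists."""` would make that contract explicit.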
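Review bot: `_load_existing_key` accepts whatever bytes are in the file, so an empty or truncated key file (for example left behind by an interrupted `_init_key` write) becomes `self._cipher_key` and only fails later inside `KeyBasedEncryptor`, far from the cause. A guard right after the read, `if not self._cipher_key: raise ValueError(f"key file {key_file} is empty")`, reports the problem at the source; if the key has a fixed length (its generation is outside this hunk), comparing against that length is stronger still. Note also that the load path trusts an existing file's permissions while the create path uses `open_new_securely_permissioned_file`; a comment stating that existing files are used as-is would document that asymmetry.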
+++ b/monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py
@@ -10,6 +10,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
 logger = logging.getLogger(__name__)
+# KBE is an encryption method which use random key of specific length
+# and AES block cipher to encrypt/decrypt the data. The key is more complex
+# one and hard to remember than user provided one. This class provides more secure way of
+# encryption compared to PBE because of the random and complex key.
+# We can merge the two into the one encryption method but then we lose the entropy
+# of the key with whatever key derivation function we use.
+# Note: password != key
 class KeyBasedEncryptor(IEncryptor):
diff --git a/monkey/monkey_island/cc/server_utils/encryption/password_based_encryption.py b/monkey/monkey_island/cc/server_utils/encryption/password_based_encryption.py
index da4736e16..d699c4e5a 100644
--- a/monkey/monkey_island/cc/server_utils/encryption/password_based_encryption.py
+++ b/monkey/monkey_island/cc/server_utils/encryption/password_based_encryption.py
@@ -8,6 +8,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
 logger = logging.getLogger(__name__)
+# PBE as implemented takes low-entropy, user provided password and it adds some
+# entropy to it and encrypts/decrypts the data. This implementation uses AES256-CBC
+# and it is less secure encryption then KeyBasedEncryptor.
+# The security of it depends on what will the user provide as password.
+# We can merge the two into the one encryption method but then we lose the entropy
+# of the key with whatever key derivation function we use.
+# Note: password != key
 class PasswordBasedEncryptor(IEncryptor):
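Review bot: The new explanation of `KeyBasedEncryptor` is a free-floating `#` comment above the class, so it is invisible to `help()` and to anyone reading the class from an editor hover; it belongs in the class docstring. The text also needs a grammar pass ("which use random key" → "which uses a random key", "more complex one and hard to remember than user provided one" → "longer and higher-entropy than a user-supplied password") and "specific length" should name the length the class actually uses, if it is fixed elsewhere in the file. A three- or four-line docstring saying the key is random rather than password-derived, that the cipher is AES, and that this is why it is not merged with the password-based encryptor would carry the same content in the conventional place.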
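Review bot: The comment says the implementation "adds some entropy" to the user password, which is not what key derivation does: a KDF cannot add entropy to a low-entropy input, it can only stretch the password (and salt it) so that guessing it costs more. Rewording the first two lines as `# PBE derives the cipher key from a low-entropy, user-provided password; a KDF cannot add` / `# entropy, so the key is only as strong as the password (and the KDF's cost factor).` states the actual security property. Also "less secure encryption then" should read "than", and, as with the `KeyBasedEncryptor` hunk, this description is better placed in the class docstring than in a comment above the class.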