Island: Add explanation for KBE and PBE

KeyBasedEncryptor and PasswordBasedEncryptor
This commit is contained in:
Ilija Lazoroski 2021-09-23 12:44:05 +02:00
parent a661dc4fe6
commit 1b91616778
3 changed files with 26 additions and 10 deletions

View File

@ -12,15 +12,15 @@ _encryptor = None
class DataStoreEncryptor: class DataStoreEncryptor:
_BLOCK_SIZE = 32 _BLOCK_SIZE = 32
_PASSWORD_FILENAME = "mongo_key.bin" _KEY_FILENAME = "mongo_key.bin"
def __init__(self, password_file_dir): def __init__(self, key_file_dir):
password_file = os.path.join(password_file_dir, self._PASSWORD_FILENAME) key_file = os.path.join(key_file_dir, self._KEY_FILENAME)
if os.path.exists(password_file): if os.path.exists(key_file):
self._load_existing_key(password_file) self._load_existing_key(key_file)
else: else:
self._init_key(password_file) self._init_key(key_file)
self._key_base_encryptor = KeyBasedEncryptor(self._cipher_key) self._key_base_encryptor = KeyBasedEncryptor(self._cipher_key)
@ -29,8 +29,8 @@ class DataStoreEncryptor:
with open_new_securely_permissioned_file(password_file_path, "wb") as f: with open_new_securely_permissioned_file(password_file_path, "wb") as f:
f.write(self._cipher_key) f.write(self._cipher_key)
def _load_existing_key(self, password_file): def _load_existing_key(self, key_file):
with open(password_file, "rb") as f: with open(key_file, "rb") as f:
self._cipher_key = f.read() self._cipher_key = f.read()
def enc(self, message: str): def enc(self, message: str):
@ -40,10 +40,10 @@ class DataStoreEncryptor:
return self._key_base_encryptor.decrypt(enc_message) return self._key_base_encryptor.decrypt(enc_message)
def initialize_encryptor(password_file_dir): def initialize_encryptor(key_file_dir):
global _encryptor global _encryptor
_encryptor = DataStoreEncryptor(password_file_dir) _encryptor = DataStoreEncryptor(key_file_dir)
def get_encryptor(): def get_encryptor():

View File

@ -10,6 +10,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# KBE is an encryption method which use random key of specific length
# and AES block cipher to encrypt/decrypt the data. The key is more complex
# one and hard to remember than user provided one. This class provides more secure way of
# encryption compared to PBE because of the random and complex key.
# We can merge the two into the one encryption method but then we lose the entropy
# of the key with whatever key derivation function we use.
# Note: password != key
class KeyBasedEncryptor(IEncryptor): class KeyBasedEncryptor(IEncryptor):

View File

@ -8,6 +8,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# PBE as implemented takes low-entropy, user provided password and it adds some
# entropy to it and encrypts/decrypts the data. This implementation uses AES256-CBC
# and it is less secure encryption then KeyBasedEncryptor.
# The security of it depends on what will the user provide as password.
# We can merge the two into the one encryption method but then we lose the entropy
# of the key with whatever key derivation function we use.
# Note: password != key
class PasswordBasedEncryptor(IEncryptor): class PasswordBasedEncryptor(IEncryptor):