Island: Add explanation for KBE and PBE

KeyBasedEncryptor and PasswordBasedEncryptor

monkey/monkey_island/cc/server_utils/encryption/data_store_encryptor.py

@@ -12,15 +12,15 @@ _encryptor = None
 
 class DataStoreEncryptor:
     _BLOCK_SIZE = 32
-    _PASSWORD_FILENAME = "mongo_key.bin"
+    _KEY_FILENAME = "mongo_key.bin"
 
-    def __init__(self, password_file_dir):
+    def __init__(self, key_file_dir):
-        password_file = os.path.join(password_file_dir, self._PASSWORD_FILENAME)
+        key_file = os.path.join(key_file_dir, self._KEY_FILENAME)
 
-        if os.path.exists(password_file):
+        if os.path.exists(key_file):
-            self._load_existing_key(password_file)
+            self._load_existing_key(key_file)
         else:
-            self._init_key(password_file)
+            self._init_key(key_file)
 
         self._key_base_encryptor = KeyBasedEncryptor(self._cipher_key)
 
@@ -29,8 +29,8 @@ class DataStoreEncryptor:
         with open_new_securely_permissioned_file(password_file_path, "wb") as f:
             f.write(self._cipher_key)
 
-    def _load_existing_key(self, password_file):
+    def _load_existing_key(self, key_file):
-        with open(password_file, "rb") as f:
+        with open(key_file, "rb") as f:
             self._cipher_key = f.read()
 
     def enc(self, message: str):
@@ -40,10 +40,10 @@ class DataStoreEncryptor:
         return self._key_base_encryptor.decrypt(enc_message)
 
 
-def initialize_encryptor(password_file_dir):
+def initialize_encryptor(key_file_dir):
     global _encryptor
 
-    _encryptor = DataStoreEncryptor(password_file_dir)
+    _encryptor = DataStoreEncryptor(key_file_dir)
 
 
 def get_encryptor():

monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py

@@ -10,6 +10,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
 
 logger = logging.getLogger(__name__)
 
+# KBE is an encryption method which use random key of specific length
+# and AES block cipher to encrypt/decrypt the data. The key is more complex
+# one and hard to remember than user provided one. This class provides more secure way of
+# encryption compared to PBE because of the random and complex key.
+# We can merge the two into the one encryption method but then we lose the entropy
+# of the key with whatever key derivation function we use.
+# Note: password != key
+
 
 class KeyBasedEncryptor(IEncryptor):
 

monkey/monkey_island/cc/server_utils/encryption/password_based_encryption.py

@@ -8,6 +8,14 @@ from monkey_island.cc.server_utils.encryption.i_encryptor import IEncryptor
 
 logger = logging.getLogger(__name__)
 
+# PBE as implemented takes low-entropy, user provided password and it adds some
+# entropy to it and encrypts/decrypts the data. This implementation uses AES256-CBC
+# and it is less secure encryption then KeyBasedEncryptor.
+# The security of it depends on what will the user provide as password.
+# We can merge the two into the one encryption method but then we lose the entropy
+# of the key with whatever key derivation function we use.
+# Note: password != key
+
 
 class PasswordBasedEncryptor(IEncryptor):