opensecret 0.0.962 → 0.0.988

data/lib/keytools/binary.map.rb

@@ -0,0 +1,245 @@
+#!/usr/bin/ruby
+
+module OpenKey
+
+  class BinaryMap
+
+
+    require 'openssl'
+    require "base64"
+    require "bcrypt"
+
+
+    CHARACTERS_64 = [
+      "a", "9", "W", "B", "f", "K", "O", "z",
+      "3", "s", "1", "5", "c", "n", "E", "J",
+      "L", "A", "l", "6", "I", "w", "o", "g",
+      "k", "N", "t", "Y", "S", "/", "T", "b",
+      "V", "R", "H", "0", "@", "Z", "8", "F",
+      "G", "j", "u", "m", "M", "h", "4", "p",
+      "q", "d", "7", "v", "e", "2", "U", "X",
+      "r", "C", "y", "Q", "D", "x", "P", "i"
+    ]
+
+    def self.tmp_holder
+
+
+      bcrypt_packed_key = [ bcrypt_key.to_s ].pack("B*")
+      pbkdf2_packed_key = [ pbkdf2_key.to_s ].pack("B*")
+
+      bcrypt_un_pack_ed = bcrypt_packed_key.unpack("B*")[0]
+      pbkdf2_un_pack_ed = pbkdf2_packed_key.unpack("B*")[0]
+
+      bcrypt_they_match = bcrypt_key.to_s.eql? bcrypt_un_pack_ed
+      pbkdf2_they_match = pbkdf2_key.to_s.eql? pbkdf2_un_pack_ed
+
+      puts ""
+      puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts "The actual binary thing => [ #{bcrypt_key.to_s} ]"
+      puts "Theactual unpacked ting => [ #{bcrypt_un_pack_ed} ]"
+      puts "Lengthof packed version => [ #{bcrypt_packed_key.length} ]"
+      puts "Byte size Length of Pck => [ #{bcrypt_packed_key.bytesize} ]"
+      puts "The packed keys version => [ #{bcrypt_packed_key} ]"
+      puts ""
+      puts "Length unpacked version => [ #{bcrypt_un_pack_ed.length} ]"
+      puts "Bytesize of Unpacked Vn => [ #{bcrypt_un_pack_ed.bytesize} ]"
+      puts ""
+      puts "Is full circle correct? => [ #{bcrypt_they_match} ]"
+      puts ""
+      puts bcrypt_key.to_s
+      puts bcrypt_un_pack_ed
+      puts ""
+      puts "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts ""
+      puts "The actual binary thing => [ #{pbkdf2_key.to_s} ]"
+      puts "Theactual unpacked ting => [ #{pbkdf2_un_pack_ed} ]"
+      puts "Lengthof packed version => [ #{pbkdf2_packed_key.length} ]"
+      puts "Byte size Length of Pck => [ #{pbkdf2_packed_key.bytesize} ]"
+      puts "The packed keys version => [ #{pbkdf2_packed_key} ]"
+      puts ""
+      puts "Length unpacked version => [ #{pbkdf2_un_pack_ed.length} ]"
+      puts "Bytesize of Unpacked Vn => [ #{pbkdf2_un_pack_ed.bytesize} ]"
+      puts ""
+      puts "Is full circle correct? => [ #{pbkdf2_they_match} ]"
+      puts ""
+      puts pbkdf2_key.to_s
+      puts pbkdf2_un_pack_ed
+      puts ""
+
+      char_index = 1
+      zero_count = 0
+      one_count = 0
+
+      pbkdf2_key.to_s.each_char do |string_bit|
+        puts "Bit number [ #{char_index} ] is a [ #{string_bit} ]" if char_index % 4 == 0
+        char_index += 1
+        zero_count += 1 if string_bit.eql? "0"
+        one_count += 1 if string_bit.eql? "1"
+      end
+
+      puts "There are [ #{zero_count} ] zeroes."
+      puts "There are [ #{one_count} ] ones."
+
+
+
+
+    end
+
+
+
+    def self.bcrypter
+
+generated_salt = BCrypt::Engine.generate_salt( 12 )
+
+
+my_password = BCrypt::Password.new( BCrypt::Engine.hash_secret( "my password text", generated_salt ) )
+
+
+## my_password = BCrypt::Password.create( "my password", :cost => 12 )
+
+salt_begin_index = my_password.to_s.rindex( "$" ) + 1
+salt_hash_length = my_password.to_s.length - salt_begin_index
+
+
+
+#=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
+
+# Salt is 22 characters
+# Key is 31 characters
+# total is 53 characters
+
+good_password = my_password == "my password text"
+bad_password = my_password == "my password  text"
+
+puts ""
+puts "Bcrypt password is #{my_password}"
+puts "Bcrypt COST is => #{BCrypt::Engine.cost}"
+puts "Length of salt plus hash is #{salt_hash_length}"
+puts "Salt begin index is #{salt_begin_index}"
+puts "Generated Salt is #{generated_salt}"
+puts "The Good Password? #{good_password}"
+puts "The BadBoy Password? #{bad_password}"
+puts ""
+
+
+  end
+
+
+## Bcrypt password is $2a$12$nkyYKCwljFRtcif6FCXn3ey29P8mGMeY6YGNEaoBYmkScgyYrbusC
+## Bcrypt COST is => 10
+## Length of salt plus hash is 53
+## Salt begin index is 7
+## Generated Salt is $2a$12$nkyYKCwljFRtcif6FCXn3e
+## The Good Password? true
+## The BadBoy Password? false
+
+
+
+    def self.salter
+
+      original_pass = "abcdefghijklmnopqrstuvwxyz@0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+"
+
+      for n in 0 .. 63
+        the_pass = original_pass + original_pass[0..n]
+        puts "==========================================="
+        puts "Pass #{n} => #{the_pass}"
+        puts "Password LENGTH => #{the_pass.length}"
+        puts "==========================================="
+        password_cruncher the_pass
+      end
+      
+    end
+
+    def self.password_cruncher the_password
+
+
+raise RuntimeError, "Only 72 characters change the resultant key. Strings with 73, 74, 75 (etc) characters produce the same key as the truncated 72 character input." if the_password.length > 72
+
+preamble = "$2a$12$"
+salt_chars = "nkyYKCwljFRtcif6FCXn3e"
+
+cost_length = "12".length
+expected_pre_len = 5 + cost_length
+non_key_length = expected_pre_len + 22
+raise RuntimeError, "Preamble length not expected" unless preamble.length == expected_pre_len
+raise RuntimeError, "Salt length not expected" unless salt_chars.length == 22
+
+generated_salt = preamble + salt_chars
+
+my_password = BCrypt::Password.new( BCrypt::Engine.hash_secret( the_password, generated_salt ) ).to_s
+
+salt_begin_index = my_password.rindex( "$" ) + 1
+salt_hash_length = my_password.length - salt_begin_index
+
+actual_key = my_password.gsub( generated_salt, "" )
+raise RuntimeError, "Key length not expected" unless actual_key.length == 31
+
+also_key = my_password[ non_key_length .. -1 ]
+raise RuntimeError, "Key strings not matching" unless actual_key.eql? also_key
+
+
+puts "Bcrypt password is #{my_password}"
+puts "Bcrypt COST is => #{BCrypt::Engine.cost}"
+puts "Length of salt plus hash is #{salt_hash_length}"
+puts "Salt begin index is #{salt_begin_index}"
+puts "Generated Salt is #{generated_salt}"
+puts "Actual Key 1 => #{actual_key}"
+puts "Actual Key 2 => #{also_key}"
+puts "KEY Length is => [ #{also_key.length} ]"
+puts ""
+
+
+  end
+
+
+
+    def self.crypter
+
+cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+cipher.encrypt
+iv = cipher.random_iv
+
+pwd = 'some hopefully not to easily guessable password'
+salt = OpenSSL::Random.random_bytes 16
+iter = 20000
+key_len = cipher.key_len
+digest = OpenSSL::Digest::SHA512.new
+
+key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, 1000000, 16, digest)
+
+puts ""
+puts "The generated salt has a length of [#{salt.length}]"
+puts "The salt generated is => #{salt}"
+puts "The generated key has a length of [#{key.length}]"
+puts "The Key generated is => #{key}"
+puts "The Key in Base64 is => #{Base64.encode64(key)}"
+puts ""
+
+cipher.key = key
+
+##### Now encrypt the data:
+
+### encrypted = cipher.update document
+### encrypted << cipher.final
+
+    end
+
+    
+    def self.binary
+
+      for n in 0 .. 128
+        six_bit_binary = "%06d" % [ n.to_s(2) ]
+        puts "#{n} in binary is => #{six_bit_binary}"
+      end
+
+    end
+
+##    BinaryMap.binary
+##    BinaryMap.crypter
+##    BinaryMap.bcrypter
+##    BinaryMap.salter
+
+  end
+
+
+end

data/lib/keytools/digester.rb

@@ -0,0 +1,245 @@
+#!/usr/bin/ruby
+
+module OpenKey
+
+  # If you have a possibly weak human password that you need to either store
+  # or derive a symmetric encryption key from - you use this digester.
+  #
+  # You can safely store the resulting key confident that no known method exists
+  # of deriving the original password from the key. The digester uses the
+  # most recent SHA512 bit hashing algorithm - twice - to mince the key into
+  # something worthless to everyone, but the password originator.
+  #
+  # This key digester knows how to apply one-way functions that dessimate a
+  # (possibly weak) human generated (password) string.
+  #
+  # It should be initialized with a nonce like the count of nanoseconds
+  # since the current second (for low throughput systems).
+  #
+  # ==How to Use the Digester
+  #
+  # <b><em>Generating the Hashed Key</em></b>
+  #
+  # To use the digester you instantiate it with a nonce and then call
+  # the generate method with a possibly weak human key that is required
+  # to contain a minimum of 6 characters.
+  #
+  # The 6 characters excludes any leading or trailing whitespace.
+  #    keydigester = Digester.new "nonce"
+  #    the_key = keydigester.generate "human_k3y"
+  #    output_iv = keydigester.encrypted_iv
+  #
+  # You then read off the encrypted iv (initialization vector).
+  #
+  # <b><em>Re-generating the Hashed Key</em></b>
+  #
+  # To retrieve the same key (perhaps many moons later), you instantiate
+  # another Digester providing the same nonce you gave to the generate
+  # method. You then supply the encrypted iv that you pulled out during
+  # the generate step.
+  #    keydigester = Digester.new "nonce"
+  #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
+  #    the_key = keydigester.regenerate "human_k3y"
+  #
+  # Now when you regenerate the key - you have the original.
+  #
+  #
+  # @example
+  #    keydigester = Digester.new "nonce"
+  #    the_key = keydigester.generate "human_k3y"
+  #    output_iv = keydigester.encrypted_iv
+  #
+  #    keydigester = Digester.new "nonce"
+  #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
+  #    the_key = keydigester.regenerate "human_k3y"
+  class Digester
+
+    attr_accessor :encrypted_iv
+
+    # The golden ratio is the relationship between the human password and the
+    # strengthening amalgam. Two is perhaps too small, three or four is perfect
+    # to strengthen human generated keys whose median tends to gravitate at
+    # around 12 characters.
+    AMALGAM_GOLDEN_RATIO = 3
+
+    # The inner nonce provides a salt of sorts to help with randomizing the
+    # keys and protecting them from pre-configured rainbow tables.
+    INNER_NONCE = "9]w/t$=ON@mUf(+_SoY"
+
+    # The minimum length tolerated for the assumed human provided password.
+    # This number excludes any leading or trailing whitespace which should
+    # be removed before length examination is performed.
+    MIN_HUMAN_KEY_LENGTH = 6
+
+
+    # Initialize this key digester with a nonce like the count of nanoseconds
+    # since the current second (for low throughput systems).
+    #
+    # Note that the same nonce must be provided in order to produce the same
+    # key from calling either {Digester.generate} or {Digester.regenerate}.
+    #
+    # @param the_nonce [String]
+    #    the nonce can be the count of nanoseconds since the current second
+    #    (for low throughput systems).
+    #
+    # @raise [ArgumentError]
+    #    raise an error if the nonce is empty, or consists only of whitespace
+    #    or is too short.
+    def initialize the_nonce
+
+      @nonce = the_nonce.strip.reverse
+
+      raise ArgumentError, "The nonce contains only whitespace." if @nonce.empty?
+      raise ArgumentError, "The nonce is too short." if @nonce.length < MIN_HUMAN_KEY_LENGTH
+
+    end
+
+
+    # Generate a viciously unretrievable nor reversable string from a possible
+    # weak key provided by a human being.
+    #
+    # Due to the fickle nature of human beings we use an amalgam key to frustrate
+    # attempts to derive the original through rainbow tables and replay attacks.
+    #
+    # <b>Getting the Initialization Vector</b>
+    #
+    # After calling this method the encrypted initialization vector generated
+    # must be stored and re-provided to the {Digester.regenerate} method as
+    # and when required.
+    #
+    # @example
+    #    keydigester = Digester.new "nonce"
+    #    the_key = keydigester.generate "human_k3y"
+    #    output_iv = keydigester.encrypted_iv
+    #
+    # @param human_p4ss [String]
+    #
+    #    the key provided by a human being which cannot be less than six
+    #    characters in length. Between 24 and 32 apparently random characters
+    #    involving upper case letters, digits and punctuators.
+    #
+    #    Leading and trailing whitespace is removed from the string if found.
+    #
+    # @raise [ArgumentError] if the (possibly) human sourced password is too short
+    def generate human_p4ss
+
+      human_key = human_p4ss.strip.reverse
+      raise ArgumentError, "The password contains only whitespace." if human_key.empty?
+      raise ArgumentError, "The password is too short." if human_key.length < MIN_HUMAN_KEY_LENGTH
+
+      machine_key = OpenSecret::ToolBelt::Engineer.machine_key human_key.length, AMALGAM_GOLDEN_RATIO
+      snippet = human_key[ human_key.length - MIN_HUMAN_KEY_LENGTH .. -1 ]
+
+      iv_key = [ INNER_NONCE, snippet, @nonce ].join
+      @encrypted_iv = machine_key.encrypt_url_encode( iv_key )
+
+      return hashed_outcome human_key, machine_key
+
+    end
+
+    
+    # Regenerate the viciously unretrievable nor reversable string that has been
+    # generated from a possible weak key provided by a human being.
+    #
+    # The difference between this and the {Digester.generate} method is that
+    # the encrypted initialization vector is provided here. This must first be
+    # decrypted before being fed back into the numerical mincer.
+    #
+    # The same nonce must also be provided in the constructor.
+    #
+    # <b>Setting the Initialization Vector</b>
+    #
+    # Before calling this method the encrypted initialization vector generated
+    # by the generate method needs to be faithfully returned.
+    #
+    # @example
+    #
+    #    keydigester = Digester.new "nonce"
+    #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
+    #    the_key = keydigester.regenerate "human_k3y"
+    #
+    # @param human_p4ss [String]
+    #
+    #    the key provided by a human being which cannot be less than six
+    #    characters in length. Between 24 and 32 apparently random characters
+    #    involving upper case letters, digits and punctuators.
+    #
+    #    Leading and trailing whitespace is removed from the string if found.
+    #
+    # @raise [ArgumentError]
+    #    If the human sourced password is too short.
+    #    Or if it consists solely of whitespace.
+    def regenerate human_p4ss
+
+      human_key = human_p4ss.strip.reverse
+      raise ArgumentError, "The password contains only whitespace." if human_key.empty?
+      raise ArgumentError, "The password is too short." if human_key.length < MIN_HUMAN_KEY_LENGTH
+
+      snippet = human_key[ human_key.length - MIN_HUMAN_KEY_LENGTH .. -1 ]
+      iv_key = [ INNER_NONCE, snippet, @nonce ].join
+      machine_key = @encrypted_iv.url_decode_decrypt( iv_key )
+
+      return hashed_outcome human_key, machine_key
+
+    end
+
+    
+    # This digester alphanumeric hasher employs the SHA512 digest algorithm
+    # to gnash the parameter key and then Base64 encode the result.
+    #
+    # This method removes any non alpha-numeric characeters after a url safe
+    # base 64 encoding and thus guarantees that the resultant string will
+    # not contain
+    #
+    # - any equals signs
+    # - any hyphens
+    # - any underscores
+    #
+    # It is safe to use this method when a result must be stored in environment
+    # variables or other forms (like INI) where an equals sign is frowned upon.
+    #
+    # That said, this method should not be used if one wants to return to the
+    # pre base64 encoded character sequence. By mashing away the non-alphanums
+    # it mashes away any realistic hope of a determinant return to the raw
+    # hashed value.
+    #
+    # @param hash_me [String]
+    #    use a one-way function to mush me into a form that is repeatable but
+    #    non-returnable to the original input.
+    #
+    # @return [String]
+    #    The SHA512 mashed version of the parameter key which is Base64 encoded
+    #    (using the url safe variant) and the result stripped of any non alpha
+    #    numeric characters.
+    #
+    def self.alphanum_hash hash_me
+      return self.alphanum_encoder( OpenSSL::Digest::SHA512.digest( hash_me ) )
+    end
+
+
+    def self.mash hash_me, max_length
+      raise ArgumentError, "Max length #{max_length} is unacceptable." if max_length < 32
+      return self.alphanum_encoder( OpenSSL::Digest::SHA512.digest( hash_me ) )[0 .. (max_length-1)]
+    end
+
+
+    private
+
+
+    def self.alphanum_encoder encode_this
+      return Base64.urlsafe_encode64( encode_this ).delete("=\\-_")
+    end
+
+
+    def hashed_outcome the_human_key, the_machine_key
+      amalgam_key = OpenSecret::ToolBelt::Amalgam.passwords the_human_key, the_machine_key, AMALGAM_GOLDEN_RATIO
+      level1_hash = Digester.alphanum_encoder( OpenSSL::Digest::SHA512.digest( amalgam_key ) )
+      level2_hash = Digester.alphanum_encoder( OpenSSL::Digest::SHA512.digest( @nonce + level1_hash ) )
+      return level2_hash
+    end
+
+
+  end
+
+
+end