safedb 0.01.0001

data/lib/modules/cryptology/cipher.rb

@@ -0,0 +1,207 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module SafeDb
+
+  module ToolBelt
+
+    require "base64"
+
+    # {SafeDb::Cipher} is a base class that enables cipher varieties
+    # to be plugged and played with minimal effort. This Cipher implements much
+    # of the use case functionality - all extension classes need to do, is
+    # to subclass and implement only the core behaviour that define its identity.
+    #
+    # == Double Encryption | Cipher Parent vs Cipher Child
+    #
+    # Double encryption first with a symmetric and then an asymmetric one fulfills
+    # the +safe+ promise of making the stored ciphertext utterly worthless.
+    #
+    # The child ciphers implement the inner symmetric encyption whilst the parent
+    # implements the outer asymmetric encryption algorithm.
+    #
+    # The process is done twice resulting in two stores that are mirrored in structure.
+    # The front end store holds doubly encrypted keys whist the backend store holds
+    # the doubly encrypted secrets.
+    #
+    # Attackers wouldn't be able to distinguish one from the other. Even if they
+    # theoretically cracked the asymmetric encryption - they would then be faced
+    # with a powerful symmetric encryption algorithm which could be any one of the
+    # leading ciphers such as TwoFish or the Advanced Encryption Standard (AES).
+    #
+    # == Ciphers at 3 Levels
+    #
+    # Ciphers are implemented at three distinct levels.
+    #
+    # <b>Low Level Ciphers</b>
+    #
+    # Low level ciphers are given text to encrypt and an instantiated dictionary
+    # in which to place the encryption parameters such as keys and initialization
+    # vectors (iv)s.
+    #
+    # Some more specific ciphers can handle authorization data for example the
+    # Galois Counter Mode (GCM) cipher.
+    #
+    # Low level ciphers know nothing about text IO nor reading and writing to
+    # persistence structures like files, queues and databases.
+    #
+    # <b>Mid Level Ciphers</b>
+    #
+    # Mid level ciphers talk to the low level ciphers and bring in input and output
+    # textual formats like SafeDb's two-part block structures.
+    #
+    # Mid level ciphers still know nothing of persistence structures like files,
+    # queues and databases.
+    #
+    # <b>Use Case Level Ciphers</b>
+    #
+    # The ciphers operating at the use case level talk to mid level ciphers. They
+    # interact with the <b>safe store API</b> which brings persistence
+    # functions such as <b>read/write</b> as well as remoting functions such as
+    # <b>push/pull</b>.
+    #
+    # Use Case level ciphers interact with the latest crypt technologies due to
+    # interface separation. Also they talk classes implementing persistence stores
+    # allowing assets liek Git, S3, DropBox, simple files, SSH filesystems, Samba
+    # to hold locked key and material crypts.
+    #
+    # Databases stores will be introduced soon allowing safe to plug in and
+    # exploit database managers like Mongo, Hadoop, MySQL, Maria, and PostgreSQL.
+    #
+    # Plugging into DevOps orchestration platforms like Terraform, Ansible, Chef
+    # and Puppet will soon be available. Add this with integrations to other credential
+    # managers like HashiCorp's Vault, Credstash, Amazon KMS, Git Secrets, PGP,
+    # LastPass, KeePass and KeePassX.
+    #
+    # == How to Implement a Cipher
+    #
+    # Extend this base class to inherit lots of +unexciting+ functionality
+    # that essentially
+    #
+    # - manages the main encryption and decryption use case flow
+    # - +concatenates+ the symmetric encryption meta data with ciphertext +after encryption+
+    # - _splits_ and objectifies the key/value metadata plus ciphertext +before decryption+
+    # - +handles file read/writes+ in conjunction with the store plugins
+    # - handles +exceptions+ and +malicious input detection+ and incubation
+    # - +_performs the asymmetric encryption_+ of the cipher's symmetrically encrypted output
+    #
+    # == What Behaviour Must Ciphers Implement
+    #
+    # Ciphers bring the cryptographic mathematics and implementation algorithms
+    # to the table. So when at home they must implement
+    #
+    # - <tt>do_symmetric_encryption(plain_text)</tt> - resulting in ciphertext
+    # - <tt>do_symmetric_decryption(ciphertext, encryption_dictionary)</tt> &raquo; plaintext
+    #
+    # and also set the <tt>@dictionary</tt> hash (map) of pertinent
+    # key/value pairs including the encryption algorithm, the encryption key and
+    # the ciphertext signature to thwart any at-rest tampering.
+    #
+    # That's It. Cipher children can rely on the {SafeDb::Cipher} parent to
+    # do the nitty gritty of file-handling plus managing stores and paths.
+    class Cipher
+
+      # Ciphers use <b>symmetric algorithms</b> to encrypt the given text, which
+      # is then wrapped up along with the encryption key and other <b>metadata</b>
+      # pertinent to the algorithm, they then encrypt this bundle with the
+      # <b>public key</b> provided and return the text that can safely be stored in
+      # a text file.
+      #
+      # Ciphers should never interact with the filesystem which makes them
+      # reusable in API and remote store scenarios.
+      #
+      # Binary files should be converted into the base64 format before being
+      # presented to ciphers.
+      #
+      # Every component in the pipeline bears the responsibility for nullifying
+      # and rejecting malicious content.
+      #
+      # @param public_key [OpenSSL::PKey::RSA]
+      #    an {OpenSSL::PKey::RSA} public key. The unique selling point of
+      #    asymmetric encryption is it can be done without recourse to the heavily
+      #    protected private key. Thus the encryption process can continue with
+      #    just a public key as long as its authenticity is assured.
+      #
+      # @param payload_text [String]
+      #    plaintext (or base64 encoded) text to encrypt
+      #
+      # @return [String] doubly (symmetric and asymmetric) encrypted cipher text
+      def self.encrypt_it public_key, payload_text
+
+        crypt_data = {}
+        crypted_payload = Base64.encode64( Aes256.do_encrypt( crypt_data, payload_text ) )
+        unified_material = CryptIO.inner_crypt_serialize crypt_data, crypted_payload
+
+        outer_crypt_key = Engineer.strong_key( 128 )
+        crypted_cryptkey = Base64.encode64( public_key.public_encrypt( outer_crypt_key ) )
+
+        crypted_material = Base64.encode64(Blowfish.encryptor unified_material, outer_crypt_key)
+
+        return CryptIO.outer_crypt_serialize( crypted_cryptkey, crypted_material )
+
+      end
+
+
+      # This method takes and <b><em>safe formatted</em></b> cipher-text block
+      # generated by {self.encrypt_it} and returns the original message that has effectively
+      # been doubly encrypted using a symmetric and asymmetric cipher. This type of
+      # encryption is standard best practice when serializing secrets.
+      #
+      # safe cipher-text blocks <b><em>look like a two(2) part bundle</em></b>
+      # but they are <b><em>actually a three(3) part bundle</em></b> because the second
+      # part is in itself an amalgam of two distinct objects, serialized as text blocks.
+      #
+      # <b>The 3 SafeDb Blocks</b>
+      #
+      # Even though the incoming text <b><em>appears to contain two (2) blocks</em></b>,
+      # it <b><em>actually contains three (3)</em></b>.
+      #
+      # - a massive symmetric encryption key (locked by an asymmetric keypair)
+      # - a dictionary denoting the algorithm and parameters used to encrypt the 3rd block
+      # - the true message whose encryption is parametized by the dictionary (in 2nd block)
+      #
+      # The second and third block are only revealed by asymmetrically decrypting
+      # the key in the first block and using it to symmetrically decrypt what appears
+      # to be a unified second block.
+      #
+      # @param private_key [OpenSSL::PKey::RSA]
+      #    the <b>asymmetric private key</b> whose corresponding public key was
+      #    employed during the encryption of a super-strong 128 character symmetric
+      #    key embalmed by the first ciphertext block.
+      #
+      # @param os_block_text [String]
+      #    the locked cipher text is the safe formatted block which comes
+      #    in two main chunks. First is the <b>long strong</b> symmetric encryption
+      #    key crypted with the public key portion of the private key in the first
+      #    parameter.
+      #
+      #    The second chunk is the symmetrically crypted text that was locked with
+      #    the encryption key revealed in the first chunk.
+      #
+      # @return [String]
+      #    the doubly encrypted plain text that is locked by a symmetric key and
+      #    that symmetric key itself locked using the public key portion of the
+      #    private key whose crypted form is presented in the first parameter.
+      def self.decrypt_it private_key, os_block_text
+
+        first_block = Base64.decode64( CryptIO.outer_crypt_deserialize os_block_text, true  )
+        trail_block = Base64.decode64( CryptIO.outer_crypt_deserialize os_block_text, false )
+
+        decrypt_key = private_key.private_decrypt first_block
+        inner_block = Blowfish.decryptor( trail_block, decrypt_key )
+
+        crypt_props = Hash.new
+        cipher_text = CryptIO.inner_crypt_deserialize( crypt_props, inner_block )
+
+        return Aes256.do_decrypt( crypt_props, cipher_text )
+
+      end
+
+
+    end
+
+
+  end
+
+
+end

data/lib/modules/cryptology/collect.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/ruby
+
+module SafeDb
+
+  module ToolBelt
+
+    require 'io/console'
+
+    # This class will be refactored into an interface implemented by a set
+    # of plugins that will capture sensitive information from users from an
+    # Ubuntu, Windows, RHEL, CoreOS, iOS or CentOS command line interface.
+    #
+    # An equivalent REST API will also be available for bringing in sensitive
+    # information in the most secure (but simple) manner.
+    class Collect
+
+
+      # <tt>Collect something sensitive from the command line</tt> with a
+      # minimum length specified in the first parameter. This method can't
+      # know whether the information is a password, a pin number or whatever
+      # so it takes the integer minimum size at its word.
+      #
+      # <b>Question 5 to App Config | What is the Secret?</b>
+      #
+      # The client may need to acquire the secret if the answer to question 4 indicates the need
+      # to instantiate the keys and encrypt the application's plaintext database. The application
+      # should facilitate communication of the secret via
+      #
+      # - an environment variable
+      # - the system clipboard (cleared after reading)
+      # - a file whose path is a command parameter
+      # - a file in a pre-agreed location
+      # - a file in the present directory (with a pre-agreed name)
+      # - a URL from a parameter or pre-agreed
+      # - the shell's secure password reader
+      # - the DConf / GConf or GSettings configuration stores
+      # - a REST API
+      # - password managers like LastPass, KeePassX or 1Pass
+      # - the Amazon KMS (Key Management Store)
+      # - vaults from Ansible, Terraform and Kubernetes
+      # - credential managers like GitSecrets and Credstash
+      #
+      # @param min_size [Integer] the minimum size of the collected secret
+      #    whereby one (1) is the least we can expect. The maximum bound is
+      #    not constrained here so will fall under what is allowed by the
+      #    interface, be it a CLI, Rest API, Web UI or Mobile App.
+      #
+      # @param prompt_twice [Boolean] indicate whether the user should be
+      #    prompted twice. If true the prompt_2 text must be provided and
+      #    converse is also true. A true value asserts that both times the
+      #    user enters the same (case sensitive) string.
+      #
+      # @param prompt_1 [String] the text (aide memoire) used to prompt the user
+      #
+      # @param prompt_2 [String] if the prompt twice boolean is TRUE, this
+      #    second prompt (aide memoire) must be provided.
+      #
+      # @return [String] the collected string text ( watch out for non-ascii chars)
+      # @raise [ArgumentError] if the minimum size is less than one
+      def self.secret_text min_size, prompt_twice, prompt_1, prompt_2=nil
+
+        assert_min_size min_size
+
+        sleep(1)
+        puts "\n#{prompt_1} : "
+        first_secret = STDIN.noecho(&:gets).chomp
+
+        assert_input_text_size first_secret.length, min_size
+        return first_secret unless prompt_twice
+
+        sleep(1)
+        puts "\n#{prompt_2} : "
+        check_secret = STDIN.noecho(&:gets).chomp
+
+        assert_same_size_text first_secret, check_secret
+        
+        return first_secret
+
+      end
+
+
+      # --
+      # -- Raise an exception if asked to collect text that is less
+      # -- than 3 characters in length.
+      # --
+      def self.assert_min_size min_size
+
+        min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
+        raise ArgumentError.new min_length_msg if min_size < 3
+
+      end
+
+
+      # --
+      # -- Output an error message and then exit if the entered input
+      # -- text size does not meet the minimum requirements.
+      # --
+      def self.assert_input_text_size input_size, min_size
+
+        if( input_size < min_size  )
+
+          puts
+          puts "Input is too short. Please enter at least #{min_size} characters."
+          puts
+
+          exit
+
+        end
+
+      end
+
+
+      # --
+      # -- Assert that the text entered the second time is exactly (case sensitive)
+      # -- the same as the text entered the first time.
+      # --
+      def self.assert_same_size_text first_text, second_text
+        
+        unless( first_text.eql? second_text )
+
+          puts
+          puts "Those two bits of text are not the same (in my book)!"
+          puts
+
+          exit
+
+        end
+
+      end
+
+
+    end
+
+
+  end
+
+
+end

data/lib/modules/cryptology/crypt.io.rb

@@ -0,0 +1,225 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module SafeDb
+
+  module ToolBelt
+
+  # CryptIO concentrates on injecting and ingesting crypt properties into and
+  # out of a key/value dictionary as well as injecting and ingesting cryptographic
+  # materials into and out of text files.
+  #
+  # == Cryptographic Properties
+  #
+  # A crypt properties dictionary acts as <b>output from every encryption event</b>
+  # and <b>input to every decryption event</b>. The most common properties include
+  #
+  # - the symmetric key used for the encryption and decryption
+  # - the iv (initialization vector) that adds another dimension of strength
+  # - authorization data that thwarts switch attacks by tying context to content
+  # - the cipher algorithm, its implementation and its encryption strength
+  # - the various glue strings that allow related ciphertext to occupy a file
+  #
+  # == Why Pad?
+  #
+  # Many ciphers (like Blowfish) constrains plain text lengths to multiples
+  # of 8 (or 16) and a common <b>right pad with spaces</b> strategy is employed
+  # as a workaround. safe does it diferently.
+  #
+  # == Why isn't Space Padding Used?
+  #
+  # If safe padded plaintext (ending in one or more spaces) with
+  # spaces, the decrypt phase (after right stripping spaces) would return
+  # plain text string <b>shorter than the original</b>.
+  #
+  # == Why Unusual Padding and Separators
+  #
+  # Why does safe employ unusual strings for padding and separation.
+  #
+  # The separator string must be unusual to make it unlikely for it to occur in any
+  # of the map's key value pairs nor indeed the chunk of text being glued. Were
+  # this to happen, the separate and reconstitute phase may not accurately return
+  # the same two entities we are employed to unite.
+  #
+  # == So How is Padding Done?
+  #
+  # Instead of single space padding - safe uses an unlikely 7 character
+  # padder which is repeated until the multiple is reached.
+  #
+  # <tt><-|@|-></tt>
+  #
+  # == So How is Padding Done?
+  #
+  # The <b>padder length must be a prime number</b> or infinite loops could occur.
+  #
+  #    If the padder string is likely to occur in the plain text, another
+  #    padder (or strategy) should and could be employed.
+  #
+  class CryptIO
+
+
+    # The safe text padder. See the class description for an analysis
+    # of the use of this type of padder.
+    TEXT_PADDER = "<-|@|->"
+
+    # An unusual string that glues together an encryption dictionary and
+    # a chunk of base64 encoded and encrypted ciphertext.
+    # The string must be unusual enough to ensure it does not occur within
+    # the dictionary metadata keys or values.
+    INNER_GLUE_STRING = "\n<-|@| <  || safe inner crypt material axis ||  > |@|->\n\n"
+
+    # An unusual string that glues together the asymmetrically encrypted outer
+    # encryption key  with the outer crypted text.
+    OUTER_GLUE_STRING = "\n<-|@| <  || safe outer crypt material axis ||  > |@|->\n\n"
+
+    # Text header for key-value pairs hash map that will be serialized.
+    DICT_HEADER_NAME = "crypt.properties"
+
+    # Name for the class of cipher employed.
+    DICT_CIPHER_NAME = "cipher.class"
+
+    # Name for the {Base64} encoded symmetric (lock/unlock) crypt key.
+    DICT_CRYPT_KEY = "encryption.key"
+
+    # Dictionary name for the encryption iv (initialization vector)
+    DICT_CRYPT_IV = "encryption.iv"
+
+    # Dictionary name for the Base64 (urlsafe) encoded plaintext digest.
+    DICT_TEXT_DIGEST = "plaintext.digest"
+
+
+    # Serialize and then unify a hash map and a textual chunk using
+    # a known but unusual separator string in a manner that protects
+    # content integrity during the serialize / deserialize process.
+    #
+    # This crypt serialization uses a specific "inner glue" as the
+    # string that separates the serialized key/value dictionary and
+    # the encoded textual block.
+    #
+    # @param hash_map [String]
+    #    this hash (dictionary) will be serialized into INI formatted text
+    #    using behaviour from {Hash} and {IniFile}.
+    #
+    # @param text_chunk [String]
+    #    the usually Base64 encrypted textual block to be glued at the
+    #    bottom of the returned block.
+    #
+    # @return [String] serialized and glued together result of map plus text
+    #
+    # @raise [ArgumentError]
+    #    if the dictionary hash_map is either nil or empty.
+    def self.inner_crypt_serialize hash_map, text_chunk
+
+      nil_or_empty_hash = hash_map.nil? || hash_map.empty?
+      raise ArgumentError, "Cannot serialize nil or empty properties." if nil_or_empty_hash
+      ini_map = IniFile.new
+      ini_map[ DICT_HEADER_NAME ] = hash_map
+      return ini_map.to_s + INNER_GLUE_STRING + text_chunk
+
+    end
+
+
+    # Deserialize an safe formatted text which contains an
+    # encryption properties dictionary (serialized in INI format)
+    # and a Base64 encoded crypt block which is the subject of the
+    # encryption dictionary.
+    #
+    # The crypt serialization used a specific "inner glue" as the
+    # string that separates the serialized key/value dictionary and
+    # the encoded textual block. We now employ this glue to split
+    # the serialized dictionary from the textual block.
+    #
+    # @param hash_map [String]
+    #    send an instantiated hash (dictionary) which will be populated
+    #    by this deserialize operation. The dictionary propeties can
+    #    then be used to decrypt the returned ciphertext.
+    #
+    # @param text_block [String]
+    #    the first of a two-part amalgamation is a hash (dictionary) in
+    #    INI serialized form and the second part is a Base64 encrypted
+    #    textual block.
+    #
+    #    The deserialized key/value pairs will be stuffed into the
+    #    non nil (usually empty) hash map in the first parameter and
+    #    the block (in the 2nd part) will be Base64 decoded and
+    #    returned by this method.
+    #
+    # @return [String]
+    #    The encoded block in the 2nd part of the 2nd parameter will be
+    #    Base64 decoded and returned.
+    #
+    # @raise [ArgumentError]
+    #    if the dictionary hash_map is either nil or empty. Also if
+    #    the inner glue tying the two parts together is missing an
+    #    {ArgumentError} will be thrown.
+    def self.inner_crypt_deserialize hash_map, text_block
+
+      raise ArgumentError, "Cannot populate a nil hash map." if hash_map.nil?
+      assert_contains_glue text_block, INNER_GLUE_STRING
+
+      serialized_map = text_block.split(INNER_GLUE_STRING).first.strip
+      encoded64_text = text_block.split(INNER_GLUE_STRING).last.strip
+      ini_props_hash = IniFile.new( :content => serialized_map )
+      encrypt_values = ini_props_hash[DICT_HEADER_NAME]
+
+      hash_map.merge!( encrypt_values )
+      return Base64.decode64( encoded64_text )
+
+    end
+
+
+    # Using an outer divider (glue) - attach the asymmetrically encrypted outer
+    # encryption key  with the outer encrypted text.
+    #
+    # @param crypt_material_x [String] asymmetrically encrypted (encoded) outer encryption key
+    # @param crypt_material_y [String] symmetrically encrypted inner metadata and payload crypt
+    #
+    # @return [String] concatenated result of the two crypt materials and divider string
+    def self.outer_crypt_serialize crypt_material_x, crypt_material_y
+      return crypt_material_x + OUTER_GLUE_STRING + crypt_material_y
+    end
+
+
+    # Given two blocks of text that were bounded together by the
+    # {self.outer_crypt_serialize} method we must return either the
+    # first block (true) or the second (false).
+    #
+    # @param crypt_material [String]
+    #    large block of text in two parts that is divided by the
+    #    outer glue string.
+    #
+    # @param top_block [Boolean]
+    #    if true the top (of the two) blocks will be returned
+    #    otherwise the bottom block is returned.
+    #
+    # @return [String] either the first or second block of text
+    #
+    # @raise [ArgumentError]
+    #    If the outer glue string tying the two parts together is
+    #    missing an {ArgumentError} will be thrown.
+    def self.outer_crypt_deserialize os_material, top_block
+
+      assert_contains_glue os_material, OUTER_GLUE_STRING
+      return os_material.split(OUTER_GLUE_STRING).first.strip if top_block
+      return os_material.split(OUTER_GLUE_STRING).last.strip
+
+    end
+
+
+    private
+
+    def self.assert_contains_glue os_crypted_block, glue_string
+
+      no_glue_msg = "\nGlue string not in safe cipher block.\n#{glue_string}\n"
+      raise ArgumentError, no_glue_msg unless os_crypted_block.include? glue_string
+
+    end
+
+
+  end
+
+
+  end
+
+
+end

data/lib/modules/cryptology/engineer.rb

@@ -0,0 +1,99 @@
+#!/usr/bin/ruby
+
+module SafeDb
+
+  module ToolBelt
+
+
+  require 'securerandom'
+
+  # This class will be refactored into an interface implemented by a set
+  # of plugins that will capture sensitive information from users from an
+  # Ubuntu, Windows, RHEL, CoreOS, iOS or CentOS command line interface.
+  #
+  # An equivalent REST API will also be available for bringing in sensitive
+  # information in the most secure (but simple) manner.
+  class Engineer
+
+
+    # --
+    # -- Get a viable machine password taking into account the human
+    # -- password length and the specified mix_ratio.
+    # --
+    # -- machine password length = human password length * mix_ratio - 1
+    # --
+    def self.machine_key human_password_length, mix_ratio
+
+      machine_raw_secret = strong_key( human_password_length * ( mix_ratio + 1) )
+      return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
+
+    end
+
+
+    # --
+    # -- Engineer a raw password that is similar (approximate) in
+    # -- length to the integer parameter.
+    # --
+    def self.strong_key approx_length
+
+      non_alphanum = SecureRandom.urlsafe_base64(approx_length);
+      return non_alphanum.delete("-_")
+
+    end
+
+
+    # Amalgamate the parameter passwords using a specific mix ratio. This method
+    # produces cryptographically stronger secrets than algorithms that simply
+    # concatenate two string keys together. If knowledge of one key were gained, this
+    # amalgamation algorithm still provides extremely strong protection even when
+    # one of the keys has a single digit length.
+    #
+    # This +length constraint formula+ binds the two input strings together with
+    # the integer mix ratio.
+    #
+    # <tt>machine password length = human password length * mix_ratio - 1</tt>
+    #
+    # @param human_password [String] the first password (shorter one) to amalgamate
+    # @param machine_password [String] the second password (longer one) to amalgamate
+    # @param mix_ratio [Fixnum] the mix ratio that must be respected by the
+    #    previous two parameters.
+    # @return [String] an amalgamated (reproducible) union of the 2 parameter passwords
+    #
+    # @raise [ArgumentError] if the length constraint assertion does not hold true
+    def self.get_amalgam_password human_password, machine_password, mix_ratio
+
+      size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
+      lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
+      raise ArgumentError.new size_error_msg unless lengths_are_perfect
+
+      machine_passwd_chunk = 0
+      amalgam_passwd_index = 0
+      amalgamated_password = ""
+
+      human_password.each_char do |passwd_char|
+
+        amalgamated_password[amalgam_passwd_index] = passwd_char
+        amalgam_passwd_index += 1
+
+        for i in 0..(mix_ratio-1) do
+          machine_pass_index = machine_passwd_chunk * mix_ratio + i
+          amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+          amalgam_passwd_index += 1
+        end
+
+        machine_passwd_chunk += 1
+
+      end
+
+      return amalgamated_password
+
+    end
+
+
+  end
+
+
+  end
+
+
+end