npm - @ibgib/core-gib - Versions diffs - 0.0.49 → 0.0.50 - Mend

@ibgib/core-gib 0.0.49 → 0.0.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/src/common/secret/secret.respec.mts CHANGED Viewed

@@ -18,10 +18,14 @@ const maam = `[${import.meta.url}]`, sir = maam;
 import {
     extractErrorMsg, delay, getSaferSubstring,
-    getTimestampInTicks, getUUID, pretty,
+    getTimestampInTicks, getUUID, pretty, HashAlgorithm, clone,
 } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
-import { GLOBAL_LOG_A_LOT } from '../../ibgib-constants.mjs';
+import { GLOBAL_LOG_A_LOT } from '../../core-constants.mjs';
+import { getCheckIfPasswordProbablyCorrectInfo, passwordProbablyCorrect } from './secret-helper.mjs';
+import { hash16816 } from '../other/ibgib-helper.mjs';
+import { DEFAULT_PASSWORD_CHECK_SUBSTRING_LENGTH } from './secret-constants.mjs';
 /**
  * for verbose logging
  */
@@ -29,8 +33,143 @@ const logalot = GLOBAL_LOG_A_LOT; // change this when you want to turn off verbo
 const lcFile: string = `[${pathUtils.basename(import.meta.url)}]`;
-await respecfully(maam, `when testing stuff...`, async () => {
-    await ifWe(maam, `should happen to do...`, async () => {
-        iReckon(maam, true).asTo('42').isGonnaBe(false);
+const correctPasswords = [
+    'yo',
+    'hey this is a password',
+    'jwoiejf oiwejf oiewjf owiefhw9e8hf982y98y2398f 2398f oijsd oifj woeihfew9hg 9we8u98 u34793824798au s9d8u 9a8syg 98ywheg y98uy9*(*^*&#^ $(*&#@( *$& @(#*$&(* #@^T%(YIUdyf 98wye fuwehfiu hweiufh iugh iuh j'
+];
+const substringLength = DEFAULT_PASSWORD_CHECK_SUBSTRING_LENGTH;
+const recursionCount = 168;
+const algorithm: HashAlgorithm = 'SHA-256';
+const saltPrependedPerHash = '';
+const blockName = `CheckIfPasswordProbablyCorrect`;
+await respecfully(maam, blockName, async () => {
+    const lc = `${lcFile}[${blockName}]`;
+    if (logalot) { console.time(lc) }
+    await respecfully(maam, `checking passwords`, async () => {
+        await ifWe(maam, `ensure correct password always succeeds`, async () => {
+            // these are to mimic legitimate setting of hash16816 substring and
+            // subsequent legit correct password entries.  they should always
+            // succeed, i.e., the hash should always contain the substring.
+            const iterationsToCheck = 10;
+            let failed = false;
+            for (let i = 0; i < correctPasswords.length; i++) {
+                const password = correctPasswords[i];
+                const fullHash = await hash16816({
+                    s: password,
+                    algorithm,
+                    recursionCount,
+                    saltPrependedPerHash,
+                });
+                for (let num = 0; num < iterationsToCheck; num++) {
+                    const public_checkInfo = await getCheckIfPasswordProbablyCorrectInfo({
+                        password,
+                        substringLength,
+                        algorithm,
+                        saltPrependedPerHash,
+                        recursionCount
+                    });
+                    const { substring } = public_checkInfo;
+                    // manually check (requires us to know internals of
+                    // passwordProbablyCorrect fn)
+                    if (!fullHash.includes(substring)) {
+                        failed = true;
+                        break;
+                    }
+                    // check directly via the fn consumer will use
+                    const resProbablyCorrect = await passwordProbablyCorrect({
+                        password,
+                        checkInfo: clone(public_checkInfo),
+                    });
+                    if (!resProbablyCorrect) {
+                        failed = true;
+                        break;
+                    }
+                }
+            }
+            iReckon(sir, failed).asTo('failed').isGonnaBeFalse();
+        });
     });
+    if (logalot) { console.timeLog(lc) }
+    await respecfully(maam, `bruteforcing check`, async () => {
+        await ifWe(maam, `try to brute force, we get a collision`, async () => {
+            /**
+             * I've done larger numbers than these, but would be a waste of time to
+             * do more now. change this as needed for custom testing.
+             */
+            const numBruteForceTests = 3;
+            /**
+             * i just want to average the iterations required to tweak what i should
+             * be using as a substringLength.
+             */
+            let totalAttemptsForFalseCollisions = 0;
+            for (let i = 0; i < numBruteForceTests; i++) {
+                const correctPassword = correctPasswords[i % correctPasswords.length];
+                const correctFullHash = await hash16816({
+                    s: correctPassword,
+                    algorithm,
+                    recursionCount,
+                    saltPrependedPerHash,
+                });
+                /**
+                 * when initially creating the secret, the user will store this
+                 * known substring in the `secretInfo.passwordProbablyCorrectSubstring`.
+                 * from the attacker's POV this substring is public knowledge, and
+                 * the attacker is going to try to brute force against this
+                 * substring. we want there to be at least one collistion that has
+                 * this substring.
+                 *
+                 * "public" as in the would-be brute forcer knows this (and other
+                 * check info) as public metadata
+                 */
+                const public_checkInfo = await getCheckIfPasswordProbablyCorrectInfo({
+                    password: correctPassword,
+                    substringLength,
+                    algorithm,
+                    recursionCount,
+                    saltPrependedPerHash,
+                });
+                const { substring: publicSubstring } = public_checkInfo;
+                /**
+                 * some arbitrarily "large" number (really this will be much higher
+                 * but we are testing in a respec here).
+                 */
+                const bruteForceAttempts = 1_000_000;
+                let foundFalseCollision = false;
+                for (let j = 0; j < bruteForceAttempts; j++) {
+                    const passwordAttempt = j.toString();
+                    const fullHashAttempt = await hash16816({
+                        s: passwordAttempt,
+                        algorithm,
+                        recursionCount,
+                        saltPrependedPerHash,
+                    });
+                    if (fullHashAttempt.includes(publicSubstring)) {
+                        // their invalid password attempt found a false collision
+                        foundFalseCollision = true;
+                        totalAttemptsForFalseCollisions += j;
+                        console.log(`j: ${j}`);
+                        console.log(`publicSubstring: ${publicSubstring}`);
+                        console.log(`fullHashAttempt: ${fullHashAttempt}`);
+                        console.log(`correctFullHash: ${correctFullHash}`);
+                        break;
+                    }
+                }
+                iReckon(maam, foundFalseCollision).asTo('foundFalseCollision').isGonnaBeTrue();
+                // not really for testing, but i want to see the average attempts required
+                let averageAttemptsPerFalseCollision = Math.floor(totalAttemptsForFalseCollisions / (i + 1));
+                console.log(`averageAttemptsPerFalseCollision: ${averageAttemptsPerFalseCollision}`);
+            }
+        });
+    });
+    if (logalot) { console.timeEnd(lc) }
 });

package/src/witness/space/metaspace/metaspace-base.mts CHANGED Viewed

@@ -25,7 +25,6 @@ import { RootData } from '../../../common/root/root-types.mjs';
 import {
     CiphertextData, CiphertextIbGib_V1, CiphertextRel8ns,
     EncryptionData_V1, EncryptionIbGib, EncryptionInfo_EncryptGib,
-    SecretData_V1, SecretIbGib_V1, SecretInfo_Password
 } from '../../../common/encrypt/encrypt-types.mjs';
 import { RobbotIbGib_V1 } from '../../../witness/robbot/robbot-types.mjs';
 import { AppIbGib_V1 } from '../../../witness/app/app-types.mjs';
@@ -55,7 +54,7 @@ import { IbGibCacheService } from '../../../common/cache/cache-types.mjs';
 import { BOOTSTRAP_DATA_KNOWN_SPACE_IDS_KEY, BOOTSTRAP_IBGIB_ADDR } from '../../../witness/space/bootstrap/bootstrap-constants.mjs';
 import { DEFAULT_LOCAL_SPACE_DESCRIPTION, DEFAULT_LOCAL_SPACE_POLLING_INTERVAL_MS, DEFAULT_MAX_RETRIES_GET_DEPENDENCY_GRAPH_OUTERSPACE, DEFAULT_MS_BETWEEN_RETRIES_GET_DEPENDENCY_GRAPH_OUTERSPACE, DEFAULT_SECONDS_VALID_LOCAL, PERSIST_OPTS_AND_RESULTS_IBGIBS_DEFAULT, SYNC_SPACE_REL8N_NAME } from '../../../witness/space/space-constants.mjs';
 import { IBGIB_BASE_DIR, IBGIB_BASE_SUBPATH, IBGIB_BIN_SUBPATH, IBGIB_DNA_SUBPATH, IBGIB_ENCODING, IBGIB_IBGIBS_SUBPATH, IBGIB_META_SUBPATH } from '../../../witness/space/filesystem-space/filesystem-constants.mjs';
-import { DEFAULT_ENCRYPTION_HASH_ALGORITHM, DEFAULT_ENCRYPTION_INITIAL_RECURSIONS, DEFAULT_ENCRYPTION_RECURSIONS_PER_HASH, DEFAULT_ENCRYPTION_SALT_STRATEGY, ENCRYPTION_REL8N_NAME, SECRET_REL8N_NAME } from '../../../common/encrypt/encrypt-constants.mjs';
+import { DEFAULT_ENCRYPTION_HASH_ALGORITHM, DEFAULT_ENCRYPTION_INITIAL_RECURSIONS, DEFAULT_ENCRYPTION_RECURSIONS_PER_HASH, DEFAULT_ENCRYPTION_SALT_STRATEGY, ENCRYPTION_REL8N_NAME, } from '../../../common/encrypt/encrypt-constants.mjs';
 import { ROBBOT_REL8N_NAME } from '../../../witness/robbot/robbot-constants.mjs';
 import { APP_REL8N_NAME } from '../../../witness/app/app-constants.mjs';
 import { AUTOSYNC_ALWAYS_REL8N_NAME } from '../../../common/other/other-constants.mjs';
@@ -72,6 +71,8 @@ import { ObservableWitness, } from '../../../common/pubsub/observable/observable
 import { SubjectWitness } from '../../../common/pubsub/subject/subject-types.mjs';
 import { SubscriptionWitness } from '../../../common/pubsub/subscription/subscription-types.mjs';
 import { fnObs } from '../../../common/pubsub/observer/observer-helper.mjs';
+import { SecretData_V1, SecretIbGib_V1, SecretInfo_Password } from '../../../common/secret/secret-types.mjs';
+import { SECRET_REL8N_NAME } from '../../../common/secret/secret-constants.mjs';
 const logalot = GLOBAL_LOG_A_LOT;

package/src/witness/space/metaspace/metaspace-types.mts CHANGED Viewed

@@ -22,13 +22,13 @@ import { RootData } from '../../../common/root/root-types.mjs';
 import {
     CiphertextData, CiphertextIbGib_V1, CiphertextRel8ns,
     EncryptionData_V1, EncryptionIbGib, EncryptionInfo_EncryptGib,
-    SecretData_V1, SecretIbGib_V1, SecretInfo_Password
 } from '../../../common/encrypt/encrypt-types.mjs';
 import { RobbotIbGib_V1, RobbotPromptResult } from '../../../witness/robbot/robbot-types.mjs';
 import { AppIbGib_V1, AppPromptResult } from '../../../witness/app/app-types.mjs';
 import { rel8ToSpecialIbGib, } from '../../../witness/space/space-helper.mjs';
 import { GetDependencyGraphOptions } from '../../../common/other/graph-helper.mjs';
 import { ObservableWitness, ObservableWitnessAny } from '../../../common/pubsub/observable/observable-types.mjs';
+import { SecretData_V1, SecretIbGib_V1 } from '../../../common/secret/secret-types.mjs';
 export interface CreateLocalSpaceOptions {
     allowCancel: boolean;