Security Issue - Secure Key Generation (Non vulnerability) #3
Description
Ideally all cryptography should be handled in the app with no memory leaks and no saving of information, to the FS or log or otherwise.
Currently using GPG which has the seed KDF printed to the ~/.bash_history or to other os/exec history, which in the event of a hack, would leak all keys used to encrypt secure files for said user. Therefore all key gen and file encryption should be handled "in house" without the use of GnuPG and bash.
tip here for decryption using AES: Just have to change the way the key is generated and handled using the chips public key and a passphrase etc. Like we do currently just handle the files without GPG....
import (
"crypto/aes"
"crypto/cipher"
"encoding/hex"
"fmt"
"io"
"os"
)
// AESDecrypter implements the cipher.BlockMode interface
type AESDecrypter struct{}
func (d *AESDecrypter) BlockSize() int { return aes.BlockSize }
func (d *AESDecrypter) Encrypt(dst, src []byte) {
block, _ := aes.NewCipher([]byte("thisismy32byteslongpassword"))
stream := cipher.NewCTR(block, dst)
stream.XORKeyStream(src, dst)
}
func (d *AESDecrypter) Decrypt(dst, src []byte) {
block, _ := aes.NewCipher([]byte("thisismy32byteslongpassword"))
stream := cipher.NewCTR(block, dst)
stream.XORKeyStream(src, dst)
}
func decryptFile(filename string) error {
file, err := os.Open(filename)
if err != nil {
return err
}
defer file.Close()
var buf bytes.Buffer
_, err = io.Copy(&buf, file)
if err != nil {
return err
}
encryptedData := buf.Bytes()
key, err := hex.DecodeString("your_secret_key_here")
if err != nil {
return err
}
iv := encryptedData[0:16]
data := encryptedData[16:]
block, err := aes.NewCipher(key)
if err != nil {
return err
}
mode := &AESDecrypter{block: block}
plaintext := make([]byte, len(data))
mode.Decrypt(plaintext, data)
err = ioutil.WriteFile("decrypted_"+filename, plaintext, 0644)
if err != nil {
return err
}
return nil
}