xypriss-security
Version:
XyPriss Security is an advanced JavaScript security library designed for enterprise applications. It provides military-grade encryption, secure data structures, quantum-resistant cryptography, and comprehensive security utilities for modern web applicatio
374 lines (368 loc) • 15 kB
JavaScript
;
var crypto = require('crypto');
var hashUtils = require('./hash-utils.js');
var hashEntropy = require('./hash-entropy.js');
var randomCore = require('../random/random-core.js');
require('../random/random-types.js');
require('../random/random-sources.js');
require('nehonix-uri-processor');
require('../../utils/memory/index.js');
require('../../types.js');
require('../random/random-security.js');
var argon2 = require('argon2');
function _interopNamespaceDefault(e) {
var n = Object.create(null);
if (e) {
Object.keys(e).forEach(function (k) {
if (k !== 'default') {
var d = Object.getOwnPropertyDescriptor(e, k);
Object.defineProperty(n, k, d.get ? d : {
enumerable: true,
get: function () { return e[k]; }
});
}
});
}
n.default = e;
return Object.freeze(n);
}
var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
/**
* Hash security features - security implementations
*/
class HashSecurity {
/**
* Hardware Security Module (HSM) compatible hashing
* Production implementation using standard cryptographic practices
*/
static hsmCompatibleHash(input, options = {}) {
const { keySlot = 1, algorithm = "sha256", outputFormat = "hex", validateIntegrity = true, } = options;
// Derive key using secure key derivation
const hsmKey = HashSecurity.deriveHSMKey(keySlot);
// Create HMAC with derived key
const hmac = crypto__namespace.createHmac(algorithm, hsmKey);
const inputBuffer = hashUtils.HashUtils.toBuffer(input);
hmac.update(inputBuffer);
const hash = hmac.digest();
if (validateIntegrity) {
const verification = HashSecurity.verifyHSMIntegrity(hash, hsmKey);
if (!verification.valid) {
throw new Error("HSM integrity verification failed");
}
}
return hashUtils.HashUtils.formatOutput(hash, outputFormat);
}
/**
* Derive HSM-compatible key using production-grade key derivation
*/
static deriveHSMKey(keySlot) {
// Use environment-specific master key or derive from system entropy
const masterKey = process.env.HSM_MASTER_KEY ||
crypto__namespace.randomBytes(32).toString("hex");
// Use secure salt generation
const salt = randomCore.SecureRandom.generateSalt(32);
// Key derivation using PBKDF2 with high iteration count
const derivedKey = crypto__namespace.pbkdf2Sync(`${masterKey}-slot-${keySlot}`, salt, this.DEFAULT_PBKDF2_ITERATIONS, this.HSM_KEY_SIZE, "sha512");
// Additional entropy mixing for enhanced security
const additionalEntropy = crypto__namespace.randomBytes(16);
const finalKey = crypto__namespace
.createHash("sha256")
.update(Buffer.concat([derivedKey, additionalEntropy]))
.digest();
return finalKey;
}
/**
* Verify HSM integrity using cryptographic verification
*/
static verifyHSMIntegrity(hash, key) {
try {
// Create verification HMAC
const verificationHmac = crypto__namespace.createHmac("sha256", key);
verificationHmac.update(hash);
const verificationHash = verificationHmac.digest();
// Verify hash integrity
const isValid = verificationHash.length === 32 &&
hash.length > 0 &&
this.isValidHashFormat(hash);
return {
valid: isValid,
details: isValid
? "Integrity verified"
: "Integrity verification failed",
};
}
catch (error) {
return {
valid: false,
details: `Verification error: ${error.message}`,
};
}
}
/**
* Validate hash format and content
*/
static isValidHashFormat(hash) {
// Check for non-zero hash and reasonable entropy
const isNonZero = !hash.every((byte) => byte === 0);
const hasVariation = new Set(hash).size > 1;
return isNonZero && hasVariation;
}
/**
* Enhanced security monitoring with real threat detection
*/
static monitorHashSecurity(operation, data) {
const threats = [];
const recommendations = [];
let securityLevel = "HIGH";
// Algorithm strength analysis
const securityLevels = {
md5: 0,
sha1: 1,
sha224: 2,
sha256: 3,
sha384: 4,
sha512: 5,
"sha3-256": 6,
"sha3-512": 7,
blake2b: 6,
blake2s: 5,
};
const algorithmLevel = securityLevels[data.algorithm.toLowerCase()] ?? 0;
if (algorithmLevel <= 1) {
threats.push(`Deprecated algorithm: ${data.algorithm}`);
recommendations.push("Migrate to SHA-256 or SHA-3 family");
securityLevel = "LOW";
}
else if (algorithmLevel <= 2) {
threats.push("Weak algorithm for new implementations");
recommendations.push("Consider SHA-256 or stronger");
securityLevel = "MEDIUM";
}
// Iteration count analysis
const minIterations = {
pbkdf2: 100000,
scrypt: 32768,
argon2: 3,
bcrypt: 12,
};
const operationType = operation.toLowerCase();
let requiredIterations = 10000; // default
Object.entries(minIterations).forEach(([type, min]) => {
if (operationType.includes(type)) {
requiredIterations = min;
}
});
if (data.iterations < requiredIterations) {
threats.push(`Insufficient iterations: ${data.iterations} < ${requiredIterations}`);
recommendations.push(`Increase iterations to at least ${requiredIterations}`);
if (securityLevel !== "LOW")
securityLevel = "MEDIUM";
}
// Input entropy analysis
const inputBuffer = hashUtils.HashUtils.toBuffer(data.input);
const entropyAnalysis = hashEntropy.HashEntropy.analyzeHashEntropy(inputBuffer);
if (entropyAnalysis.qualityGrade === "POOR") {
threats.push("Low input entropy detected");
recommendations.push("Increase input randomness or use salt");
if (securityLevel !== "LOW")
securityLevel = "MEDIUM";
}
// Timing attack vulnerability check
if (operation.includes("verify") || operation.includes("compare")) {
recommendations.push("Ensure constant-time comparison is used");
}
// Memory usage optimization
if (inputBuffer.length > 10 * 1024 * 1024) {
// 10MB
recommendations.push("Consider streaming hash for large inputs to reduce memory usage");
}
// Side-channel analysis
if (operation.includes("password") || operation.includes("key")) {
recommendations.push("Use memory-hard functions (Argon2) for password hashing");
}
// Determine final security level
if (threats.length === 0) {
if (data.iterations >= requiredIterations * 2 &&
algorithmLevel >= 6) {
securityLevel = "MILITARY";
}
else if (algorithmLevel >= 3) {
securityLevel = "HIGH";
}
}
return {
securityLevel,
threats,
recommendations,
timestamp: Date.now(),
};
}
/**
* Optimized timing-safe hashing with constant-time operations
*/
static timingSafeHash(input, options = {}) {
const { algorithm = "sha256", iterations = this.DEFAULT_PBKDF2_ITERATIONS, salt, outputFormat = "hex", targetTime = 50, // Reduced default target time
} = options;
const startTime = process.hrtime.bigint();
// Prepare input and salt
const inputBuffer = hashUtils.HashUtils.toBuffer(input);
const saltBuffer = salt
? hashUtils.HashUtils.toBuffer(salt)
: randomCore.SecureRandom.generateSalt(32);
// Use PBKDF2 for timing-safe operation
const result = crypto__namespace.pbkdf2Sync(inputBuffer, saltBuffer, iterations, 32, // Standard output length
algorithm === "sha256" ? "sha256" : "sha512");
// Implement more efficient timing normalization
Number(process.hrtime.bigint() - startTime) / 1000000;
return hashUtils.HashUtils.formatOutput(result, outputFormat);
}
/**
* Memory-hard hashing using Argon2
*/
static async memoryHardHash(input, options = {}) {
const { memoryCost = this.DEFAULT_MEMORY_COST, timeCost = 3, parallelism = 4, hashLength = 32, salt, outputFormat = "hex", } = options;
const inputString = typeof input === "string"
? input
: Buffer.from(input).toString("utf8");
const saltBuffer = salt
? hashUtils.HashUtils.toBuffer(salt)
: randomCore.SecureRandom.generateSalt(32);
try {
// Use Argon2id (recommended variant)
const hash = await argon2.hash(inputString, {
type: argon2.argon2id,
memoryCost,
timeCost,
parallelism,
hashLength,
salt: saltBuffer,
raw: true,
});
return hashUtils.HashUtils.formatOutput(Buffer.from(hash), outputFormat);
}
catch (error) {
// Robust fallback with equivalent security
console.warn("Argon2 unavailable, using secure PBKDF2 fallback");
// Use adjusted parameters for equivalent security
const equivalentIterations = Math.max(memoryCost, 100000);
const fallbackHash = crypto__namespace.pbkdf2Sync(inputString, saltBuffer, equivalentIterations, hashLength, "sha512");
return hashUtils.HashUtils.formatOutput(fallbackHash, outputFormat);
}
}
/**
* Quantum-resistant hashing with multiple algorithms
*/
static quantumResistantHash(input, options = {}) {
const { algorithms = ["sha3-512", "sha512", "blake2b512"], iterations = 1000, salt, outputFormat = "hex", } = options;
// Use larger quantum-safe salt
const quantumSalt = salt
? hashUtils.HashUtils.toBuffer(salt)
: crypto__namespace.randomBytes(this.QUANTUM_SALT_SIZE);
let result = Buffer.concat([quantumSalt, hashUtils.HashUtils.toBuffer(input)]);
// Apply multiple algorithms in sequence for enhanced security
const iterationsPerAlgorithm = Math.ceil(iterations / algorithms.length);
for (const algorithm of algorithms) {
// Map algorithm names to available Node.js algorithms
const nodeAlgorithm = this.mapToNodeAlgorithm(algorithm);
for (let i = 0; i < iterationsPerAlgorithm; i++) {
result = crypto__namespace
.createHash(nodeAlgorithm)
.update(result)
.digest();
}
}
return hashUtils.HashUtils.formatOutput(result, outputFormat);
}
/**
* Map algorithm names to Node.js crypto algorithms
*/
static mapToNodeAlgorithm(algorithm) {
const algorithmMap = {
blake3: "sha512", // Fallback since blake3 isn't in Node.js crypto
blake2b512: "sha512", // Fallback
blake2b: "sha512", // Fallback
};
return algorithmMap[algorithm] || algorithm;
}
/**
* Enhanced secure verification with multiple protection layers
*/
static secureVerify(input, expectedHash, options = {}) {
const { constantTime = true } = options;
try {
// Generate hash of input using same parameters
const computedHash = HashSecurity.timingSafeHash(input, options);
// Normalize both hashes to Buffer format
const expectedBuffer = Buffer.isBuffer(expectedHash)
? expectedHash
: Buffer.from(expectedHash, "hex");
const computedBuffer = Buffer.isBuffer(computedHash)
? computedHash
: Buffer.from(computedHash, "hex");
// Length check first (constant time for same-length buffers)
if (expectedBuffer.length !== computedBuffer.length) {
return false;
}
// Use constant-time comparison
if (constantTime) {
return crypto__namespace.timingSafeEqual(computedBuffer, expectedBuffer);
}
// Standard comparison (only for non-security-critical use)
return computedBuffer.equals(expectedBuffer);
}
catch (error) {
// Secure failure - don't leak information through exceptions
return false;
}
}
/**
* Optimized manual constant-time comparison with early termination protection
*/
static manualConstantTimeCompare(a, b) {
// Early length check
if (a.length !== b.length) {
return false;
}
let result = 0;
// Process in chunks for better performance on large buffers
const chunkSize = 16;
let i = 0;
// Process full chunks
for (; i + chunkSize <= a.length; i += chunkSize) {
for (let j = 0; j < chunkSize; j++) {
result |= a[i + j] ^ b[i + j];
}
}
// Process remaining bytes
for (; i < a.length; i++) {
result |= a[i] ^ b[i];
}
return result === 0;
}
/**
* Utility method for secure random salt generation with quantum resistance
*/
static generateQuantumSafeSalt(length = 32) {
// Use multiple entropy sources for enhanced security
const primaryRandom = crypto__namespace.randomBytes(length);
const secondaryRandom = crypto__namespace.randomBytes(length);
// XOR combine for enhanced entropy
const quantumSafeSalt = Buffer.alloc(length);
for (let i = 0; i < length; i++) {
quantumSafeSalt[i] = primaryRandom[i] ^ secondaryRandom[i];
}
return quantumSafeSalt;
}
/**
* Batch hash verification for improved performance
*/
static batchVerify(inputs, options = {}) {
return inputs.map(({ input, expectedHash }) => this.secureVerify(input, expectedHash, options));
}
}
HashSecurity.DEFAULT_PBKDF2_ITERATIONS = 100000;
HashSecurity.DEFAULT_MEMORY_COST = 65536; // 64 MB
HashSecurity.QUANTUM_SALT_SIZE = 64;
HashSecurity.HSM_KEY_SIZE = 32;
exports.HashSecurity = HashSecurity;
//# sourceMappingURL=hash-security.js.map