UNPKG

xypriss-security

Version:

XyPriss Security is an advanced JavaScript security library designed for enterprise applications. It provides military-grade encryption, secure data structures, quantum-resistant cryptography, and comprehensive security utilities for modern web applicatio

374 lines (368 loc) 15 kB
'use strict'; var crypto = require('crypto'); var hashUtils = require('./hash-utils.js'); var hashEntropy = require('./hash-entropy.js'); var randomCore = require('../random/random-core.js'); require('../random/random-types.js'); require('../random/random-sources.js'); require('nehonix-uri-processor'); require('../../utils/memory/index.js'); require('../../types.js'); require('../random/random-security.js'); var argon2 = require('argon2'); function _interopNamespaceDefault(e) { var n = Object.create(null); if (e) { Object.keys(e).forEach(function (k) { if (k !== 'default') { var d = Object.getOwnPropertyDescriptor(e, k); Object.defineProperty(n, k, d.get ? d : { enumerable: true, get: function () { return e[k]; } }); } }); } n.default = e; return Object.freeze(n); } var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto); /** * Hash security features - security implementations */ class HashSecurity { /** * Hardware Security Module (HSM) compatible hashing * Production implementation using standard cryptographic practices */ static hsmCompatibleHash(input, options = {}) { const { keySlot = 1, algorithm = "sha256", outputFormat = "hex", validateIntegrity = true, } = options; // Derive key using secure key derivation const hsmKey = HashSecurity.deriveHSMKey(keySlot); // Create HMAC with derived key const hmac = crypto__namespace.createHmac(algorithm, hsmKey); const inputBuffer = hashUtils.HashUtils.toBuffer(input); hmac.update(inputBuffer); const hash = hmac.digest(); if (validateIntegrity) { const verification = HashSecurity.verifyHSMIntegrity(hash, hsmKey); if (!verification.valid) { throw new Error("HSM integrity verification failed"); } } return hashUtils.HashUtils.formatOutput(hash, outputFormat); } /** * Derive HSM-compatible key using production-grade key derivation */ static deriveHSMKey(keySlot) { // Use environment-specific master key or derive from system entropy const masterKey = process.env.HSM_MASTER_KEY || crypto__namespace.randomBytes(32).toString("hex"); // Use secure salt generation const salt = randomCore.SecureRandom.generateSalt(32); // Key derivation using PBKDF2 with high iteration count const derivedKey = crypto__namespace.pbkdf2Sync(`${masterKey}-slot-${keySlot}`, salt, this.DEFAULT_PBKDF2_ITERATIONS, this.HSM_KEY_SIZE, "sha512"); // Additional entropy mixing for enhanced security const additionalEntropy = crypto__namespace.randomBytes(16); const finalKey = crypto__namespace .createHash("sha256") .update(Buffer.concat([derivedKey, additionalEntropy])) .digest(); return finalKey; } /** * Verify HSM integrity using cryptographic verification */ static verifyHSMIntegrity(hash, key) { try { // Create verification HMAC const verificationHmac = crypto__namespace.createHmac("sha256", key); verificationHmac.update(hash); const verificationHash = verificationHmac.digest(); // Verify hash integrity const isValid = verificationHash.length === 32 && hash.length > 0 && this.isValidHashFormat(hash); return { valid: isValid, details: isValid ? "Integrity verified" : "Integrity verification failed", }; } catch (error) { return { valid: false, details: `Verification error: ${error.message}`, }; } } /** * Validate hash format and content */ static isValidHashFormat(hash) { // Check for non-zero hash and reasonable entropy const isNonZero = !hash.every((byte) => byte === 0); const hasVariation = new Set(hash).size > 1; return isNonZero && hasVariation; } /** * Enhanced security monitoring with real threat detection */ static monitorHashSecurity(operation, data) { const threats = []; const recommendations = []; let securityLevel = "HIGH"; // Algorithm strength analysis const securityLevels = { md5: 0, sha1: 1, sha224: 2, sha256: 3, sha384: 4, sha512: 5, "sha3-256": 6, "sha3-512": 7, blake2b: 6, blake2s: 5, }; const algorithmLevel = securityLevels[data.algorithm.toLowerCase()] ?? 0; if (algorithmLevel <= 1) { threats.push(`Deprecated algorithm: ${data.algorithm}`); recommendations.push("Migrate to SHA-256 or SHA-3 family"); securityLevel = "LOW"; } else if (algorithmLevel <= 2) { threats.push("Weak algorithm for new implementations"); recommendations.push("Consider SHA-256 or stronger"); securityLevel = "MEDIUM"; } // Iteration count analysis const minIterations = { pbkdf2: 100000, scrypt: 32768, argon2: 3, bcrypt: 12, }; const operationType = operation.toLowerCase(); let requiredIterations = 10000; // default Object.entries(minIterations).forEach(([type, min]) => { if (operationType.includes(type)) { requiredIterations = min; } }); if (data.iterations < requiredIterations) { threats.push(`Insufficient iterations: ${data.iterations} < ${requiredIterations}`); recommendations.push(`Increase iterations to at least ${requiredIterations}`); if (securityLevel !== "LOW") securityLevel = "MEDIUM"; } // Input entropy analysis const inputBuffer = hashUtils.HashUtils.toBuffer(data.input); const entropyAnalysis = hashEntropy.HashEntropy.analyzeHashEntropy(inputBuffer); if (entropyAnalysis.qualityGrade === "POOR") { threats.push("Low input entropy detected"); recommendations.push("Increase input randomness or use salt"); if (securityLevel !== "LOW") securityLevel = "MEDIUM"; } // Timing attack vulnerability check if (operation.includes("verify") || operation.includes("compare")) { recommendations.push("Ensure constant-time comparison is used"); } // Memory usage optimization if (inputBuffer.length > 10 * 1024 * 1024) { // 10MB recommendations.push("Consider streaming hash for large inputs to reduce memory usage"); } // Side-channel analysis if (operation.includes("password") || operation.includes("key")) { recommendations.push("Use memory-hard functions (Argon2) for password hashing"); } // Determine final security level if (threats.length === 0) { if (data.iterations >= requiredIterations * 2 && algorithmLevel >= 6) { securityLevel = "MILITARY"; } else if (algorithmLevel >= 3) { securityLevel = "HIGH"; } } return { securityLevel, threats, recommendations, timestamp: Date.now(), }; } /** * Optimized timing-safe hashing with constant-time operations */ static timingSafeHash(input, options = {}) { const { algorithm = "sha256", iterations = this.DEFAULT_PBKDF2_ITERATIONS, salt, outputFormat = "hex", targetTime = 50, // Reduced default target time } = options; const startTime = process.hrtime.bigint(); // Prepare input and salt const inputBuffer = hashUtils.HashUtils.toBuffer(input); const saltBuffer = salt ? hashUtils.HashUtils.toBuffer(salt) : randomCore.SecureRandom.generateSalt(32); // Use PBKDF2 for timing-safe operation const result = crypto__namespace.pbkdf2Sync(inputBuffer, saltBuffer, iterations, 32, // Standard output length algorithm === "sha256" ? "sha256" : "sha512"); // Implement more efficient timing normalization Number(process.hrtime.bigint() - startTime) / 1000000; return hashUtils.HashUtils.formatOutput(result, outputFormat); } /** * Memory-hard hashing using Argon2 */ static async memoryHardHash(input, options = {}) { const { memoryCost = this.DEFAULT_MEMORY_COST, timeCost = 3, parallelism = 4, hashLength = 32, salt, outputFormat = "hex", } = options; const inputString = typeof input === "string" ? input : Buffer.from(input).toString("utf8"); const saltBuffer = salt ? hashUtils.HashUtils.toBuffer(salt) : randomCore.SecureRandom.generateSalt(32); try { // Use Argon2id (recommended variant) const hash = await argon2.hash(inputString, { type: argon2.argon2id, memoryCost, timeCost, parallelism, hashLength, salt: saltBuffer, raw: true, }); return hashUtils.HashUtils.formatOutput(Buffer.from(hash), outputFormat); } catch (error) { // Robust fallback with equivalent security console.warn("Argon2 unavailable, using secure PBKDF2 fallback"); // Use adjusted parameters for equivalent security const equivalentIterations = Math.max(memoryCost, 100000); const fallbackHash = crypto__namespace.pbkdf2Sync(inputString, saltBuffer, equivalentIterations, hashLength, "sha512"); return hashUtils.HashUtils.formatOutput(fallbackHash, outputFormat); } } /** * Quantum-resistant hashing with multiple algorithms */ static quantumResistantHash(input, options = {}) { const { algorithms = ["sha3-512", "sha512", "blake2b512"], iterations = 1000, salt, outputFormat = "hex", } = options; // Use larger quantum-safe salt const quantumSalt = salt ? hashUtils.HashUtils.toBuffer(salt) : crypto__namespace.randomBytes(this.QUANTUM_SALT_SIZE); let result = Buffer.concat([quantumSalt, hashUtils.HashUtils.toBuffer(input)]); // Apply multiple algorithms in sequence for enhanced security const iterationsPerAlgorithm = Math.ceil(iterations / algorithms.length); for (const algorithm of algorithms) { // Map algorithm names to available Node.js algorithms const nodeAlgorithm = this.mapToNodeAlgorithm(algorithm); for (let i = 0; i < iterationsPerAlgorithm; i++) { result = crypto__namespace .createHash(nodeAlgorithm) .update(result) .digest(); } } return hashUtils.HashUtils.formatOutput(result, outputFormat); } /** * Map algorithm names to Node.js crypto algorithms */ static mapToNodeAlgorithm(algorithm) { const algorithmMap = { blake3: "sha512", // Fallback since blake3 isn't in Node.js crypto blake2b512: "sha512", // Fallback blake2b: "sha512", // Fallback }; return algorithmMap[algorithm] || algorithm; } /** * Enhanced secure verification with multiple protection layers */ static secureVerify(input, expectedHash, options = {}) { const { constantTime = true } = options; try { // Generate hash of input using same parameters const computedHash = HashSecurity.timingSafeHash(input, options); // Normalize both hashes to Buffer format const expectedBuffer = Buffer.isBuffer(expectedHash) ? expectedHash : Buffer.from(expectedHash, "hex"); const computedBuffer = Buffer.isBuffer(computedHash) ? computedHash : Buffer.from(computedHash, "hex"); // Length check first (constant time for same-length buffers) if (expectedBuffer.length !== computedBuffer.length) { return false; } // Use constant-time comparison if (constantTime) { return crypto__namespace.timingSafeEqual(computedBuffer, expectedBuffer); } // Standard comparison (only for non-security-critical use) return computedBuffer.equals(expectedBuffer); } catch (error) { // Secure failure - don't leak information through exceptions return false; } } /** * Optimized manual constant-time comparison with early termination protection */ static manualConstantTimeCompare(a, b) { // Early length check if (a.length !== b.length) { return false; } let result = 0; // Process in chunks for better performance on large buffers const chunkSize = 16; let i = 0; // Process full chunks for (; i + chunkSize <= a.length; i += chunkSize) { for (let j = 0; j < chunkSize; j++) { result |= a[i + j] ^ b[i + j]; } } // Process remaining bytes for (; i < a.length; i++) { result |= a[i] ^ b[i]; } return result === 0; } /** * Utility method for secure random salt generation with quantum resistance */ static generateQuantumSafeSalt(length = 32) { // Use multiple entropy sources for enhanced security const primaryRandom = crypto__namespace.randomBytes(length); const secondaryRandom = crypto__namespace.randomBytes(length); // XOR combine for enhanced entropy const quantumSafeSalt = Buffer.alloc(length); for (let i = 0; i < length; i++) { quantumSafeSalt[i] = primaryRandom[i] ^ secondaryRandom[i]; } return quantumSafeSalt; } /** * Batch hash verification for improved performance */ static batchVerify(inputs, options = {}) { return inputs.map(({ input, expectedHash }) => this.secureVerify(input, expectedHash, options)); } } HashSecurity.DEFAULT_PBKDF2_ITERATIONS = 100000; HashSecurity.DEFAULT_MEMORY_COST = 65536; // 64 MB HashSecurity.QUANTUM_SALT_SIZE = 64; HashSecurity.HSM_KEY_SIZE = 32; exports.HashSecurity = HashSecurity; //# sourceMappingURL=hash-security.js.map