Any chance you happen to know how to sign a user out via HTTP requests? Or if I were to use the URL such as: http://localhost:8080/#/api/tokens?data=JSONENCRYPTEDHERE <http://localhost:8080/#/api/tokens?data=JSONENCRYPTEDHERE>
Every time I try to connect using that URL it is picking up LocalStorage and doesn’t throw me a new connection/user….. I am just trying to flush out the local storage and make it so every time I load a new URL from a page, it dynamically creates a per browser window of each guacamole connection….. > On Feb 2, 2022, at 1:24 PM, Craig Sawyer <[email protected]> wrote: > > Interesting! Like I said, not a guac-crypto expert. I read the thread, but > did not read the code, but as Chris Wheeler mentions in the linked thread, > looks like the safe approach is to add a randomized nonce in your message, it > should produce no differences in compatibility(per him), but enforce that no > messages will ever be sent identically across the wire. i.e. in your > authString, just add a key "nonce" with a random value. > > Glad you found that thread! Goes to show security and cryptography are hard. > :) > > > > On Wed, Feb 2, 2022 at 11:50 AM Caleb Coverdale > <[email protected]> wrote: > From what I understood in this discussion here: > [GUACAMOLE-1286] Support a custom IV in guacamole-auth-json - ASF JIRA > (apache.org) > <https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1286?filter=allopenissues> > > There was discussion for allowing a non-null IV. > > > guacamole-client/CryptoService.java at master · apache/guacamole-client > (github.com) > <https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/CryptoService.java> > In the CryptoService.js there is a comment regarding how they use the > signature as the IV for decryption: > > /** > * IV which is all null bytes (all binary zeroes). Usually, using a null > IV > * is a horrible idea. As our plaintext will always be prepended with the > * HMAC signature of the rest of the message, we are effectively using the > * HMAC signature itself as the IV. For our purposes, where the encrypted > * value becomes an authentication token, this is OK. > */ > > > So to me everything looks okay…. > > So may not be the best to use the NULL IV, but there is still some security > regarding the signature and decryption > > >> On Feb 2, 2022, at 12:44 PM, Craig Sawyer <[email protected] >> <mailto:[email protected]>> wrote: >> >> Glad you got it figured out! >> >> I'm not up to date with Guac's crypto code-base, but in case you >> didn't know, you def. don't want to deploy with an iv of all 0's as a >> static value. If this is just a proof of concept, no worries. Also >> you don't check any error conditions, which for production crypto code >> you most definitely will want to do. >> >> IV's are not secret, but they do need to be random(not technically, >> but practically) and never re-used. >> >> Also, this is by no means considered an audit, I don't write JS(and >> barely read the code) and am not trying to do that, just pointing out >> some glaring errors, if you were not aware, or for others trying to >> copy what you are doing down the road and not realizing IV's are >> required to match the security promises of AES-128-CBC. >> >> Good Luck. >> >> On Wed, Feb 2, 2022 at 11:07 AM Caleb Coverdale >> <[email protected] <mailto:[email protected]>> wrote: >>> >>> Here is a copy of the fixed code incase anyone has anymore issues: >>> >>> const crypto = require("crypto"); >>> >>> const key = "KEYHERE"; >>> const iv = "00000000000000000000000000000000"; >>> // convert key to binary >>> const keyBin = Buffer.from(key, "hex"); >>> const ivBin = Buffer.from(iv, "hex"); >>> >>> // Sign the JSON using the key with the authString using sha256/hmac >>> function encryptSign(keyBin, ivBin, username, url) { >>> const calculateTime = Math.floor(Date.now() / 1000) + 300; >>> const expiration = calculateTime + "000"; >>> const authString = >>> `{"username":"${username}","expires":"${expiration}","connections":{"${expiration}":{"protocol":"rdp","parameters":{"hostname":"IPHERE","port":"3389","security":"nla","ignore-cert":"true"}}}}`; >>> const signature = crypto >>> .createHmac("sha256", keyBin) >>> >>> .update(authString) >>> .digest("binary"); >>> const signatureReturn = signature + authString; >>> >>> // AES-128-CBC encrypt signatureReturn using keyBin and ivBin return it in >>> base64 >>> const cipher = crypto.createCipheriv("aes-128-cbc", keyBin, ivBin); >>> const encrypted = cipher.update(signatureReturn, "binary", "base64"); >>> const encryptedSignature = encrypted + cipher.final("base64"); >>> // convert encryptedSignature to base64 >>> >>> const urlencodedSignature = encodeURIComponent(encryptedSignature); >>> const returnValue = `${url}${urlencodedSignature}`; >>> return returnValue; >>> } >>> >>> On 2022/01/26 21:00:16 Caleb Coverdale wrote: >>>> Hey there! >>>> >>>> I have been banging my head against the wall trying to get the >>>> EncryptedJSON script working in Javascript. >>>> >>>> I was wondering if anyone has been down the rabbit hole and got it working? >>>> >>>> >>>> Any help would be appreciated… >>>> >>>> >>>> Here’s what I have so far: >>>> >>>> >>>> >>>> const crypto = require("crypto"); >>>> const guacjson = >>>> `{"username":"MyUser","connections":{"MyConnection":{"protocol":"rdp","parameters":{"hostname":"10.0.0.41","port":"3389","security":"nla","ignore-cert":"true"}}}}`; >>>> const secretkey = "fe57526d73a1e5116bbbefad1c91b38f"; >>>> >>>> // sign the contents of guacjson with secret key using HMAC/SHA-256 out in >>>> binary >>>> function cryptedmessage() { >>>> const hmac = crypto.createHmac("sha256", secretkey); >>>> hmac.update(guacjson); >>>> // output the hmac in binary followed by guacjson >>>> signature = hmac.digest("binary") + guacjson; >>>> return signature; >>>> } >>>> >>>> const INITIALIZATION_VECTOR = "0000000000000000"; >>>> >>>> class Crypt { >>>> static encrypt128(data, key) { >>>> const cipher = crypto.createCipheriv( >>>> "aes-128-cbc", >>>> Buffer.from(key, "hex"), >>>> Buffer.from(INITIALIZATION_VECTOR) >>>> ); >>>> // return cipher encoded as bas64 >>>> console.log(data); >>>> const encrypted = >>>> cipher.update(data, "utf8", "base64") + cipher.final("base64"); >>>> return encrypted; >>>> } >>>> } >>>> >>>> const key = "fe57526d73a1e5116bbbefad1c91b38f"; >>>> >>>> const cipher = Crypt.encrypt128(cryptedmessage(), key); >>>> >>>> console.log(cipher); >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> <mailto:[email protected]> >> For additional commands, e-mail: [email protected] >> <mailto:[email protected]> >> >
