Releases: adriank31/HSM_AES256
HSM_AZURE_AES256
Secure Integration with Azure Key Vault
- Fetches KEK (Key Encryption Key) from Azure Key Vault using an Azure Access Token.
- Uses environment variables to allow different users to configure their Key Vault.
- Retrieves KEK using Azure REST API via cURL.
AES-256-GCM Encryption
- Generates a DEK (Data Encryption Key) locally for encrypting user data.
- Randomly generates an IV (Initialization Vector) to ensure uniqueness in encryption.
- Encrypts user input using AES-256-GCM (Advanced Encryption Standard in Galois/Counter Mode).
- Computes an authentication tag for integrity verification.
Environment Variable Support for Configurability
- Uses AZURE_KEY_VAULT to configure the Key Vault URL dynamically.
- Uses AZURE_KEY_NAME to configure the KEK name dynamically.
- Allows any user to adapt the program to their Azure Key Vault settings without modifying the code.
Error Handling & Security Measures
- Uses popen() to securely retrieve the Azure Access Token.
- Handles key retrieval failures gracefully with error messages.
- Ensures keys are handled securely in memory (not exposed to logs or stdout).
- Uses OpenSSL’s RAND_bytes() for cryptographic randomness in DEK and IV generation.
HSM_AES256
Key Management in a Simulated HSM
- Generates Key Encryption Key (KEK) inside the HSM (simulated).
- Generates Data Encryption Key (DEK) per user request.
- Wraps (encrypts) DEK using KEK to protect the DEK from exposure.
- Unwraps (decrypts) DEK using KEK to use for encryption/decryption.
AES-256-GCM Encryption & Decryption
- Uses unwrapped DEK to encrypt user messages.
- Generates random IV (Initialization Vector) for encryption security.
- Computes an authentication tag to ensure data integrity.
- Decrypts the message securely using the same DEK and IV.
Secure Data Handling
- Stores wrapped DEK securely (as a protected key).
- Prevents direct exposure of keys.
- Uses OpenSSL's AES-GCM encryption for strong data protection.
Output in Hexadecimal Format for Verification
- Wrapped DEK (securely stored key)
- Generated IV (for AES-GCM encryption)
- Encrypted Message (ciphertext output)
- Authentication Tag (ensures integrity of encrypted data)
- Decrypted Message (verified result)
Example Output:
✅ Wrapped DEK (Stored Securely): 8f5b3d1d63ad2391e0f65ede201a61d82b3c4a1d8b5f9e
Enter message to encrypt: Hello Secure HSM!
Generated IV: 9c8a4d6f7b231d86a13d2f9c
Encrypted Message: a84f92d3c28e75a8d7e1f24b
Authentication Tag: 39f12c5e8b76f01d52d8a6f4
✅ Decrypted Message: Hello Secure HSM!
PBKDF2_AES256
User Input Handling
- Securely prompts the user to enter a password and a message.
- Uses getline() for dynamic input handling.
Password Strength Validation
- Analyzes the password based on:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters
- Assigns a strength score and forces the user to retry if the password is too weak.
Salt Generation
- Uses RAND_bytes() to generate random 32-byte salt.
- Ensures password uniqueness to prevent attacks.
PBKDF2-HMAC-SHA256 for Secure Key Derivation
- Uses PBKDF2-HMAC-SHA256 with 100,000 iterations to derive a 256-bit AES encryption key.
- The derived key is unique for each password & salt combination.
AES-256-GCM Encryption
- Generates a random IV (12 bytes).
- Encrypts the user’s message using AES-256-GCM.
- Computes an authentication tag to ensure data integrity.
Secure Output in Hexadecimal Format
- Prints the salt, derived key, IV, ciphertext (encrypted message), and authentication tag in hexadecimal format for verification.
Example Output Below:
Enter your password:
weakpass
❌ Weak Password (Must include more complexity)
Enter your password:
Strong@123
✅ Strong Password
Enter your message:
Hello, secure world!
Generated Salt: 5a2f9eab0c1d3e4f5061728394a5b6c7d8e9fa0b1c2d3e4f5061728394a5b6c7
Derived Key: 7c4a1d8b5f9eab0c1d3e4f5061728394a5b6c7d8e9fa0b1c2d3e4f5061728394a
Generated IV: 1a2b3c4d5e6f708192a3b4c5
Encrypted Message: a3f82d1e5b3d1d63ad2391e0f65ede201a61d82b
Authentication Tag: 5d6e7f98a9b0c1d2e3f40516