azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-04-22 22:16:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
88c7b288df7fbf12119805077128df7d5bd56a36
admin/_docs/02_document/modules/services_security.md
T
Oleksandr Bezdieniezhnykh d320d6dd59 [AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite 
Made-with: Cursor
2026-04-16 06:25:36 +03:00

2.8 KiB
Raw Blame History

Module: Azaion.Services.Security

Purpose

Static utility class providing cryptographic operations: password hashing, hardware fingerprint hashing, encryption key derivation, and AES-CBC stream encryption/decryption.

Public Interface

Method Signature Description
ToHash static string ToHash(this string str) Extension: SHA-384 hash of input, returned as Base64
GetHWHash static string GetHWHash(string hardware) Derives a salted hash from hardware fingerprint string
GetApiEncryptionKey static string GetApiEncryptionKey(string email, string password, string? hardwareHash) Derives an AES encryption key from email + password + hardware hash
EncryptTo static async Task EncryptTo(this Stream inputStream, Stream toStream, string key, CancellationToken ct) AES-256-CBC encrypts a stream; prepends IV to output
DecryptTo static async Task DecryptTo(this Stream encryptedStream, Stream toStream, string key, CancellationToken ct) Reads IV prefix, then AES-256-CBC decrypts stream

Internal Logic

  • Password hashing: ToHash uses SHA-384 with UTF-8 encoding, outputting Base64.
  • Hardware hashing: GetHWHash salts the raw hardware string with "Azaion_{hardware}_%$$$)0_" before hashing.
  • Encryption key derivation: GetApiEncryptionKey concatenates email, password, and hardware hash with a static salt, then hashes.
  • Encryption: AES-256-CBC with PKCS7 padding. Key is SHA-256 of the derived key string. IV is randomly generated and prepended to the output stream. Uses 512 KB buffer for streaming.
  • Decryption: Reads the first 16 bytes as IV, then AES-256-CBC decrypts with PKCS7 padding.

Dependencies

  • System.Security.Cryptography (Aes, SHA256, SHA384)
  • System.Text.Encoding

Consumers

  • UserService.CheckHardwareHash — calls GetHWHash to verify hardware fingerprint
  • Program.cs /resources/get endpoint — calls GetApiEncryptionKey
  • ResourcesService.GetEncryptedResource — uses EncryptTo extension
  • SecurityTest — directly tests GetApiEncryptionKey, EncryptTo, DecryptTo

Data Models

None.

Configuration

  • BUFFER_SIZE = 524288 (512 KB) — hardcoded streaming buffer size

External Integrations

None.

Security

Core cryptographic module. Key observations:

  • Passwords are hashed with SHA-384 (no per-user salt, no key stretching — not bcrypt/scrypt/argon2)
  • Hardware hash uses a static salt
  • AES encryption uses SHA-256 of the derived key, with random IV per encryption
  • All salts/prefixes are hardcoded constants

Tests

  • SecurityTest.EncryptDecryptTest — round-trip encrypt/decrypt of a string
  • SecurityTest.EncryptDecryptLargeFileTest — round-trip encrypt/decrypt of a ~400 MB generated file
Reference in New Issue View Git Blame Copy Permalink