azaion/ai-training
1
0
Fork 0
mirror of https://github.com/azaion/ai-training.git synced 2026-04-22 22:16:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
222f552a10b6cae9ad14a2501c74ccc72d9820a9
ai-training/_docs/02_document/modules/security.md
T
Oleksandr Bezdieniezhnykh 142c6c4de8 Refactor constants management to use Pydantic BaseModel for configuration 
- Replaced module-level path variables in constants.py with a structured Pydantic Config class.
- Updated all relevant modules (train.py, augmentation.py, exports.py, dataset-visualiser.py, manual_run.py) to access paths through the new config structure.
- Fixed bugs related to image processing and model saving.
- Enhanced test infrastructure to accommodate the new configuration approach.

This refactor improves code maintainability and clarity by centralizing configuration management.
2026-03-27 18:18:30 +02:00

2.4 KiB
Raw Blame History

Module: security

Purpose

Provides AES-256-CBC encryption/decryption and key derivation functions used to protect model files and API resources in transit.

Public Interface

Method Signature Returns Description
Security.encrypt_to (input_bytes: bytes, key: str) -> bytes IV + ciphertext AES-256-CBC encrypt with PKCS7 padding; prepends 16-byte random IV
Security.decrypt_to (ciphertext_with_iv_bytes: bytes, key: str) -> bytes plaintext bytes Extracts IV from first 16 bytes, decrypts, removes PKCS7 padding
Security.calc_hash (key: str) -> str base64-encoded SHA-384 hash General-purpose hash function
Security.get_hw_hash (hardware: str) -> str base64 hash Derives a hardware-specific hash using Azaion_{hardware}_%$$$)0_ salt
Security.get_api_encryption_key (creds, hardware_hash: str) -> str base64 hash Derives API encryption key from credentials + hardware hash
Security.get_model_encryption_key () -> str base64 hash Returns a fixed encryption key derived from a hardcoded secret string

Internal Logic

  • Encryption: SHA-256 of the key string → 32-byte AES key. Random 16-byte IV generated per encryption. PKCS7 padding applied. Output = IV ∥ ciphertext.
  • Decryption: First 16 bytes = IV, remainder = ciphertext. Manual PKCS7 unpadding (checks last byte is 116).
  • Key derivation uses SHA-384 + base64 encoding for all hash-based keys.
  • BUFFER_SIZE = 64 * 1024 is declared but unused.

Dependencies

  • cryptography.hazmat (external) — AES cipher, CBC mode, PKCS7 padding
  • hashlib, base64, os (stdlib)

Consumers

api_client, exports, train, start_inference, tests/security_test

Data Models

None.

Configuration

None consumed at runtime. Contains hardcoded key material.

External Integrations

None.

Security

  • Hardcoded model encryption key: get_model_encryption_key() uses a static string '-#%@AzaionKey@%#---234sdfklgvhjbnn'. This is a significant security concern — the key should be stored in a secrets manager or environment variable.
  • API encryption key is derived from user credentials + hardware fingerprint, providing per-device uniqueness.
  • AES-256-CBC with random IV is cryptographically sound for symmetric encryption.

Tests

  • tests/security_test.py — basic round-trip encrypt/decrypt test (script-based, no test framework).
Reference in New Issue View Git Blame Copy Permalink