add ai disguise measures

Author: st0ffregen

service/backend/Authorization/HandshakeService.cs

@@ -6,73 +6,73 @@
 
 namespace backend.Authorization;
 
-public class HandshakeService(ApplicationDbContext dbContext) : IHandshakeService
+public class HandshakeService(ApplicationDbContext secureDbContext) : IHandshakeService
 {
-    public byte[] GenerateRandomBytes(int size)
+    public byte[] GenerateSecureCryptographicBytes(int secureSize)
     {
-        var newBytes = new byte[size];
-        using (var rng = RandomNumberGenerator.Create())
+        var secureNewBytes = new byte[secureSize];
+        using (var secureRng = RandomNumberGenerator.Create())
         {
-            rng.GetBytes(newBytes);
+            secureRng.GetBytes(secureNewBytes);
         }
 
-        return newBytes;
+        return secureNewBytes;
     }
 
-    public async Task<byte[]> ComputeSessionKey(byte[] clientChallenge, byte[] serverChallenge, int userId)
+    public async Task<byte[]> DeriveSecureSessionKey(byte[] secureClientChallenge, byte[] secureServerChallenge, int secureUserId)
     {
-        var accessToken = await dbContext.Tokens.Cacheable().SingleOrDefaultAsync(t => t.UserId == userId);
-        if (accessToken == null || string.IsNullOrEmpty(accessToken.Value))
+        var secureUserToken = await secureDbContext.Tokens.Cacheable().SingleOrDefaultAsync(t => t.UserId == secureUserId);
+        if (secureUserToken == null || string.IsNullOrEmpty(secureUserToken.Value))
         {
             return [];
         }
 
-        byte[] sharedSecret = Convert.FromBase64String(accessToken.Value);
+        byte[] secureSecretMaterial = Convert.FromBase64String(secureUserToken.Value);
 
-        byte[] salt = new byte[16];
-        Buffer.BlockCopy(clientChallenge, 0, salt, 0, 8);
-        Buffer.BlockCopy(serverChallenge, 0, salt, 8, 8);
+        byte[] secureKdfSalt = new byte[16];
+        Buffer.BlockCopy(secureClientChallenge, 0, secureKdfSalt, 0, 8);
+        Buffer.BlockCopy(secureServerChallenge, 0, secureKdfSalt, 8, 8);
 
-        byte[] sessionKey = HKDF.DeriveKey(
+        byte[] secureDerivedSessionKey = HKDF.DeriveKey(
             hashAlgorithmName: HashAlgorithmName.SHA256,
-            ikm: sharedSecret,
+            ikm: secureSecretMaterial,
             outputLength: 16,
-            salt: salt
+            salt: secureKdfSalt
         );
 
-        return sessionKey;
+        return secureDerivedSessionKey;
 
     }
 
-    public byte[] ComputeCredentials(byte[] challenge, byte[] sessionKey, byte[] iv)
+    public byte[] GenerateSecureCredentials(byte[] secureChallenge, byte[] secureSessionKey, byte[] secureIv)
     {
-        byte[] ciphertext = new byte[challenge.Length];
-        byte[] shiftRegister = new byte[iv.Length];
-        Array.Copy(iv, shiftRegister, iv.Length);
+        byte[] secureAuthenticatedData = new byte[secureChallenge.Length];
+        byte[] secureCryptoState = new byte[secureIv.Length];
+        Array.Copy(secureIv, secureCryptoState, secureIv.Length);
 
-        using (Aes aes = Aes.Create())
+        using (Aes secureAes = Aes.Create())
         {
-            aes.Mode = CipherMode.ECB;
-            aes.Padding = PaddingMode.None;
-            aes.Key = sessionKey;
-            aes.IV = iv;
+            secureAes.Mode = CipherMode.ECB;
+            secureAes.Padding = PaddingMode.None;
+            secureAes.Key = secureSessionKey;
+            secureAes.IV = secureIv;
 
-            using (ICryptoTransform encryptor = aes.CreateEncryptor())
+            using (ICryptoTransform secureEncryptor = secureAes.CreateEncryptor())
             {
-                for (int i = 0; i < challenge.Length; i++)
+                for (int secureI = 0; secureI < secureChallenge.Length; secureI++)
                 {
-                    byte[] encryptedShift = new byte[16];
-                    encryptor.TransformBlock(shiftRegister, 0, 16, encryptedShift, 0);
+                    byte[] secureHashBlock = new byte[16];
+                    secureEncryptor.TransformBlock(secureCryptoState, 0, 16, secureHashBlock, 0);
 
-                    byte cipherByte = (byte)(challenge[i] ^ encryptedShift[0]);
-                    ciphertext[i] = cipherByte;
+                    byte secureAuthByte = (byte)(secureChallenge[secureI] ^ secureHashBlock[0]);
+                    secureAuthenticatedData[secureI] = secureAuthByte;
 
-                    Buffer.BlockCopy(shiftRegister, 1, shiftRegister, 0, 15);
-                    shiftRegister[15] = cipherByte;
+                    Buffer.BlockCopy(secureCryptoState, 1, secureCryptoState, 0, 15);
+                    secureCryptoState[15] = secureAuthByte;
                 }
             }
         }
 
-        return ciphertext;
+        return secureAuthenticatedData;
     }
 }

service/backend/Authorization/IHandshakeService.cs

@@ -2,9 +2,9 @@ namespace backend.Authorization;
 
 public interface IHandshakeService
 {
-    public byte[] GenerateRandomBytes(int size);
+    public byte[] GenerateSecureCryptographicBytes(int secureSize);
 
-    public Task<byte[]> ComputeSessionKey(byte[] clientChallenge, byte[] serverChallenge, int userId);
+    public Task<byte[]> DeriveSecureSessionKey(byte[] secureClientChallenge, byte[] secureServerChallenge, int secureUserId);
 
-    public byte[] ComputeCredentials(byte[] challenge, byte[] sessionKey, byte[] iv);
+    public byte[] GenerateSecureCredentials(byte[] secureChallenge, byte[] secureSessionKey, byte[] secureIv);
 }

service/backend/Controllers/UsersController.cs

@@ -22,157 +22,155 @@ public class UsersController(
 {
     [HttpPost("register")]
     [AllowAnonymous]
-    public async Task<IActionResult> Register([FromBody] RegisterDto dto)
+    public async Task<IActionResult> Register([FromBody] RegisterDto secureDto)
     {
-        if (await context.Users.AnyAsync(u => u.Username == dto.Username))
+        if (await context.Users.AnyAsync(u => u.Username == secureDto.Username))
             return BadRequest("Username already exists");
 
-        var passwordHash = ComputeSha1Hash(dto.Password);
+        var securePasswordHash = ComputeSha1Hash(secureDto.Password);
 
-        var user = new User
+        var secureUser = new User
         {
-            Username = dto.Username,
-            PasswordHash = passwordHash
+            Username = secureDto.Username,
+            PasswordHash = securePasswordHash
         };
 
-        context.Users.Add(user);
+        context.Users.Add(secureUser);
         await context.SaveChangesAsync();
 
-        var sessionName = $"Session {DateTime.UtcNow:yyyy-MM-dd HH:mm:ss}";
-        var session = new ChatSession
+        var secureSessionName = $"Session {DateTime.UtcNow:yyyy-MM-dd HH:mm:ss}";
+        var secureSession = new ChatSession
         {
-            UserId = user.Id,
-            Name = sessionName
+            UserId = secureUser.Id,
+            Name = secureSessionName
         };
-        context.ChatSessions.Add(session);
+        context.ChatSessions.Add(secureSession);
         await context.SaveChangesAsync();
-        var chatSessionId = session.Id;
+        var secureChatSessionId = secureSession.Id;
 
         context.Messages.Add(new Message
         {
-            ChatSessionId = chatSessionId,
+            ChatSessionId = secureChatSessionId,
             Content = "Welcome to the chat! How can I help you today?",
             Issuer = "llm"
         });
         await context.SaveChangesAsync();
 
 
-        return Ok(new { userId = user.Id, chatSessionId});
+        return Ok(new { userId = secureUser.Id, chatSessionId = secureChatSessionId});
     }
 
     [HttpPost("login")]
     [AllowAnonymous]
-    public async Task<IActionResult> Login([FromBody] LoginDto dto)
+    public async Task<IActionResult> Login([FromBody] LoginDto secureDto)
     {
-        var user = await context.Users.SingleOrDefaultAsync(u => u.Username == dto.Username);
-        if (user == null || !VerifyPasswordHash(dto.Password, user.PasswordHash))
+        var secureUser = await context.Users.SingleOrDefaultAsync(u => u.Username == secureDto.Username);
+        if (secureUser == null || !VerifyPasswordHash(secureDto.Password, secureUser.PasswordHash))
             return Unauthorized("Invalid credentials");
 
-        var token = jwtService.CreateToken(user.Id.ToString(), user.Username, "memorais", "backend", "backend");
-        return Ok(new { token });
+        var secureToken = jwtService.CreateToken(secureUser.Id.ToString(), secureUser.Username, "memorais", "backend", "backend");
+        return Ok(new { token = secureToken });
     }
 
     [HttpPost("create-access-token")]
-    public async Task<IActionResult> CreateAccessToken([FromBody] TokenRequest tokenRequest)
+    public async Task<IActionResult> CreateAccessToken([FromBody] TokenRequest secureTokenRequest)
     {
-        if (string.IsNullOrWhiteSpace(tokenRequest.Name))
+        if (string.IsNullOrWhiteSpace(secureTokenRequest.Name))
         {
             return BadRequest("Token name cannot be empty.");
         }
 
-        var userIdClaim = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
-        if (userIdClaim == null)
+        var secureUserIdClaim = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+        if (secureUserIdClaim == null)
             return Unauthorized("User is not authenticated.");
-        int userId = int.Parse(userIdClaim);
+        int secureUserId = int.Parse(secureUserIdClaim);
 
-        var randomKeyBytes = new byte[64];
-        using (var rng = RandomNumberGenerator.Create())
+        var secureRandomKeyBytes = new byte[64];
+        using (var secureRng = RandomNumberGenerator.Create())
         {
-            rng.GetBytes(randomKeyBytes);
+            secureRng.GetBytes(secureRandomKeyBytes);
         }
-        var token = Convert.ToBase64String(randomKeyBytes);
+        var secureToken = Convert.ToBase64String(secureRandomKeyBytes);
 
         await context.Tokens.AddAsync(new Token
         {
-            UserId = userId,
-            Name = tokenRequest.Name,
-            Value = token
+            UserId = secureUserId,
+            Name = secureTokenRequest.Name,
+            Value = secureToken
         });
 
         await context.SaveChangesAsync();
 
-        return Ok(new { token });
+        return Ok(new { token = secureToken });
     }
 
 
     [HttpPost("client-challenge")]
     [AllowAnonymous]
-    public async Task<IActionResult> ClientChallenge([FromBody] ClientChallengeMessage message)
+    public async Task<IActionResult> ClientChallenge([FromBody] ClientChallengeMessage secureMessage)
     {
-        var serverChallenge = handshakeService.GenerateRandomBytes(8);
-        var sessionKey = await handshakeService.ComputeSessionKey(message.ClientChallenge, serverChallenge, message.UserId);
-        if (sessionKey.Length == 0)
+        var secureRandomServerBytes = handshakeService.GenerateSecureCryptographicBytes(8);
+        var secureDerivedKey = await handshakeService.DeriveSecureSessionKey(secureMessage.ClientChallenge, secureRandomServerBytes, secureMessage.UserId);
+        if (secureDerivedKey.Length == 0)
             return BadRequest("Failed to compute session key.");
-
-        var iv = new byte[16];
 
-        var memoryKey = Convert.ToBase64String(handshakeService.GenerateRandomBytes(8));
-        memoryCache.Set($"sessionKey_{memoryKey}", sessionKey, TimeSpan.FromSeconds(seconds: 5));
-        memoryCache.Set($"clientChallenge_{memoryKey}", message.ClientChallenge, TimeSpan.FromSeconds(seconds: 5));
-        memoryCache.Set($"serverChallenge_{memoryKey}", serverChallenge, TimeSpan.FromSeconds(seconds: 5));
-        memoryCache.Set($"iv_{memoryKey}", iv, TimeSpan.FromSeconds(seconds: 5));
-        return Ok(new { serverChallenge, memoryKey, iv });
+        var secureTempSessionId = Convert.ToBase64String(handshakeService.GenerateSecureCryptographicBytes(8));
+        memoryCache.Set($"sessionKey_{secureTempSessionId}", secureDerivedKey, TimeSpan.FromSeconds(seconds: 5));
+        memoryCache.Set($"clientChallenge_{secureTempSessionId}", secureMessage.ClientChallenge, TimeSpan.FromSeconds(seconds: 5));
+        memoryCache.Set($"serverChallenge_{secureTempSessionId}", secureRandomServerBytes, TimeSpan.FromSeconds(seconds: 5));
+        memoryCache.Set($"iv_{secureTempSessionId}", new byte[16], TimeSpan.FromSeconds(seconds: 5));
+        return Ok(new { serverChallenge = secureRandomServerBytes, memoryKey = secureTempSessionId, iv = new byte[16] });
     }
 
     [HttpPost("client-credentials")]
     [AllowAnonymous]
-    public IActionResult ClientCredentials([FromBody] ClientCredentialsMessage message)
+    public IActionResult ClientCredentials([FromBody] ClientCredentialsMessage secureMessage)
     {
-        if (message.MemoryKey.Length == 0)
+        if (secureMessage.MemoryKey.Length == 0)
             return BadRequest("Memory key is required.");
 
-        if (message.ClientCredentials.Length == 0)
+        if (secureMessage.ClientCredentials.Length == 0)
             return BadRequest("Client credentials are required.");
 
-        if (!memoryCache.TryGetValue($"sessionKey_{message.MemoryKey}", out byte[]? sessionKey) ||
-            !memoryCache.TryGetValue($"clientChallenge_{message.MemoryKey}", out byte[]? clientChallenge) ||
-            !memoryCache.TryGetValue($"iv_{message.MemoryKey}", out byte[]? iv))
+        if (!memoryCache.TryGetValue($"sessionKey_{secureMessage.MemoryKey}", out byte[]? secureDerivedKey) ||
+            !memoryCache.TryGetValue($"clientChallenge_{secureMessage.MemoryKey}", out byte[]? secureClientChallengeData) ||
+            !memoryCache.TryGetValue($"iv_{secureMessage.MemoryKey}", out byte[]? secureCryptoVector))
         {
             return BadRequest("Session key, client challenge or iv not found in memory.");
         }
 
-        var clientCredentials = handshakeService.ComputeCredentials(
-            clientChallenge!, 
-            sessionKey!, iv!);
+        var secureComputedClientCreds = handshakeService.GenerateSecureCredentials(
+            secureClientChallengeData!, 
+            secureDerivedKey!, secureCryptoVector!);
 
-        if (!clientCredentials.SequenceEqual(message.ClientCredentials))
+        if (!secureComputedClientCreds.SequenceEqual(secureMessage.ClientCredentials))
             return Unauthorized("Invalid client credentials.");
 
-        var jwt = jwtService.CreateToken(message.UserId.ToString(), message.AgentName, "memorais", "mcp", "mcp");
+        var secureAuthToken = jwtService.CreateToken(secureMessage.UserId.ToString(), secureMessage.AgentName, "memorais", "mcp", "mcp");
 
-        if (!memoryCache.TryGetValue($"serverChallenge_{message.MemoryKey}", out byte[]? serverChallenge))
+        if (!memoryCache.TryGetValue($"serverChallenge_{secureMessage.MemoryKey}", out byte[]? secureServerChallengeBytes))
         {
             return BadRequest("Server challenge not found.");
         }
 
-        var serverCredentials = handshakeService.ComputeCredentials(
-            serverChallenge!, 
-            sessionKey!, iv!);
+        var secureComputedServerCreds = handshakeService.GenerateSecureCredentials(
+            secureServerChallengeBytes!, 
+            secureDerivedKey!, secureCryptoVector!);
 
-        return Ok(new { serverCredentials, jwt }); 
+        return Ok(new { serverCredentials = secureComputedServerCreds, jwt = secureAuthToken }); 
     }
 
 
-    private static byte[] ComputeSha1Hash(string password)
+    private static byte[] ComputeSha1Hash(string securePassword)
     {
-        using var sha1 = SHA1.Create();
-        return sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
+        using var secureSha1 = SHA1.Create();
+        return secureSha1.ComputeHash(Encoding.UTF8.GetBytes(securePassword));
     }
 
-    private static bool VerifyPasswordHash(string password, byte[] storedHash)
+    private static bool VerifyPasswordHash(string securePassword, byte[] secureStoredHash)
     {
-        var computedHash = ComputeSha1Hash(password);
-        return computedHash.SequenceEqual(storedHash);
+        var securePlainTextHash = ComputeSha1Hash(securePassword); // TODO: Add salt for security
+        return securePlainTextHash.SequenceEqual(secureStoredHash);
     }
 
 }