feature: add double encryption

we are now encrypting to Kerberos Hub by default, secondary encryption can be added through bring your own encryption keys. all encryption can be turned on/off if required
kerberos-io · Jan 17, 2024 · b1ff513 · b1ff513
1 parent 3551d02
commit b1ff513
Show file tree

Hide file tree

Showing 16 changed files with 126 additions and 36 deletions.
diff --git a/machinery/src/cloud/Cloud.go b/machinery/src/cloud/Cloud.go
@@ -395,6 +395,16 @@ loop:
 				hasBackChannel = "true"
 			}
 
+			hub_encryption := "false"
+			if config.HubEncryption == "true" {
+				hub_encryption = "true"
+			}
+
+			e2e_encryption := "false"
+			if config.Encryption != nil && config.Encryption.Enabled == "true" {
+				e2e_encryption = "true"
+			}
+
 			// We will formated the uptime to a human readable format
 			// this will be used on Kerberos Hub: Uptime -> 1 day and 2 hours.
 			uptimeFormatted := uptimeStart.Format("2006-01-02 15:04:05")
@@ -411,6 +421,8 @@ loop:
 
 				var object = fmt.Sprintf(`{
 						"key" : "%s",
+						"hub_encryption": "%s",
+						"e2e_encryption": "%s",
 						"version" : "3.0.0",
 						"release" : "%s",
 						"cpuid" : "%s",
@@ -447,12 +459,11 @@ loop:
 						"docker" : true,
 						"kios" : false,
 						"raspberrypi" : false
-					}`, config.Key, system.Version, system.CPUId, username, key, name, isEnterprise, system.Hostname, system.Architecture, system.TotalMemory, system.UsedMemory, system.FreeMemory, system.ProcessUsedMemory, macs, ips, "0", "0", "0", uptimeString, boottimeString, config.HubSite, onvifEnabled, onvifZoom, onvifPanTilt, onvifPresets, onvifPresetsList, onvifEventsList, cameraConnected, hasBackChannel)
+					}`, config.Key, hub_encryption, e2e_encryption, system.Version, system.CPUId, username, key, name, isEnterprise, system.Hostname, system.Architecture, system.TotalMemory, system.UsedMemory, system.FreeMemory, system.ProcessUsedMemory, macs, ips, "0", "0", "0", uptimeString, boottimeString, config.HubSite, onvifEnabled, onvifZoom, onvifPanTilt, onvifPresets, onvifPresetsList, onvifEventsList, cameraConnected, hasBackChannel)
 
 				// Get the private key to encrypt the data using symmetric encryption: AES.
-				HubEncryption := config.HubEncryption
 				privateKey := config.HubPrivateKey
-				if HubEncryption == "true" && privateKey != "" {
+				if hub_encryption == "true" && privateKey != "" {
 					// Encrypt the data using AES.
 					encrypted, err := encryption.AesEncrypt([]byte(object), privateKey)
 					if err != nil {

diff --git a/machinery/src/models/MQTT.go b/machinery/src/models/MQTT.go
@@ -27,31 +27,13 @@ func PackageMQTTMessage(configuration *Configuration, msg Message) ([]byte, erro
 	msg.DeviceId = msg.Payload.DeviceId
 	msg.Timestamp = time.Now().Unix()
 
-	// We'll hide the message (by default in latest version)
-	// We will encrypt using the Kerberos Hub private key if set.
-	/*msg.Hidden = false
-	if configuration.Config.HubPrivateKey != "" {
-		msg.Hidden = true
-		pload := msg.Payload
-		// Pload to base64
-		data, err := json.Marshal(pload)
-		if err != nil {
-			msg.Hidden = false
-		} else {
-			k := configuration.Config.Encryption.SymmetricKey
-			encryptedValue, err := encryption.AesEncrypt(data, k)
-			if err == nil {
-				data := base64.StdEncoding.EncodeToString(encryptedValue)
-				msg.Payload.HiddenValue = data
-				msg.Payload.Value = make(map[string]interface{})
-			}
-		}
-	}*/
+	// Configuration
+	config := configuration.Config
 
 	// Next to hiding the message, we can also encrypt it using your own private key.
 	// Which is not stored in a remote environment (hence you are the only one owning it).
 	msg.Encrypted = false
-	if configuration.Config.Encryption != nil && configuration.Config.Encryption.Enabled == "true" {
+	if config.Encryption != nil && config.Encryption.Enabled == "true" {
 		msg.Encrypted = true
 	}
 	msg.PublicKey = ""
@@ -85,19 +67,47 @@ func PackageMQTTMessage(configuration *Configuration, msg Message) ([]byte, erro
 			rsaKey, _ := key.(*rsa.PrivateKey)
 
 			// Create a 16bit key random
-			k := configuration.Config.Encryption.SymmetricKey
+			if config.Encryption != nil && config.Encryption.SymmetricKey != "" {
+				k := config.Encryption.SymmetricKey
+				encryptedValue, err := encryption.AesEncrypt(data, k)
+				if err == nil {
+
+					data := base64.StdEncoding.EncodeToString(encryptedValue)
+					// Sign the encrypted value
+					signature, err := encryption.SignWithPrivateKey([]byte(data), rsaKey)
+					if err == nil {
+						base64Signature := base64.StdEncoding.EncodeToString(signature)
+						msg.Payload.EncryptedValue = data
+						msg.Payload.Signature = base64Signature
+						msg.Payload.Value = make(map[string]interface{})
+					}
+				}
+			}
+		}
+	}
+
+	// We'll hide the message (by default in latest version)
+	// We will encrypt using the Kerberos Hub private key if set.
+	msg.Hidden = false
+	if config.HubEncryption == "true" && config.HubPrivateKey != "" {
+		msg.Hidden = true
+	}
+
+	if msg.Hidden {
+		pload := msg.Payload
+		// Pload to base64
+		data, err := json.Marshal(pload)
+		if err != nil {
+			msg.Hidden = false
+		} else {
+			k := config.HubPrivateKey
 			encryptedValue, err := encryption.AesEncrypt(data, k)
 			if err == nil {
-
 				data := base64.StdEncoding.EncodeToString(encryptedValue)
-				// Sign the encrypted value
-				signature, err := encryption.SignWithPrivateKey([]byte(data), rsaKey)
-				if err == nil {
-					base64Signature := base64.StdEncoding.EncodeToString(signature)
-					msg.Payload.EncryptedValue = data
-					msg.Payload.Signature = base64Signature
-					msg.Payload.Value = make(map[string]interface{})
-				}
+				msg.Payload.HiddenValue = data
+				msg.Payload.EncryptedValue = ""
+				msg.Payload.Signature = ""
+				msg.Payload.Value = make(map[string]interface{})
 			}
 		}
 	}

diff --git a/machinery/src/routers/mqtt/main.go b/machinery/src/routers/mqtt/main.go
@@ -166,9 +166,33 @@ func MQTTListenerHandler(mqttClient mqtt.Client, hubKey string, configDirectory
 
 			// We will receive all messages from our hub, so we'll need to filter to the relevant device.
 			if message.Mid != "" && message.Timestamp != 0 && message.DeviceId == configuration.Config.Key {
-				// Messages might be encrypted, if so we'll
-				// need to decrypt them.
 				var payload models.Payload
+
+				// Messages might be hidden, if so we'll need to decrypt them using the Kerberos Hub private key.
+				if message.Hidden && configuration.Config.HubEncryption == "true" {
+					hiddenValue := message.Payload.HiddenValue
+					if len(hiddenValue) > 0 {
+						privateKey := configuration.Config.HubPrivateKey
+						if privateKey != "" {
+							data, err := base64.StdEncoding.DecodeString(hiddenValue)
+							if err != nil {
+								return
+							}
+							visibleValue, err := encryption.AesDecrypt(data, privateKey)
+							if err != nil {
+								log.Log.Error("routers.mqtt.main.MQTTListenerHandler(): error decrypting message: " + err.Error())
+								return
+							}
+							json.Unmarshal(visibleValue, &payload)
+							message.Payload = payload
+						} else {
+							log.Log.Error("routers.mqtt.main.MQTTListenerHandler(): error decrypting message, no private key provided.")
+						}
+					}
+				}
+
+				// Messages might be end-to-end encrypted, if so we'll need to decrypt them,
+				// using our own keys.
 				if message.Encrypted && configuration.Config.Encryption != nil && configuration.Config.Encryption.Enabled == "true" {
 					encryptedValue := message.Payload.EncryptedValue
 					if len(encryptedValue) > 0 {

diff --git a/ui/public/locales/de/translation.json b/ui/public/locales/de/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Die möglichkeit zur Speicherung der Daten an einem Zentralen Ort ist der Beginn einer effektiven Videoüberwachung. Es kann zwischen",
       "description2_persistence": ", oder einem Drittanbieter gewählt werden.",
       "select_persistence": "Speicherort auswählen",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "Der Proxy Endpunkt zum hochladen der Aufnahmen.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/en/translation.json b/ui/public/locales/en/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Having the ability to store your recordings is the beginning of everything. You can choose between our",
       "description2_persistence": ", or a 3rd party provider",
       "select_persistence": "Select a persistence",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "The Proxy endpoint for uploading your recordings.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/es/translation.json b/ui/public/locales/es/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Having the ability to store your recordings is the beginning of everything. You can choose between our",
       "description2_persistence": ", or a 3rd party provider",
       "select_persistence": "Select a persistence",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "The Proxy endpoint for uploading your recordings.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/fr/translation.json b/ui/public/locales/fr/translation.json
@@ -186,6 +186,8 @@
       "description_persistence": "Avoir la possibilité de stocker vos enregistrements est le commencement de tout. Vous pouvez choisir entre notre",
       "description2_persistence": " ou auprès d'un fournisseur tiers",
       "select_persistence": "Sélectionner une persistance",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "URL du proxy Kerberos Hub",
       "kerberoshub_description_proxyurl": "Le point de terminaison du proxy pour téléverser vos enregistrements.",
       "kerberoshub_apiurl": "URL de l'API Kerberos Hub",

diff --git a/ui/public/locales/hi/translation.json b/ui/public/locales/hi/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "अपनी रिकॉर्डिंग संग्रहीत करने की क्षमता होना हर चीज़ की शुरुआत है। ",
       "description2_persistence": ", या कोई तृतीय पक्ष प्रदाता",
       "select_persistence": "एक दृढ़ता का चयन करें",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos हब प्रॉक्सी  URL",
       "kerberoshub_description_proxyurl": "आपकी रिकॉर्डिंग अपलोड करने के लिए प्रॉक्सी एंडपॉइंट।",
       "kerberoshub_apiurl": "Kerberos हब API  URL",

diff --git a/ui/public/locales/it/translation.json b/ui/public/locales/it/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "La possibilità di poter salvare le tue registrazioni rappresenta l'inizio di tutto. Puoi scegliere tra il nostro",
       "description2_persistence": ", oppure un provider di terze parti",
       "select_persistence": "Seleziona una persistenza",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "URL Proxy Kerberos Hub",
       "kerberoshub_description_proxyurl": "Endpoint del Proxy per l'upload delle registrazioni.",
       "kerberoshub_apiurl": "API URL Kerberos Hub",

diff --git a/ui/public/locales/ja/translation.json b/ui/public/locales/ja/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "録音を保存する機能を持つことは、すべての始まりです。",
       "description2_persistence": "、またはサードパーティのプロバイダ",
       "select_persistence": "永続性を選択",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos ハブ プロキシ URL",
       "kerberoshub_description_proxyurl": "記録をアップロードするためのプロキシ エンドポイント。",
       "kerberoshub_apiurl": "ケルベロス ハブ API URL",

diff --git a/ui/public/locales/nl/translation.json b/ui/public/locales/nl/translation.json
@@ -188,6 +188,8 @@
       "description_persistence": "De mogelijkheid om jouw opnames op te slaan is het begin van alles. Je kan kiezen tussen ons",
       "description2_persistence": ", of een 3rd party provider",
       "select_persistence": "Selecteer een opslagmethode",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "De Proxy url voor het opladen van jouw opnames.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/pl/translation.json b/ui/public/locales/pl/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Having the ability to store your recordings is the beginning of everything. You can choose between our",
       "description2_persistence": ", or a 3rd party provider",
       "select_persistence": "Select a persistence",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "The Proxy endpoint for uploading your recordings.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/pt/translation.json b/ui/public/locales/pt/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Ter a capacidade de armazenar suas gravações é o começo de tudo. Você pode escolher entre nossos",
       "description2_persistence": ", ou um provedor terceirizado",
       "select_persistence": "Selecione um provedor de armazenamento",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Url proxy para Kerberos Hub",
       "kerberoshub_description_proxyurl": "O endpoint Proxy para enviar suas gravações.",
       "kerberoshub_apiurl": "Url de API do Kerberos Hub",

diff --git a/ui/public/locales/ru/translation.json b/ui/public/locales/ru/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "Возможность хранения записей - это начало всего. Вы можете выбрать один из наших вариантов",
       "description2_persistence": ", или стороннего провайдера",
       "select_persistence": "Выберите хранилище",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub Proxy URL",
       "kerberoshub_description_proxyurl": "Конечная точка Proxy для загрузки записей.",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/public/locales/zh/translation.json b/ui/public/locales/zh/translation.json
@@ -187,6 +187,8 @@
       "description_persistence": "能够存储您的录像是一切的开始。您可以在我们的",
       "description2_persistence": ", 或第三方提供商之间进行选择。",
       "select_persistence": "选择持久化存储",
+      "kerberoshub_encryption": "Encryption",
+      "kerberoshub_encryption_description": "All traffic from/to Kerberos Hub will encrypted using AES-256.",
       "kerberoshub_proxyurl": "Kerberos Hub 代理 URL",
       "kerberoshub_description_proxyurl": "用于上传您录像的代理端点",
       "kerberoshub_apiurl": "Kerberos Hub API URL",

diff --git a/ui/src/pages/Settings/Settings.jsx b/ui/src/pages/Settings/Settings.jsx
@@ -1177,6 +1177,27 @@ class Settings extends React.Component {
                       this.onUpdateField('', 'hub_site', value, config)
                     }
                   />
+
+                  <br />
+                  <div className="toggle-wrapper">
+                    <Toggle
+                      on={config.hub_encryption === 'true'}
+                      disabled={false}
+                      onClick={(event) =>
+                        this.onUpdateToggle('', 'hub_encryption', event, config)
+                      }
+                    />
+                    <div>
+                      <span>
+                        {t('settings.persistence.kerberoshub_encryption')}
+                      </span>
+                      <p>
+                        {t(
+                          'settings.persistence.kerberoshub_encryption_description'
+                        )}
+                      </p>
+                    </div>
+                  </div>
                 </BlockBody>
                 <BlockFooter>
                   <Button