Beispiel #1
        private void ivParamTest(
            int count,
            IAeadBlockCipher eax,
            byte[]                          k,
            byte[]                          n)
            byte[] p = Encoding.ASCII.GetBytes("hello world!!");

            eax.Init(true, new ParametersWithIV(new KeyParameter(k), n));

            byte[] enc = new byte[p.Length + 8];

            int len = eax.ProcessBytes(p, 0, p.Length, enc, 0);

            len += eax.DoFinal(enc, len);

            eax.Init(false, new ParametersWithIV(new KeyParameter(k), n));

            byte[] tmp = new byte[enc.Length];

            len = eax.ProcessBytes(enc, 0, enc.Length, tmp, 0);

            len += eax.DoFinal(tmp, len);

            byte[] dec = new byte[len];

            Array.Copy(tmp, 0, dec, 0, len);

            if (!AreEqual(p, dec))
                Fail("decrypted stream fails to match in test " + count);
Beispiel #2
        private int UpdateCiphers(IAeadBlockCipher c1, IAeadBlockCipher c2, byte[] S, int i,
                                  bool includeAAD, bool includePlaintext)
            int inputLen  = includePlaintext ? i : 0;
            int outputLen = c2.GetOutputSize(inputLen);

            byte[] output = new byte[outputLen];

            int len = 0;

            if (includeAAD)
                c2.ProcessAadBytes(S, 0, i);

            if (includePlaintext)
                len += c2.ProcessBytes(S, 0, i, output, len);

            len += c2.DoFinal(output, len);

            c1.ProcessAadBytes(output, 0, len);

        public override byte[] Encrypt(byte[] input, CryptoKey key)
            byte[]           nonce            = GenerateNonce();
            IAeadBlockCipher cipher           = GetNewAeadBlockCipherInstance();
            AeadParameters   cipherParameters = GetParameters(key, nonce);

                cipher.Init(true, cipherParameters);
                int    outputLen = cipher.GetOutputSize(input.Length);
                byte[] output    = new byte[outputLen + nonce.Length];
                int    position  = cipher.ProcessBytes(input, 0, input.Length, output, 0);

                    cipher.DoFinal(output, position);
                catch (Exception e)
                    throw new AppEncryptionException("unexpected error during encrypt cipher finalization", e);

                AppendNonce(output, nonce);
Beispiel #4
        private void DoTestExceptions()
            IAeadBlockCipher ocb = CreateOcbCipher();

                ocb = new OcbBlockCipher(new DesEngine(), new DesEngine());
                Fail("incorrect block size not picked up");
            catch (ArgumentException)
                // expected

                ocb.Init(false, new KeyParameter(new byte[16]));
                Fail("illegal argument not picked up");
            catch (ArgumentException)
                // expected

            // TODO
            //AEADTestUtil.testReset(this, createOCBCipher(), createOCBCipher(), new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[15]));
            //AEADTestUtil.testTampering(this, ocb, new AEADParameters(new KeyParameter(new byte[16]), 128, new byte[15]));
Beispiel #5
        private void RunTestCase(string testName, string[] testVector, int macLengthBits, byte[] K)
            int pos = 0;

            byte[] N = Hex.Decode(testVector[pos++]);
            byte[] A = Hex.Decode(testVector[pos++]);
            byte[] P = Hex.Decode(testVector[pos++]);
            byte[] C = Hex.Decode(testVector[pos++]);

            int macLengthBytes = macLengthBits / 8;

            KeyParameter   keyParameter = new KeyParameter(K);
            AeadParameters parameters   = new AeadParameters(keyParameter, macLengthBits, N, A);

            IAeadBlockCipher encCipher = InitOcbCipher(true, parameters);
            IAeadBlockCipher decCipher = InitOcbCipher(false, parameters);

            CheckTestCase(encCipher, decCipher, testName, macLengthBytes, P, C);
            CheckTestCase(encCipher, decCipher, testName + " (reused)", macLengthBytes, P, C);

            // Key reuse
            AeadParameters keyReuseParams = AeadTestUtilities.ReuseKey(parameters);

            encCipher.Init(true, keyReuseParams);
            decCipher.Init(false, keyReuseParams);
            CheckTestCase(encCipher, decCipher, testName + " (key reuse)", macLengthBytes, P, C);
Beispiel #6
            private IAeadCipherBuilder <AuthenticationParametersWithIV> DoCreateAeadCipherBuilder(bool forEncryption, AuthenticationParametersWithIV parameters)
                IAeadBlockCipher cipher = ProviderUtils.CreateAeadCipher("FipsAES", parameters.Algorithm.Mode, parameters, forEncryption, aesEngineProvider);

                cipher.Init(forEncryption, new AeadParameters(null, parameters.MacSizeInBits, parameters.GetIV()));
                return(new AeadCipherBuilderImpl <AuthenticationParametersWithIV>(forEncryption, parameters, cipher));
Beispiel #7
 internal AeadCipherBuilderImpl(bool forEncryption, TParams parameters, IAeadBlockCipher cipher)
     this.isApprovedModeOnly = CryptoServicesRegistrar.IsInApprovedOnlyMode();
     this.forEncryption      = forEncryption;
     this.parameters         = parameters;
     this.cipher             = cipher;
        /// <summary>
        /// Buils an AEADBlockCipher engine
        /// </summary>
        /// <param name="blockCipher">BlockCipher engine</param>
        /// <param name="mode">SymmetricBlockModes enum, symmetric block mode name</param>
        /// <returns>AEADBlockCipher loaded with a given BlockCipher</returns>
        private IAeadBlockCipher getAEADCipherMode(IBlockCipher blockCipher, SymmetricBlockMode mode)
            IAeadBlockCipher bc = null;

            switch (mode)
            case SymmetricBlockMode.AEAD_CCM:
                bc = new CcmBlockCipher(blockCipher);

            case SymmetricBlockMode.AEAD_EAX:
                bc = new EaxBlockCipher(blockCipher);

            case SymmetricBlockMode.AEAD_GCM:
                bc = new GcmBlockCipher(blockCipher);

            case SymmetricBlockMode.AEAD_KCCM:
                bc = new KCcmBlockCipher(blockCipher);

                this.error.setError("SB017", "AEADCipher " + mode + " not recognised.");
 internal AeadCipherImpl(int macSize, IAeadBlockCipher cipher, Stream source)
     this.macSize   = macSize;
     this.cipher    = cipher;
     this.source    = source;
     this.aadStream = new AADBucket(cipher);
Beispiel #10
        private IAeadBlockCipher InitOcbCipher(bool forEncryption, AeadParameters parameters)
            IAeadBlockCipher c = CreateOcbCipher();

            c.Init(forEncryption, parameters);
		public BufferedAeadBlockCipher(
			IAeadBlockCipher cipher)
			if (cipher == null)
				throw new ArgumentNullException("cipher");

			this.cipher = cipher;
 public BufferedAeadBlockCipher(IAeadBlockCipher cipher)
     if (cipher == null)
         throw new ArgumentNullException("cipher");
     this.cipher = cipher;
        /// <summary>
        /// Decrypts the given encrypted text with an AEAD encryption algorithm
        /// </summary>
        /// <param name="symmetricBlockAlgorithm">string SymmetricBlockAlgorithm enum, symmetric block algorithm name</param>
        /// <param name="symmetricBlockMode">string SymmetricBlockModes enum, symmetric block mode name</param>
        /// <param name="key">string Hexa key for the algorithm excecution</param>
        /// <param name="macSize">int macSize in bits for MAC length for AEAD Encryption algorithm</param>
        /// <param name="nonce">string Hexa nonce for MAC length for AEAD Encryption algorithm</param>
        /// <param name="encryptedInput">string Base64 text to decrypt</param>
        /// <returns></returns>
        public string DoAEADDecrypt(string symmetricBlockAlgorithm, string symmetricBlockMode,
                                    string key, int macSize, string nonce, string encryptedInput)
            SymmetricBlockAlgorithm algorithm = SymmetricBlockAlgorithmUtils.getSymmetricBlockAlgorithm(symmetricBlockAlgorithm, this.error);
            SymmetricBlockMode      mode      = SymmetricBlockModeUtils.getSymmetricBlockMode(symmetricBlockMode, this.error);

            if (this.error.existsError())

            IBlockCipher     engine = getCipherEngine(algorithm);
            IAeadBlockCipher bbc    = getAEADCipherMode(engine, mode);

            if (this.error.existsError() && !(string.Compare(this.error.Code, "SB016", true) == 0))
            byte[] nonceBytes = SecurityUtils.GetHexa(nonce, "SB025", this.error);
            byte[] keyBytes   = SecurityUtils.GetHexa(key, "SB025", this.error);
            if (this.HasError())
            KeyParameter keyParam = new KeyParameter(keyBytes);

            AeadParameters AEADparams = new AeadParameters(keyParam, macSize, nonceBytes);

                bbc.Init(false, AEADparams);
            }catch (Exception e)
                this.error.setError("SB030", e.Message);
            byte[] out2            = Base64.Decode(encryptedInput);
            byte[] comparisonBytes = new byte[bbc.GetOutputSize(out2.Length)];
            int    length          = bbc.ProcessBytes(out2, 0, out2.Length, comparisonBytes, 0);

                bbc.DoFinal(comparisonBytes, length);
            catch (Exception)
                this.error.setError("SB012", "AEAD decryption exception");
            // return System.Text.Encoding.UTF8.GetString(comparisonBytes).Trim();
            EncodingUtil eu = new EncodingUtil();

            this.error = eu.GetError();

Beispiel #14
        /// <exception cref="IOException"></exception>
        public TlsAeadCipher(TlsContext context, IAeadBlockCipher clientWriteCipher, IAeadBlockCipher serverWriteCipher,
            int cipherKeySize, int macSize)
            if (!TlsUtilities.IsTlsV12(context))
                throw new TlsFatalAlert(AlertDescription.internal_error);

            this.context = context;
            this.macSize = macSize;

            // NOTE: Valid for RFC 5288/6655 ciphers but may need review for other AEAD ciphers
            this.nonce_explicit_length = 8;

            // TODO SecurityParameters.fixed_iv_length
            int fixed_iv_length = 4;

            int key_block_size = (2 * cipherKeySize) + (2 * fixed_iv_length);

            byte[] key_block = TlsUtilities.CalculateKeyBlock(context, key_block_size);

            int offset = 0;

            KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            byte[] client_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;
            byte[] server_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;

            if (offset != key_block_size)
                throw new TlsFatalAlert(AlertDescription.internal_error);

            KeyParameter encryptKey, decryptKey;
            if (context.IsServer)
                this.encryptCipher = serverWriteCipher;
                this.decryptCipher = clientWriteCipher;
                this.encryptImplicitNonce = server_write_IV;
                this.decryptImplicitNonce = client_write_IV;
                encryptKey = server_write_key;
                decryptKey = client_write_key;
                this.encryptCipher = clientWriteCipher;
                this.decryptCipher = serverWriteCipher;
                this.encryptImplicitNonce = client_write_IV;
                this.decryptImplicitNonce = server_write_IV;
                encryptKey = client_write_key;
                decryptKey = server_write_key;

            byte[] dummyNonce = new byte[fixed_iv_length + nonce_explicit_length];

            this.encryptCipher.Init(true, new AeadParameters(encryptKey, 8 * macSize, dummyNonce));
            this.decryptCipher.Init(false, new AeadParameters(decryptKey, 8 * macSize, dummyNonce));
Beispiel #15
        /// <exception cref="IOException"></exception>
        public TlsAeadCipher(TlsContext context, IAeadBlockCipher clientWriteCipher, IAeadBlockCipher serverWriteCipher,
            int cipherKeySize, int macSize)
            if (!TlsUtilities.IsTlsV12(context))
                throw new TlsFatalAlert(AlertDescription.internal_error);

            this.context = context;
            this.macSize = macSize;

            // NOTE: Valid for RFC 5288/6655 ciphers but may need review for other AEAD ciphers
            this.nonce_explicit_length = 8;

            // TODO SecurityParameters.fixed_iv_length
            int fixed_iv_length = 4;

            int key_block_size = (2 * cipherKeySize) + (2 * fixed_iv_length);

            byte[] key_block = TlsUtilities.CalculateKeyBlock(context, key_block_size);

            int offset = 0;

            KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            byte[] client_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;
            byte[] server_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;

            if (offset != key_block_size)
                throw new TlsFatalAlert(AlertDescription.internal_error);

            KeyParameter encryptKey, decryptKey;
            if (context.IsServer)
                this.encryptCipher = serverWriteCipher;
                this.decryptCipher = clientWriteCipher;
                this.encryptImplicitNonce = server_write_IV;
                this.decryptImplicitNonce = client_write_IV;
                encryptKey = server_write_key;
                decryptKey = client_write_key;
                this.encryptCipher = clientWriteCipher;
                this.decryptCipher = serverWriteCipher;
                this.encryptImplicitNonce = client_write_IV;
                this.decryptImplicitNonce = server_write_IV;
                encryptKey = client_write_key;
                decryptKey = server_write_key;

            byte[] dummyNonce = new byte[fixed_iv_length + nonce_explicit_length];

            this.encryptCipher.Init(true, new AeadParameters(encryptKey, 8 * macSize, dummyNonce));
            this.decryptCipher.Init(false, new AeadParameters(decryptKey, 8 * macSize, dummyNonce));
Beispiel #16
 public BufferedAeadBlockCipher(IAeadBlockCipher cipher)
     //IL_000e: Unknown result type (might be due to invalid IL or missing references)
     if (cipher == null)
         throw new ArgumentNullException("cipher");
     this.cipher = cipher;
Beispiel #17
    public TlsAeadCipher(TlsContext context, IAeadBlockCipher clientWriteCipher, IAeadBlockCipher serverWriteCipher, int cipherKeySize, int macSize)
        if (!TlsUtilities.IsTlsV12(context))
            throw new TlsFatalAlert(80);
        this.context          = context;
        this.macSize          = macSize;
        nonce_explicit_length = 8;
        int num  = 4;
        int num2 = 2 * cipherKeySize + 2 * num;

        byte[]       array        = TlsUtilities.CalculateKeyBlock(context, num2);
        int          num3         = 0;
        KeyParameter keyParameter = new KeyParameter(array, num3, cipherKeySize);

        num3 += cipherKeySize;
        KeyParameter keyParameter2 = new KeyParameter(array, num3, cipherKeySize);

        num3 += cipherKeySize;
        byte[] array2 = Arrays.CopyOfRange(array, num3, num3 + num);
        num3 += num;
        byte[] array3 = Arrays.CopyOfRange(array, num3, num3 + num);
        num3 += num;
        if (num3 != num2)
            throw new TlsFatalAlert(80);
        KeyParameter key;
        KeyParameter key2;

        if (context.IsServer)
            encryptCipher        = serverWriteCipher;
            decryptCipher        = clientWriteCipher;
            encryptImplicitNonce = array3;
            decryptImplicitNonce = array2;
            key  = keyParameter2;
            key2 = keyParameter;
            encryptCipher        = clientWriteCipher;
            decryptCipher        = serverWriteCipher;
            encryptImplicitNonce = array2;
            decryptImplicitNonce = array3;
            key  = keyParameter;
            key2 = keyParameter2;
        byte[] nonce = new byte[num + nonce_explicit_length];
        encryptCipher.Init(forEncryption: true, new AeadParameters(key, 8 * macSize, nonce));
        decryptCipher.Init(forEncryption: false, new AeadParameters(key2, 8 * macSize, nonce));
        private IAeadCipherBuilder <TAuthParamWithIV> DoCreateAeadCipherBuilder(bool forEncryption, TAuthParamWithIV parameters)
            if (CryptoServicesRegistrar.IsInApprovedOnlyMode())
                throw new CryptoUnapprovedOperationError("attempt to create unapproved AEAD cipher builder in approved only mode");

            IAeadBlockCipher cipher = ProviderUtils.CreateAeadCipher(name, parameters.Algorithm.Mode, parameters, false, engineProvider);

            cipher.Init(forEncryption, new AeadParameters(null, parameters.MacSizeInBits, parameters.GetIV()));

            return(new AeadCipherBuilderImpl <TAuthParamWithIV>(forEncryption, parameters, cipher));
Beispiel #19
        /// <summary>
        /// Decodes the AES-GCM encrypted data according to RFC5288 and RFC5264.
        /// (,
        /// </summary>
        public static byte[] DecryptAead(IAeadBlockCipher gcm, Span <byte> writeKeyBytes, Span <byte> nonceBytes, Span <byte> encryptedBytes, Span <byte> additionalData)
            var writeKey = new KeyParameter(writeKeyBytes.ToArray());

            gcm.Init(false, new AeadParameters(writeKey, 128, nonceBytes.ToArray(), additionalData.ToArray()));

            var outsize    = gcm.GetOutputSize(encryptedBytes.Length);
            var plainBytes = new byte[outsize];
            var outBytes   = gcm.ProcessBytes(encryptedBytes.ToArray(), 0, encryptedBytes.Length, plainBytes, 0);

            // finally check MAC:
            outBytes += gcm.DoFinal(plainBytes, outBytes);
        /// <summary>
        /// Initializes a new instance of the <see cref="SymmetricAeadStream"/> class.
        /// </summary>
        /// <param name="makeCipher">The make cipher.</param>
        /// <param name="outStream">The out stream.</param>
        /// <param name="nonce">The nonce.</param>
        /// <param name="tagLength">Length of the tag.</param>
        /// <param name="initFunc">The init func.</param>
        /// <param name="encrypt">if set to <c>true</c> [encrypt].</param>
        public SymmetricAeadStream(Func<IAeadBlockCipher> makeCipher,
                                   Stream outStream,
                                   byte[] nonce,
                                   int tagLength,
                                   Action<byte[], IAeadBlockCipher, byte[], bool> initFunc,
                                   bool encrypt)
            _output = outStream;
            _nonce = nonce;

            _tagLength = tagLength;
            _initFunc = initFunc;
            _encrypt = encrypt;
            _cipher = makeCipher();
        /// <summary>
        /// Initializes a new instance of the <see cref="SymmetricAeadStream"/> class.
        /// </summary>
        /// <param name="makeCipher">The make cipher.</param>
        /// <param name="outStream">The out stream.</param>
        /// <param name="nonce">The nonce.</param>
        /// <param name="tagLength">Length of the tag.</param>
        /// <param name="initFunc">The init func.</param>
        /// <param name="encrypt">if set to <c>true</c> [encrypt].</param>
        public SymmetricAeadStream(Func <IAeadBlockCipher> makeCipher,
                                   Stream outStream,
                                   byte[] nonce,
                                   int tagLength,
                                   Action <byte[], IAeadBlockCipher, byte[], bool> initFunc,
                                   bool encrypt)
            _output = outStream;
            _nonce  = nonce;

            _tagLength = tagLength;
            _initFunc  = initFunc;
            _encrypt   = encrypt;
            _cipher    = makeCipher();
        private Byte[] Decrypt(IAeadBlockCipher cipher, Byte[] data)
            var size      = cipher.GetOutputSize(data.Length);
            var outBuffer = new Byte[size];
            var off1      = cipher.ProcessBytes(data, 0, data.Length, outBuffer, 0);
            //cipher.DoFinal(data, 0, data.Length, outBuffer, 0);
            var off2   = cipher.DoFinal(outBuffer, off1);
            var result = new Byte[off2];

            Array.Copy(outBuffer, 0, result, 0, result.Length);

            //String asString = Encoding.ASCII.GetString(result);

 /// <summary>
 /// Releases the unmanaged resources used by the <see cref="T:System.IO.Stream"/> and optionally releases the managed resources.
 /// </summary>
 /// <param name="disposing">true to release both managed and unmanaged resources; false to release only unmanaged resources.</param>
 protected override void Dispose(bool disposing)
     _nonce = null;
     _header = null;
     _cipher   = null;
     _initFunc = null;
     _output   = null;
     _outLen   = 0;
     _init     = false;
     _inLen    = 0;
Beispiel #24
        private void CheckTestCase(IAeadBlockCipher encCipher, IAeadBlockCipher decCipher, string testName,
                                   int macLengthBytes, byte[] P, byte[] C)
            byte[] tag = Arrays.CopyOfRange(C, C.Length - macLengthBytes, C.Length);

                byte[] enc = new byte[encCipher.GetOutputSize(P.Length)];
                int    len = encCipher.ProcessBytes(P, 0, P.Length, enc, 0);
                len += encCipher.DoFinal(enc, len);

                if (enc.Length != len)
                    Fail("encryption reported incorrect length: " + testName);

                if (!AreEqual(C, enc))
                    Fail("incorrect encrypt in: " + testName);

                if (!AreEqual(tag, encCipher.GetMac()))
                    Fail("getMac() not the same as the appended tag: " + testName);

                byte[] dec = new byte[decCipher.GetOutputSize(C.Length)];
                int    len = decCipher.ProcessBytes(C, 0, C.Length, dec, 0);
                len += decCipher.DoFinal(dec, len);

                if (dec.Length != len)
                    Fail("decryption reported incorrect length: " + testName);

                if (!AreEqual(P, dec))
                    Fail("incorrect decrypt in: " + testName);

                if (!AreEqual(tag, decCipher.GetMac()))
                    Fail("getMac() not the same as the appended tag: " + testName);
Beispiel #25
        public override byte[] Decrypt(byte[] input, CryptoKey key)
            byte[]           nonce            = GetAppendedNonce(input);
            IAeadBlockCipher cipher           = GetNewAeadBlockCipherInstance();
            AeadParameters   cipherParameters = GetParameters(key, nonce);

                cipher.Init(false, cipherParameters);
                int    cipherTextLength = input.Length - nonce.Length;
                int    outputLen        = cipher.GetOutputSize(cipherTextLength);
                byte[] output           = new byte[outputLen];
                int    position         = cipher.ProcessBytes(input, 0, cipherTextLength, output, 0);

                    position += cipher.DoFinal(output, position);
                catch (Exception e)
                    throw new AppEncryptionException("unexpected error during decrypt cipher finalization", e);

                if (position != outputLen)
                    if (Debug.On)
#pragma warning disable 162
                        Logger.LogError("position {position} not equal to outputLength {outputLen}", position, outputLen);
#pragma warning restore 162

                    throw new AppEncryptionException("unexpected error during decrypt cipher finalization");

Beispiel #26
        private void RunLongerTestCase(int keyLen, int tagLen, string expectedOutputHex)
            byte[] expectedOutput = Hex.Decode(expectedOutputHex);
            byte[] keyBytes       = new byte[keyLen / 8];
            keyBytes[keyBytes.Length - 1] = (byte)tagLen;
            KeyParameter key = new KeyParameter(keyBytes);

            IAeadBlockCipher c1 = InitOcbCipher(true, new AeadParameters(key, tagLen, CreateNonce(385)));
            IAeadBlockCipher c2 = CreateOcbCipher();

            long total = 0;

            byte[] S = new byte[128];

            uint n = 0;

            for (int i = 0; i < 128; ++i)
                c2.Init(true, new AeadParameters(key, tagLen, CreateNonce(++n)));
                total += UpdateCiphers(c1, c2, S, i, true, true);
                c2.Init(true, new AeadParameters(key, tagLen, CreateNonce(++n)));
                total += UpdateCiphers(c1, c2, S, i, false, true);
                c2.Init(true, new AeadParameters(key, tagLen, CreateNonce(++n)));
                total += UpdateCiphers(c1, c2, S, i, true, false);

            long expectedTotal = 16256 + (48 * tagLen);

            if (total != expectedTotal)
                Fail("test generated the wrong amount of input: " + total);

            byte[] output = new byte[c1.GetOutputSize(0)];
            c1.DoFinal(output, 0);

            if (!AreEqual(expectedOutput, output))
                Fail("incorrect encrypt in long-form test");
Beispiel #27
        private void OutputSizeTests()
            byte[] K  = new byte[16];
            byte[] A  = null;
            byte[] IV = new byte[15];

            AeadParameters   parameters = new AeadParameters(new KeyParameter(K), 16 * 8, IV, A);
            IAeadBlockCipher cipher     = InitOcbCipher(true, parameters);

            if (cipher.GetUpdateOutputSize(0) != 0)
                Fail("incorrect getUpdateOutputSize for initial 0 bytes encryption");

            if (cipher.GetOutputSize(0) != 16)
                Fail("incorrect getOutputSize for initial 0 bytes encryption");

            cipher.Init(false, parameters);

            if (cipher.GetUpdateOutputSize(0) != 0)
                Fail("incorrect getUpdateOutputSize for initial 0 bytes decryption");

            // NOTE: 0 bytes would be truncated data, but we want it to fail in the doFinal, not here
            if (cipher.GetOutputSize(0) != 0)
                Fail("fragile getOutputSize for initial 0 bytes decryption");

            if (cipher.GetOutputSize(16) != 0)
                Fail("incorrect getOutputSize for initial MAC-size bytes decryption");
Beispiel #28
        private void RunTestCase(string testName, string[] testVector, int macLengthBits, byte[] K)
            int pos = 0;

            byte[] N = Hex.Decode(testVector[pos++]);
            byte[] A = Hex.Decode(testVector[pos++]);
            byte[] P = Hex.Decode(testVector[pos++]);
            byte[] C = Hex.Decode(testVector[pos++]);

            int macLengthBytes = macLengthBits / 8;

            // TODO Variations processing AAD and cipher bytes incrementally

            KeyParameter   keyParameter   = new KeyParameter(K);
            AeadParameters aeadParameters = new AeadParameters(keyParameter, macLengthBits, N, A);

            IAeadBlockCipher encCipher = InitOcbCipher(true, aeadParameters);
            IAeadBlockCipher decCipher = InitOcbCipher(false, aeadParameters);

            CheckTestCase(encCipher, decCipher, testName, macLengthBytes, P, C);
            CheckTestCase(encCipher, decCipher, testName + " (reused)", macLengthBytes, P, C);

            // TODO Key reuse
Beispiel #29
        public static IBufferedCipher GetCipher(
            string algorithm)
            if (algorithm == null)
                throw new ArgumentNullException("algorithm");

            algorithm = Platform.ToUpperInvariant(algorithm);

                string aliased = (string)algorithms[algorithm];

                if (aliased != null)
                    algorithm = aliased;

            IBasicAgreement iesAgreement = null;

            if (algorithm == "IES")
                iesAgreement = new DHBasicAgreement();
            else if (algorithm == "ECIES")
                iesAgreement = new ECDHBasicAgreement();

            if (iesAgreement != null)
                return(new BufferedIesCipher(
                           new IesEngine(
                               new Kdf2BytesGenerator(
                                   new Sha1Digest()),
                               new HMac(
                                   new Sha1Digest()))));

            if (Platform.StartsWith(algorithm, "PBE"))
                if (Platform.EndsWith(algorithm, "-CBC"))
                    if (algorithm == "PBEWITHSHA1ANDDES-CBC")
                        return(new PaddedBufferedBlockCipher(
                                   new CbcBlockCipher(new DesEngine())));
                    else if (algorithm == "PBEWITHSHA1ANDRC2-CBC")
                        return(new PaddedBufferedBlockCipher(
                                   new CbcBlockCipher(new RC2Engine())));
                    else if (Strings.IsOneOf(algorithm,
                                             "PBEWITHSHAAND2-KEYTRIPLEDES-CBC", "PBEWITHSHAAND3-KEYTRIPLEDES-CBC"))
                        return(new PaddedBufferedBlockCipher(
                                   new CbcBlockCipher(new DesEdeEngine())));
                    else if (Strings.IsOneOf(algorithm,
                                             "PBEWITHSHAAND128BITRC2-CBC", "PBEWITHSHAAND40BITRC2-CBC"))
                        return(new PaddedBufferedBlockCipher(
                                   new CbcBlockCipher(new RC2Engine())));
                else if (Platform.EndsWith(algorithm, "-BC") || Platform.EndsWith(algorithm, "-OPENSSL"))
                    if (Strings.IsOneOf(algorithm,
                        return(new PaddedBufferedBlockCipher(
                                   new CbcBlockCipher(new AesFastEngine())));

            string[] parts = algorithm.Split('/');

            IBlockCipher           blockCipher     = null;
            IAsymmetricBlockCipher asymBlockCipher = null;
            IStreamCipher          streamCipher    = null;

            string algorithmName = parts[0];

                string aliased = (string)algorithms[algorithmName];

                if (aliased != null)
                    algorithmName = aliased;

            CipherAlgorithm cipherAlgorithm;

                cipherAlgorithm = (CipherAlgorithm)Enums.GetEnumValue(typeof(CipherAlgorithm), algorithmName);
            catch (ArgumentException)
                throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");

            switch (cipherAlgorithm)
            case CipherAlgorithm.AES:
                blockCipher = new AesFastEngine();

            case CipherAlgorithm.ARC4:
                streamCipher = new RC4Engine();

            case CipherAlgorithm.BLOWFISH:
                blockCipher = new BlowfishEngine();

            case CipherAlgorithm.CAMELLIA:
                blockCipher = new CamelliaEngine();

            case CipherAlgorithm.CAST5:
                blockCipher = new Cast5Engine();

            case CipherAlgorithm.CAST6:
                blockCipher = new Cast6Engine();

            case CipherAlgorithm.DES:
                blockCipher = new DesEngine();

            case CipherAlgorithm.DESEDE:
                blockCipher = new DesEdeEngine();

            case CipherAlgorithm.ELGAMAL:
                asymBlockCipher = new ElGamalEngine();

            case CipherAlgorithm.GOST28147:
                blockCipher = new Gost28147Engine();

            case CipherAlgorithm.HC128:
                streamCipher = new HC128Engine();

            case CipherAlgorithm.HC256:
                streamCipher = new HC256Engine();

            case CipherAlgorithm.IDEA:
                blockCipher = new IdeaEngine();

            case CipherAlgorithm.NOEKEON:
                blockCipher = new NoekeonEngine();

            case CipherAlgorithm.PBEWITHSHAAND128BITRC4:
            case CipherAlgorithm.PBEWITHSHAAND40BITRC4:
                streamCipher = new RC4Engine();

            case CipherAlgorithm.RC2:
                blockCipher = new RC2Engine();

            case CipherAlgorithm.RC5:
                blockCipher = new RC532Engine();

            case CipherAlgorithm.RC5_64:
                blockCipher = new RC564Engine();

            case CipherAlgorithm.RC6:
                blockCipher = new RC6Engine();

            case CipherAlgorithm.RIJNDAEL:
                blockCipher = new RijndaelEngine();

            case CipherAlgorithm.RSA:
                asymBlockCipher = new RsaBlindedEngine();

            case CipherAlgorithm.SALSA20:
                streamCipher = new Salsa20Engine();

            case CipherAlgorithm.SEED:
                blockCipher = new SeedEngine();

            case CipherAlgorithm.SERPENT:
                blockCipher = new SerpentEngine();

            case CipherAlgorithm.SKIPJACK:
                blockCipher = new SkipjackEngine();

            case CipherAlgorithm.TEA:
                blockCipher = new TeaEngine();

            case CipherAlgorithm.THREEFISH_256:
                blockCipher = new ThreefishEngine(ThreefishEngine.BLOCKSIZE_256);

            case CipherAlgorithm.THREEFISH_512:
                blockCipher = new ThreefishEngine(ThreefishEngine.BLOCKSIZE_512);

            case CipherAlgorithm.THREEFISH_1024:
                blockCipher = new ThreefishEngine(ThreefishEngine.BLOCKSIZE_1024);

            case CipherAlgorithm.TNEPRES:
                blockCipher = new TnepresEngine();

            case CipherAlgorithm.TWOFISH:
                blockCipher = new TwofishEngine();

            case CipherAlgorithm.VMPC:
                streamCipher = new VmpcEngine();

            case CipherAlgorithm.VMPC_KSA3:
                streamCipher = new VmpcKsa3Engine();

            case CipherAlgorithm.XTEA:
                blockCipher = new XteaEngine();

                throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");

            if (streamCipher != null)
                if (parts.Length > 1)
                    throw new ArgumentException("Modes and paddings not used for stream ciphers");

                return(new BufferedStreamCipher(streamCipher));

            bool cts    = false;
            bool padded = true;
            IBlockCipherPadding padding         = null;
            IAeadBlockCipher    aeadBlockCipher = null;

            if (parts.Length > 2)
                if (streamCipher != null)
                    throw new ArgumentException("Paddings not used for stream ciphers");

                string paddingName = parts[2];

                CipherPadding cipherPadding;
                if (paddingName == "")
                    cipherPadding = CipherPadding.RAW;
                else if (paddingName == "X9.23PADDING")
                    cipherPadding = CipherPadding.X923PADDING;
                        cipherPadding = (CipherPadding)Enums.GetEnumValue(typeof(CipherPadding), paddingName);
                    catch (ArgumentException)
                        throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");

                switch (cipherPadding)
                case CipherPadding.NOPADDING:
                    padded = false;

                case CipherPadding.RAW:

                case CipherPadding.ISO10126PADDING:
                case CipherPadding.ISO10126D2PADDING:
                case CipherPadding.ISO10126_2PADDING:
                    padding = new ISO10126d2Padding();

                case CipherPadding.ISO7816_4PADDING:
                case CipherPadding.ISO9797_1PADDING:
                    padding = new ISO7816d4Padding();

                case CipherPadding.ISO9796_1:
                case CipherPadding.ISO9796_1PADDING:
                    asymBlockCipher = new ISO9796d1Encoding(asymBlockCipher);

                case CipherPadding.OAEP:
                case CipherPadding.OAEPPADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher);

                case CipherPadding.OAEPWITHMD5ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new MD5Digest());

                case CipherPadding.OAEPWITHSHA1ANDMGF1PADDING:
                case CipherPadding.OAEPWITHSHA_1ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new Sha1Digest());

                case CipherPadding.OAEPWITHSHA224ANDMGF1PADDING:
                case CipherPadding.OAEPWITHSHA_224ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new Sha224Digest());

                case CipherPadding.OAEPWITHSHA256ANDMGF1PADDING:
                case CipherPadding.OAEPWITHSHA_256ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new Sha256Digest());

                case CipherPadding.OAEPWITHSHA384ANDMGF1PADDING:
                case CipherPadding.OAEPWITHSHA_384ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new Sha384Digest());

                case CipherPadding.OAEPWITHSHA512ANDMGF1PADDING:
                case CipherPadding.OAEPWITHSHA_512ANDMGF1PADDING:
                    asymBlockCipher = new OaepEncoding(asymBlockCipher, new Sha512Digest());

                case CipherPadding.PKCS1:
                case CipherPadding.PKCS1PADDING:
                    asymBlockCipher = new Pkcs1Encoding(asymBlockCipher);

                case CipherPadding.PKCS5:
                case CipherPadding.PKCS5PADDING:
                case CipherPadding.PKCS7:
                case CipherPadding.PKCS7PADDING:
                    padding = new Pkcs7Padding();

                case CipherPadding.TBCPADDING:
                    padding = new TbcPadding();

                case CipherPadding.WITHCTS:
                    cts = true;

                case CipherPadding.X923PADDING:
                    padding = new X923Padding();

                case CipherPadding.ZEROBYTEPADDING:
                    padding = new ZeroBytePadding();

                    throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");

            string mode = "";

            if (parts.Length > 1)
                mode = parts[1];

                int    di       = GetDigitIndex(mode);
                string modeName = di >= 0 ? mode.Substring(0, di) : mode;

                    CipherMode cipherMode = modeName == ""
                        ? CipherMode.NONE
                        : (CipherMode)Enums.GetEnumValue(typeof(CipherMode), modeName);

                    switch (cipherMode)
                    case CipherMode.ECB:
                    case CipherMode.NONE:

                    case CipherMode.CBC:
                        blockCipher = new CbcBlockCipher(blockCipher);

                    case CipherMode.CCM:
                        aeadBlockCipher = new CcmBlockCipher(blockCipher);

                    case CipherMode.CFB:
                        int bits = (di < 0)
                                ?       8 * blockCipher.GetBlockSize()
                                :       int.Parse(mode.Substring(di));

                        blockCipher = new CfbBlockCipher(blockCipher, bits);

                    case CipherMode.CTR:
                        blockCipher = new SicBlockCipher(blockCipher);

                    case CipherMode.CTS:
                        cts         = true;
                        blockCipher = new CbcBlockCipher(blockCipher);

                    case CipherMode.EAX:
                        aeadBlockCipher = new EaxBlockCipher(blockCipher);

                    case CipherMode.GCM:
                        aeadBlockCipher = new GcmBlockCipher(blockCipher);

                    case CipherMode.GOFB:
                        blockCipher = new GOfbBlockCipher(blockCipher);

                    case CipherMode.OCB:
                        aeadBlockCipher = new OcbBlockCipher(blockCipher, CreateBlockCipher(cipherAlgorithm));

                    case CipherMode.OFB:
                        int bits = (di < 0)
                                ?       8 * blockCipher.GetBlockSize()
                                :       int.Parse(mode.Substring(di));

                        blockCipher = new OfbBlockCipher(blockCipher, bits);

                    case CipherMode.OPENPGPCFB:
                        blockCipher = new OpenPgpCfbBlockCipher(blockCipher);

                    case CipherMode.SIC:
                        if (blockCipher.GetBlockSize() < 16)
                            throw new ArgumentException("Warning: SIC-Mode can become a twotime-pad if the blocksize of the cipher is too small. Use a cipher with a block size of at least 128 bits (e.g. AES)");
                        blockCipher = new SicBlockCipher(blockCipher);

                        throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");
                catch (ArgumentException)
                    throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");

            if (aeadBlockCipher != null)
                if (cts)
                    throw new SecurityUtilityException("CTS mode not valid for AEAD ciphers.");
                if (padded && parts.Length > 2 && parts[2] != "")
                    throw new SecurityUtilityException("Bad padding specified for AEAD cipher.");

                return(new BufferedAeadBlockCipher(aeadBlockCipher));

            if (blockCipher != null)
                if (cts)
                    return(new CtsBlockCipher(blockCipher));

                if (padding != null)
                    return(new PaddedBufferedBlockCipher(blockCipher, padding));

                if (!padded || blockCipher.IsPartialBlockOkay)
                    return(new BufferedBlockCipher(blockCipher));

                return(new PaddedBufferedBlockCipher(blockCipher));

            if (asymBlockCipher != null)
                return(new BufferedAsymmetricBlockCipher(asymBlockCipher));

            throw new SecurityUtilityException("Cipher " + algorithm + " not recognised.");
 /// <summary>
 /// Releases the unmanaged resources used by the <see cref="T:System.IO.Stream"/> and optionally releases the managed resources.
 /// </summary>
 /// <param name="disposing">true to release both managed and unmanaged resources; false to release only unmanaged resources.</param>
 protected override void Dispose(bool disposing)
     _nonce = null;
     _header = null;
     _cipher = null;
     _initFunc = null;
     _output = null;
     _outLen = 0;
     _init = false;
     _inLen = 0;
Beispiel #31
        private void ivParamTest(
			int					count,
			IAeadBlockCipher	eax,
			byte[]				k,
			byte[]				n)
			byte[] p = Encoding.ASCII.GetBytes("hello world!!");

			eax.Init(true, new ParametersWithIV(new KeyParameter(k), n));

			byte[] enc = new byte[p.Length + 8];

			int len = eax.ProcessBytes(p, 0, p.Length, enc, 0);

			len += eax.DoFinal(enc, len);

			eax.Init(false, new ParametersWithIV(new KeyParameter(k), n));

			byte[] tmp = new byte[enc.Length];

			len = eax.ProcessBytes(enc, 0, enc.Length, tmp, 0);

			len += eax.DoFinal(tmp, len);

			byte[] dec = new byte[len];

			Array.Copy(tmp, 0, dec, 0, len);

			if (!AreEqual(p, dec))
				Fail("decrypted stream fails to match in test " + count);
Beispiel #32
        private void CheckTestCase(IAeadBlockCipher encCipher, IAeadBlockCipher decCipher, string testName,
            int macLengthBytes, byte[] P, byte[] C)
            byte[] tag = Arrays.CopyOfRange(C, C.Length - macLengthBytes, C.Length);

                byte[] enc = new byte[encCipher.GetOutputSize(P.Length)];
                int len = encCipher.ProcessBytes(P, 0, P.Length, enc, 0);
                len += encCipher.DoFinal(enc, len);

                if (enc.Length != len)
                    Fail("encryption reported incorrect length: " + testName);

                if (!AreEqual(C, enc))
                    Fail("incorrect encrypt in: " + testName);

                if (!AreEqual(tag, encCipher.GetMac()))
                    Fail("getMac() not the same as the appended tag: " + testName);

                byte[] dec = new byte[decCipher.GetOutputSize(C.Length)];
                int len = decCipher.ProcessBytes(C, 0, C.Length, dec, 0);
                len += decCipher.DoFinal(dec, len);

                if (dec.Length != len)
                    Fail("decryption reported incorrect length: " + testName);

                if (!AreEqual(P, dec))
                    Fail("incorrect decrypt in: " + testName);

                if (!AreEqual(tag, decCipher.GetMac()))
                    Fail("getMac() not the same as the appended tag: " + testName);
Beispiel #33
        private int UpdateCiphers(IAeadBlockCipher c1, IAeadBlockCipher c2, byte[] S, int i,
            bool includeAAD, bool includePlaintext)
            int inputLen = includePlaintext ? i : 0;
            int outputLen = c2.GetOutputSize(inputLen);

            byte[] output = new byte[outputLen];

            int len = 0;

            if (includeAAD) {
                c2.ProcessAadBytes(S, 0, i);

            if (includePlaintext) {
                len += c2.ProcessBytes(S, 0, i, output, len);

            len += c2.DoFinal(output, len);

            c1.ProcessAadBytes(output, 0, len);

            return len;
 public AeadCryptographyProvider(IAeadBlockCipher aeadBlockCipher, Encoding encoding)
     _aeadBlockCipher = aeadBlockCipher;
     _encoding        = encoding;
Beispiel #35
 /// <exception cref="IOException"></exception>
 public TlsAeadCipher(TlsContext context, IAeadBlockCipher clientWriteCipher, IAeadBlockCipher serverWriteCipher,
     int cipherKeySize, int macSize)
     : this(context, clientWriteCipher, serverWriteCipher, cipherKeySize, macSize, NONCE_RFC5288)
Beispiel #36
        /// <exception cref="IOException"></exception>
        internal TlsAeadCipher(TlsContext context, IAeadBlockCipher clientWriteCipher, IAeadBlockCipher serverWriteCipher,
            int cipherKeySize, int macSize, int nonceMode)
            if (!TlsUtilities.IsTlsV12(context))
                throw new TlsFatalAlert(AlertDescription.internal_error);

            this.nonceMode = nonceMode;

            // TODO SecurityParameters.fixed_iv_length
            int fixed_iv_length;

            switch (nonceMode)
                case NONCE_RFC5288:
                    fixed_iv_length = 4;
                    this.record_iv_length = 8;
                case NONCE_DRAFT_CHACHA20_POLY1305:
                    fixed_iv_length = 12;
                    this.record_iv_length = 0;
                    throw new TlsFatalAlert(AlertDescription.internal_error);

            this.context = context;
            this.macSize = macSize;

            int key_block_size = (2 * cipherKeySize) + (2 * fixed_iv_length);

            byte[] key_block = TlsUtilities.CalculateKeyBlock(context, key_block_size);

            int offset = 0;

            KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize);
            offset += cipherKeySize;
            byte[] client_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;
            byte[] server_write_IV = Arrays.CopyOfRange(key_block, offset, offset + fixed_iv_length);
            offset += fixed_iv_length;

            if (offset != key_block_size)
                throw new TlsFatalAlert(AlertDescription.internal_error);

            KeyParameter encryptKey, decryptKey;
            if (context.IsServer)
                this.encryptCipher = serverWriteCipher;
                this.decryptCipher = clientWriteCipher;
                this.encryptImplicitNonce = server_write_IV;
                this.decryptImplicitNonce = client_write_IV;
                encryptKey = server_write_key;
                decryptKey = client_write_key;
                this.encryptCipher = clientWriteCipher;
                this.decryptCipher = serverWriteCipher;
                this.encryptImplicitNonce = client_write_IV;
                this.decryptImplicitNonce = server_write_IV;
                encryptKey = client_write_key;
                decryptKey = server_write_key;

            byte[] dummyNonce = new byte[fixed_iv_length + record_iv_length];

            this.encryptCipher.Init(true, new AeadParameters(encryptKey, 8 * macSize, dummyNonce));
            this.decryptCipher.Init(false, new AeadParameters(decryptKey, 8 * macSize, dummyNonce));
Beispiel #37
 internal AeadResult(int macLength, IAeadBlockCipher cipher)
     this.macLength = macLength;
     this.cipher    = cipher;
        public CryptoProviderFactory(BlockCipherEngines engine, BlockCipherModes mode)
            var cipherEngine = ChooseBlockCipherEngine(engine);

            _aeadBlockCipher = ChooseBlockCipherMode(mode, cipherEngine);
 public AeadCryptographyProvider(IAeadBlockCipher aeadBlockCipher)
     _aeadBlockCipher = aeadBlockCipher;
     _encoding        = Encoding.UTF8;