Beispiel #1
0
        public byte[] Sign([ReadOnlyArray] byte[] securedInput, object key)
        {
            var sharedKey = Ensure.Type <byte[]>(key, "HmacUsingSha expects key to be byte[] array.");

            CryptographicKey hmacKey = AlgProvider.CreateKey(CryptographicBuffer.CreateFromByteArray(sharedKey));

            return(Buffer.ToBytes(CryptographicEngine.Sign(hmacKey, CryptographicBuffer.CreateFromByteArray(securedInput))));
        }
Beispiel #2
0
        private static byte[] AesDec(byte[] sharedKey, byte[] cipherText)
        {
            SymmetricKeyAlgorithmProvider alg = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesEcb);

            CryptographicKey key = alg.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(sharedKey));

            return(Buffer.ToBytes(
                       CryptographicEngine.Decrypt(key, CryptographicBuffer.CreateFromByteArray(cipherText), null)));
        }
Beispiel #3
0
        private byte[] ComputeAuthTag(byte[] aad, byte[] iv, byte[] cipherText, byte[] key)
        {
            byte[] al        = Arrays.LongToBytes(aad.Length * 8);
            byte[] hmacInput = Arrays.Concat(aad, iv, cipherText, al);


            CryptographicKey hmacKey = AlgProvider.CreateKey(CryptographicBuffer.CreateFromByteArray(key));

            return(Arrays.FirstHalf(
                       Buffer.ToBytes(CryptographicEngine.Sign(hmacKey, CryptographicBuffer.CreateFromByteArray(hmacInput)))));
        }
Beispiel #4
0
        public byte[] Sign([ReadOnlyArray] byte[] securedInput, object key)
        {
            var publicKey = Ensure.Type <CryptographicKey>(key, "RsaPssUsingSha expects key to be of type 'CryptographicKey'");

            IBuffer msg = CryptographicBuffer.CreateFromByteArray(securedInput);

            //reattach key to alg provider
            IBuffer keyBlob = publicKey.Export(CryptographicPrivateKeyBlobType.BCryptPrivateKey);

            CryptographicKey cKey = AlgProvider.ImportKeyPair(keyBlob, CryptographicPrivateKeyBlobType.BCryptPrivateKey);

            return(Buffer.ToBytes(CryptographicEngine.Sign(cKey, msg)));
        }
Beispiel #5
0
        public byte[] Unwrap([ReadOnlyArray] byte[] encryptedCek, object key, uint cekSizeBits, JsonObject header)
        {
            var privateKey = Ensure.Type <CryptographicKey>(key, "RsaUsingSha expects key to be of type 'CryptographicKey'");

            IBuffer msg = CryptographicBuffer.CreateFromByteArray(encryptedCek);

            //reattach key to alg provider
            IBuffer keyBlob = privateKey.Export(CryptographicPrivateKeyBlobType.BCryptPrivateKey);

            CryptographicKey cKey = AlgProvider.ImportKeyPair(keyBlob, CryptographicPrivateKeyBlobType.BCryptPrivateKey);

            return(Buffer.ToBytes(CryptographicEngine.Decrypt(cKey, msg, null)));
        }
Beispiel #6
0
        public byte[] Decrypt([ReadOnlyArray] byte[] aad, [ReadOnlyArray] byte[] cek, [ReadOnlyArray] byte[] iv, [ReadOnlyArray] byte[] cipherText, [ReadOnlyArray] byte[] authTag)
        {
            Ensure.BitSize(cek, keySizeBits, string.Format("AesGcmEncryptor expected key of size {0} bits, but was given {1} bits", keySizeBits, cek.Length * 8));

            SymmetricKeyAlgorithmProvider alg = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesGcm);

            CryptographicKey key = alg.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(cek));

            return(Buffer.ToBytes(
                       CryptographicEngine.DecryptAndAuthenticate(key,
                                                                  CryptographicBuffer.CreateFromByteArray(cipherText),
                                                                  CryptographicBuffer.CreateFromByteArray(iv),
                                                                  CryptographicBuffer.CreateFromByteArray(authTag),
                                                                  CryptographicBuffer.CreateFromByteArray(aad))));
        }
Beispiel #7
0
        public Part[] Encrypt([ReadOnlyArray] byte[] aad, [ReadOnlyArray] byte[] plainText, [ReadOnlyArray] byte[] cek)
        {
            Ensure.BitSize(cek, keySizeBits, string.Format("AesGcmEncryptor expected key of size {0} bits, but was given {1} bits", keySizeBits, cek.Length * 8));

            IBuffer iv = CryptographicBuffer.GenerateRandom(12);

            SymmetricKeyAlgorithmProvider alg = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesGcm);

            CryptographicKey key = alg.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(cek));

            EncryptedAndAuthenticatedData eaad = CryptographicEngine.EncryptAndAuthenticate(key,
                                                                                            CryptographicBuffer.CreateFromByteArray(plainText), iv, CryptographicBuffer.CreateFromByteArray(aad));

            return(new[] { new Part(Buffer.ToBytes(iv)), new Part(Buffer.ToBytes(eaad.EncryptedData)), new Part(Buffer.ToBytes(eaad.AuthenticationTag)) });
        }
Beispiel #8
0
        public Part[] WrapNewKey(uint cekSizeBits, object key, JsonObject header)
        {
            var publicKey = Ensure.Type <CryptographicKey>(key, "RsaUsingSha expects key to be of type 'CryptographicKey'");

            IBuffer cek = CryptographicBuffer.GenerateRandom(cekSizeBits >> 3);

            //reattach key to alg provider
            IBuffer keyBlob = publicKey.ExportPublicKey(CryptographicPublicKeyBlobType.BCryptPublicKey);

            CryptographicKey cKey = AlgProvider.ImportPublicKey(keyBlob, CryptographicPublicKeyBlobType.BCryptPublicKey);

            IBuffer encryptedCek = CryptographicEngine.Encrypt(cKey, cek, null);

            return(new [] { new Part(Buffer.ToBytes(cek)), new Part(Buffer.ToBytes(encryptedCek)) });
        }
Beispiel #9
0
        private static byte[] F(byte[] salt, int iterationCount, int blockIndex, CryptographicKey key)
        {
            byte[] U = Buffer.ToBytes(CryptographicEngine.Sign(key,
                                                               CryptographicBuffer.CreateFromByteArray(Arrays.Concat(salt, Arrays.IntToBytes(blockIndex))))); // U_1 = PRF (P, S || INT (i))

            //byte[] U = prf.ComputeHash(Arrays.Concat(salt, Arrays.IntToBytes(blockIndex))); // U_1 = PRF (P, S || INT (i))
            byte[] result = U;

            for (int i = 2; i <= iterationCount; i++)
            {
                U = Buffer.ToBytes(
                    CryptographicEngine.Sign(key, CryptographicBuffer.CreateFromByteArray(U))); // U_c = PRF (P, U_{c-1}) .
                //U = prf.ComputeHash(U);                                                     // U_c = PRF (P, U_{c-1}) .
                result = Arrays.Xor(result, U);                                                 // U_1 \xor U_2 \xor ... \xor U_c
            }

            return(result);
        }
Beispiel #10
0
        public Part[] Encrypt([ReadOnlyArray] byte[] aad, [ReadOnlyArray] byte[] plainText, [ReadOnlyArray] byte[] cek)
        {
            Ensure.BitSize(cek, keySizeBits, string.Format("AesCbcHmacEncryptor expected key of size {0} bits, but was given {1} bits", keySizeBits, cek.Length * 8));

            byte[] hmacKey = Arrays.FirstHalf(cek);
            byte[] aesKey  = Arrays.SecondHalf(cek);

            IBuffer iv = CryptographicBuffer.GenerateRandom(16);

            SymmetricKeyAlgorithmProvider alg = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesCbcPkcs7);

            CryptographicKey key = alg.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(aesKey));

            byte[] cipherText = Buffer.ToBytes(CryptographicEngine.Encrypt(key, CryptographicBuffer.CreateFromByteArray(plainText), iv));

            byte[] authTag = ComputeAuthTag(aad, Buffer.ToBytes(iv), cipherText, hmacKey);

            return(new[] { new Part(Buffer.ToBytes(iv)), new Part(cipherText), new Part(authTag) });
        }
Beispiel #11
0
        public Part[] WrapNewKey(uint cekSizeBits, object key, JsonObject header)
        {
            var sharedPassphrase = Ensure.Type <string>(key, "Pbse2HmacShaWithAesKWKeyManagement management algorithm expectes key to be string.");

            byte[] sharedKey = Encoding.UTF8.GetBytes(sharedPassphrase);
            byte[] algId     = Encoding.UTF8.GetBytes(header["alg"].GetString());

            const int iterationCount = 8192;

            var saltInput = Buffer.ToBytes(CryptographicBuffer.GenerateRandom(12));

            header["p2c"] = JsonValue.CreateNumberValue(iterationCount);
            header["p2s"] = JsonValue.CreateStringValue(Base64Url.Encode(saltInput));

            byte[] salt = Arrays.Concat(algId, Arrays.Zero, saltInput);

            byte[] kek = PBKDF2.DeriveKey(sharedKey, salt, iterationCount, keySizeBits, Prf);

            return(aesKW.WrapNewKey(cekSizeBits, kek, header));
        }
Beispiel #12
0
        public byte[] Decrypt([ReadOnlyArray] byte[] aad, [ReadOnlyArray] byte[] cek, [ReadOnlyArray] byte[] iv, [ReadOnlyArray] byte[] cipherText, [ReadOnlyArray] byte[] authTag)
        {
            Ensure.BitSize(cek, keySizeBits, string.Format("AesCbcHmacEncryptor expected key of size {0} bits, but was given {1} bits", keySizeBits, cek.Length * 8));

            byte[] hmacKey = Arrays.FirstHalf(cek);
            byte[] aesKey  = Arrays.SecondHalf(cek);

            byte[] expectedAuthTag = ComputeAuthTag(aad, iv, cipherText, hmacKey);

            if (!Arrays.ConstantTimeEquals(expectedAuthTag, authTag))
            {
                throw new Exception("Authentication tag do not match.");
            }

            SymmetricKeyAlgorithmProvider alg = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesCbcPkcs7);

            CryptographicKey key = alg.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(aesKey));

            return(Buffer.ToBytes(
                       CryptographicEngine.Decrypt(key, CryptographicBuffer.CreateFromByteArray(cipherText), CryptographicBuffer.CreateFromByteArray(iv))));
        }