Ejemplo n.º 1
        private IEnumerable <byte> P_hash(byte[] secret, byte[] seed)
            var hmac = new HMAC(_digest, secret);

            var a = seed;

            while (true)
                a = hmac.DigestBuffer();


                var b = hmac.DigestBuffer();
                foreach (var x in b)
                    yield return(x);
Ejemplo n.º 2
        public void VerifyHMAC(MessageDigest digest, string[] results)
            byte[] hash = HMAC.Digest(digest, key, small_data);
            string str  = BitConverter.ToString(hash);

            if (str != results[0])
                Console.WriteLine("{0} - Failed to calculate hash on {1}", digest.Name, small_data);
                Console.WriteLine("got {0} instead of {1}", str, results[0]);
                Console.WriteLine("{0} - Test 1 passed.", digest.Name);
            // Compute the large hash
            using (HMAC hmac = new HMAC())
                byte[] buf = Encoding.ASCII.GetBytes(new string('a', 1000));
                hmac.Init(key, digest);
                for (int i = 0; i < 1000; i++)
                hash = hmac.DigestFinal();
                // Check for error
                str = BitConverter.ToString(hash);
                if (str != results[1])
                    Console.WriteLine("{0} - Failed to calculate hash on a*1000", digest.Name);
                    Console.WriteLine("got {0} instead of {1}", str, results[1]);
                    Console.WriteLine("{0} - Test 2 passed.", digest.Name);
Ejemplo n.º 3
         * This function computes Phash with the specified HMAC
         * engine, XORing the output with the current contents of
         * the outBuf[] buffer.
        static void Phash(HMAC hm, byte[] s, int soff, int slen,
                          byte[] bufa, byte[] bufb,
                          byte[] label, byte[] seed,
                          byte[] outBuf, int outOff, int outLen)
             * Set the key for HMAC.
            hm.SetKey(s, soff, slen);

             * Compute A(1) = HMAC(secret, seed).
            hm.DoFinal(bufa, 0);
            while (outLen > 0)
                 * Next chunk: HMAC(secret, A(i) + label + seed)
                hm.DoFinal(bufb, 0);
                int clen = Math.Min(hm.MACSize, outLen);
                for (int i = 0; i < clen; i++)
                    outBuf[outOff++] ^= bufb[i];
                outLen -= clen;

                 * If we are not finished, then compute:
                 * A(i+1) = HMAC(secret, A(i))
                if (outLen > 0)
                    hm.DoFinal(bufa, 0);
    void DecryptStream(Stream encryptedStream, Stream output)
        using (BinaryReader reader = new BinaryReader(encryptedStream))
            using (BinaryWriter writer = new BinaryWriter(output))
                //Read file header
                byte[] headerNonce;
                byte[] ciphertextPayload;
                byte[] mac;
                byte[] contentKey;
                byte[] cleartextPayload;

                headerNonce       = reader.ReadBytes(16);
                ciphertextPayload = reader.ReadBytes(40);
                mac = reader.ReadBytes(32);

                HMAC headerHmac = new HMAC(macKey);
                if (!headerHmac.Hash.SequenceEqual(mac))
                    throw new IOException("Encrypted file fails integrity check.");

                cleartextPayload = AesCtr(ciphertextPayload, masterKey, headerNonce);
                contentKey       = Slice(cleartextPayload, 8, 32);

                HMAC chunkHmac = new HMAC(macKey);

                //Process all chunks
                for (int blocknum = 0; ; ++blocknum)
                    //read file content payload
                    byte[] chunk;
                    chunk = reader.ReadBytes(32768 + 48);
                    if (chunk.Length == 0)

                    var chunkNonce   = Slice(chunk, 0, 16);
                    var chunkpayload = Slice(chunk, chunkNonce.Length, chunk.Length - 48);
                    var chunkmac     = Slice(chunk, chunkNonce.Length + chunkpayload.Length, 32);

                    byte[] beBlockNum = BitConverter.GetBytes((long)blocknum);
                    if (BitConverter.IsLittleEndian)

                    if (!chunkHmac.Hash.SequenceEqual(chunkmac))
                        throw new IOException("Encrypted file fails integrity check.");

                    var decryptedContent = AesCtr(chunkpayload, contentKey, chunkNonce);
Ejemplo n.º 5
        void EncryptInner(int recordType, int version,
                          byte[] data, ref int off, ref int len)
            int blen = bc.BlockSize;
            int mlen = hm.MACSize;
            int doff = off;
            int dlen = len;

            if (explicitIV)
                 * To make pseudorandom IV, we reuse HMAC, computed
                 * over the encoded sequence number. Since this
                 * input is distinct from all other HMAC inputs with
                 * the same key, this should be randomish enough
                 * (assuming HMAC is a good imitation of a random
                 * oracle).
                IO.Enc64be(seq, tmp, 0);
                hm.Update(tmp, 0, 8);
                hm.DoFinal(tmp, 0);
                Array.Copy(tmp, 0, data, off - blen, blen);
                off -= blen;
                len += blen;

             * Compute HMAC.
            IO.Enc64be(seq, tmp, 0);
            IO.WriteHeader(recordType, version, dlen, tmp, 8);
            hm.Update(tmp, 0, 13);
            hm.Update(data, doff, dlen);
            hm.DoFinal(data, off + len);
            len += mlen;

             * Add padding.
            int plen = blen - (len & (blen - 1));

            for (int i = 0; i < plen; i++)
                data[off + len + i] = (byte)(plen - 1);
            len += plen;

             * Perform CBC encryption. We use our saved IV. If there is
             * an explicit IV, then it gets encrypted, which is fine
             * (CBC encryption of randomness is equally good randomness).
            bc.CBCEncrypt(iv, data, off, len);
            Array.Copy(data, off + len - blen, iv, 0, blen);

             * Add the header.
            off -= 5;
            IO.WriteHeader(recordType, version, len, data, off);
            len += 5;
Ejemplo n.º 6
        internal override bool Decrypt(int recordType, int version,
                                       byte[] data, ref int off, ref int len)
            int blen = bc.BlockSize;
            int hlen = hm.MACSize;

             * Grab a copy of the last encrypted block; this is
             * the "saved IV" for the next record.
            Array.Copy(data, off + len - blen, ivTmp, 0, blen);

             * Decrypt the data. The length has already been
             * checked. If there is an explicit IV, it gets
             * "decrypted" as well, which is not a problem.
            bc.CBCDecrypt(iv, data, off, len);
            Array.Copy(ivTmp, 0, iv, 0, blen);
            if (explicitIV)
                off += blen;
                len -= blen;

             * Compute minimum and maximum length of plaintext + MAC.
             * These can be inferred from the observable record length,
             * and thus are not secret.
            int minLen = (hlen + 256 < len) ? len - 256 : hlen;
            int maxLen = len - 1;

             * Get the actual padding length and check padding. The
             * padding length must match the minLen/maxLen range.
            int padLen     = data[off + len - 1];
            int good       = ~(((maxLen - minLen) - padLen) >> 31);
            int lenWithMAC = minLen ^ (good & (minLen ^ (maxLen - padLen)));
            int dbb        = 0;

            for (int i = minLen; i < maxLen; i++)
                dbb |= ~((i - lenWithMAC) >> 31)
                       & (data[off + i] ^ padLen);
            good &= ~((dbb | -dbb) >> 31);

             * Extract the MAC value; this is done in one pass, but
             * results in a "rotate" MAC value. The rotation count
             * is kept in 'rotCount': this is the offset of the
             * first MAC value byte in tmp1[].
            int lenNoMAC = lenWithMAC - hlen;

            minLen -= hlen;
            int rotCount = 0;

            for (int i = 0; i < hlen; i++)
                tmp1[i] = 0;
            int v = 0;

            for (int i = minLen; i < maxLen; i++)
                int m = ~((i - lenNoMAC) >> 31)
                        & ((i - lenWithMAC) >> 31);
                tmp1[v]  |= (byte)(m & data[off + i]);
                m         = i - lenNoMAC;
                rotCount |= ~((m | -m) >> 31) & v;
                if (++v == hlen)
                    v = 0;
            maxLen -= hlen;

             * Rotate back the MAC value. We do it bit by bit, with
             * 6 iterations; this is good for all MAC value up to
             * and including 64 bytes.
            for (int i = 5; i >= 0; i--)
                int rc = 1 << i;
                if (rc >= hlen)
                int ctl = -((rotCount >> i) & 1);
                for (int j = 0, k = rc; j < hlen; j++)
                    int b1 = tmp1[j];
                    int b2 = tmp1[k];
                    tmp2[j] = (byte)(b1 ^ (ctl & (b1 ^ b2)));
                    if (++k == hlen)
                        k = 0;
                Array.Copy(tmp2, 0, tmp1, 0, hlen);
                rotCount &= ~rc;

             * Recompute the HMAC value. At that point, minLen and
             * maxLen have been adjusted to match the plaintext
             * without the MAC.
            IO.Enc64be(seq++, tmp2, 0);
            IO.WriteHeader(recordType, version, lenNoMAC, tmp2, 8);
            hm.Update(tmp2, 0, 13);
            hm.ComputeCT(data, off, lenNoMAC, minLen, maxLen, tmp2, 0);

             * Compare MAC values.
            dbb = 0;
            for (int i = 0; i < hlen; i++)
                dbb |= tmp1[i] ^ tmp2[i];
            good &= ~((dbb | -dbb) >> 31);

             * We must also check that the plaintext length fits in
             * the maximum allowed by the standard (previous check
             * was on the encrypted length).
            good &= (lenNoMAC - 16385) >> 31;
            len   = lenNoMAC;
            return(good != 0);